Google Catches First AI Zero-Day Exploit: A Warning Shot for Crypto Security?
Google's Threat Intelligence Group detected and neutralized the first AI-generated zero-day exploit used by hackers to bypass two-factor authentication on an open-source tool, preventing a large-scale attack. The incident highlights the growing use of AI by threat actors to enhance cyber intrusions, prompting defenders to develop AI-driven countermeasures amid increasing risks from state-linked malware. Experts warn that more subtle AI-assisted attacks may already be occurring undetected, signaling an escalating cyber arms race.
Google’s Threat Intelligence Group caught a criminal hacking crew using an AI-built zero-day exploit live in the wild for the first time, neutralizing a planned mass attack before it could trigger. The finding sits within a wider report showing that attackers now weave large language models into every stage of an intrusion. Defenders are racing to deploy their own AI hunters across the same fight.

How the AI Zero-Day Exploit Worked

The malicious code, written in Python, bypassed two-factor authentication (2FA) on a popular open-source system administration tool. Google has not named the affected vendor.

“The Google Threat Intelligence Group has detected the first known instance of a threat actor using an AI-developed zero-day exploit in the wild. While the attackers planned a wide-scale strike, our proactive counter-discovery may have prevented that from happening. This finding…” — News from Google (@NewsFromGoogle), May 12, 2026

Several signals pointed to a large language model author. The script carried tutorial-style docstrings and a fabricated Common Vulnerability Scoring System (CVSS) score, a metric no human researcher would invent for their own exploit. Google said its own Gemini model was not used.

GTIG chief analyst John Hultquist warned that subtler AI-assisted intrusions may already be in motion undetected. “Each new generation of models will reduce the need for expert-developed harnesses, but they are almost certainly out there. We have to recognize the limits of our visibility into the backend of spies and criminals. The signs won’t be obvious. The race has started already,” he said.

Defenders Push Back

The same report flagged the Russian-linked malware families PROMPTFLUX and PROMPTSPY, the latter an Android backdoor that pings Gemini in real time to plan its next action. State-linked Chinese and North Korean operations are training private models on an 85,000-vulnerability dataset. Google countered with Big Sleep, an AI agent that hunts ...
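The two authorship tells the article names, tutorial-style docstrings on every function and a self-assigned CVSS score embedded in the code, can be turned into a simple triage heuristic for analysts sorting Python samples. The script below is an added example written for this page, not GTIG's or Google's tooling; the thresholds, indicator names and both embedded samples are constructed for illustration, and the samples themselves are harmless configuration-loading code.

```python
"""Triage heuristic for two LLM-authorship tells in a Python sample.

Added example, not GTIG's or Google's tooling: it scores a source file on the
two signals the article names, tutorial-style docstrings on nearly every
function and a self-assigned CVSS score embedded in the code. Thresholds and
the two embedded samples are constructed for illustration.
"""
import ast
import re

# Tutorial-style docstrings: most defs documented, with long explanatory text.
MIN_DOCSTRING_RATIO = 0.8   # constructed threshold
MIN_AVG_DOC_WORDS = 15      # constructed threshold

# "CVSS" followed on the same line by a 0-10 style score or a vector version
# such as "CVSS:3.1/...". A self-assigned severity inside attack code is the
# tell the article describes; in a scanner or advisory parser it is expected,
# so this is a triage signal, not a verdict.
CVSS_SCORE_RE = re.compile(r"\bCVSS\b[^\n]{0,40}?\b(\d{1,2}(?:\.\d)?)\b", re.IGNORECASE)


def docstring_stats(tree: ast.AST) -> dict:
    """Count documented functions/classes and the mean docstring length in words."""
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    docs = [d for d in (ast.get_docstring(n) for n in defs) if d]
    avg_words = sum(len(d.split()) for d in docs) / len(docs) if docs else 0.0
    return {"defs": len(defs), "documented": len(docs), "avg_words": avg_words}


def triage(source: str) -> dict:
    """Return the indicators present in `source` plus the raw measurements."""
    tree = ast.parse(source)
    stats = docstring_stats(tree)
    ratio = stats["documented"] / stats["defs"] if stats["defs"] else 0.0
    cvss_hits = [m.group(1) for m in CVSS_SCORE_RE.finditer(source)]
    indicators = []
    if ratio >= MIN_DOCSTRING_RATIO and stats["avg_words"] >= MIN_AVG_DOC_WORDS:
        indicators.append("tutorial_docstrings")
    if cvss_hits:
        indicators.append("self_assigned_cvss")
    return {"indicators": indicators, "docstring_ratio": ratio,
            "avg_doc_words": stats["avg_words"], "cvss_hits": cvss_hits}


# Constructed sample: verbose, explanatory docstrings plus a self-declared score.
SAMPLE_VERBOSE = '''"""
Configuration loader utility.

Severity: CVSS 9.8 (Critical)
"""
import json


def load_config(path):
    """Load the JSON configuration file from the given path.

    This function opens the file in read mode, parses its contents as JSON
    and returns the resulting dictionary so that callers can look up
    settings by key without worrying about file handling details.
    """
    with open(path) as fh:
        return json.load(fh)


def get_setting(config, key, default=None):
    """Return a single setting from the loaded configuration dictionary.

    If the key is not present the supplied default value is returned
    instead, which lets callers avoid wrapping every lookup in a
    try/except block for KeyError.
    """
    return config.get(key, default)
'''

# Constructed sample: the same logic written tersely, with neither tell.
SAMPLE_TERSE = '''import json

def load(p):
    with open(p) as f:
        return json.load(f)

def get(c, k, d=None):
    return c.get(k, d)
'''

if __name__ == "__main__":
    for name, sample in (("verbose", SAMPLE_VERBOSE), ("terse", SAMPLE_TERSE)):
        print(name, triage(sample))
```

Run stand-alone, the verbose sample trips both indicators and the terse one trips neither. The heuristic only narrows an analyst's queue: legitimate security tooling legitimately mentions CVSS, and well-documented code is not evidence of anything, so a hit should prompt a closer look at provenance rather than a conclusion about who wrote the file.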