
AI Built a Working Zero-Day. Google Found It First.

Google's Threat Intelligence Group confirmed the first known AI-generated zero-day exploit — a 2FA bypass built for mass exploitation. Meanwhile, state-sponsored groups are industrializing AI-powered vulnerability research.

On May 11, Google's Threat Intelligence Group published a report confirming what the security community has been bracing for: the first known zero-day exploit developed with the assistance of an AI model. Not a proof-of-concept. Not a jailbreak demo. A working exploit script, written in Python, that bypasses two-factor authentication on a widely deployed open-source web administration tool — built by criminal threat actors who planned to use it for mass exploitation.

Google caught it before they pulled the trigger.

What GTIG Found

The exploit targets a logic flaw — a hardcoded trust exception in the authentication flow of an unnamed but popular web-based admin tool. The kind of bug that's hard to find by scanning code, because nothing looks broken at the syntax level. The vulnerability exists at the semantic layer: the developers assumed a specific execution path would always be trusted, and the 2FA check could be bypassed entirely by exploiting that assumption.

GTIG researchers identified the exploit as a Python script with several telltale markers of AI generation. Clean ANSI color classes organized with a consistency that human developers rarely bother with. Detailed docstrings written in an educational, almost tutorial-like tone. A fabricated CVSS score embedded in the script itself — something no human exploit developer would include, but exactly the kind of thing an LLM does when it's trying to be helpful. The code structure follows textbook Pythonic formatting patterns characteristic of LLM training data.

The researchers assessed with "high confidence" that an AI model was used to discover and weaponize the vulnerability. They couldn't confirm which model — there's no evidence it was Gemini — but the fingerprints were unmistakable.

What made this different from every previous AI-assisted hacking incident is the nature of the vulnerability itself. This wasn't an AI regurgitating a known exploit from its training data. The bug hadn't been publicly disclosed. The AI found a zero-day, understood why it mattered, and wrote working exploit code to abuse it.

Google coordinated with the affected vendor to patch the flaw before the mass exploitation campaign could launch. The vendor's name hasn't been released.

The Assembly Line Behind It

GTIG's report wasn't just about one exploit. It painted a picture of an entire operational shift.

North Korea's APT45 has been sending thousands of repetitive prompts to AI models, recursively analyzing CVEs and validating proof-of-concept exploits at industrial scale. This isn't sophisticated tradecraft. It's brute-force vulnerability research — feed an AI model a CVE, ask it to check if the PoC works, ask it to find variations, repeat thousands of times. The AI does the grunt work. The operators decide what to target.

The implications are straightforward. Organizations with known, unpatched CVEs in their environment will get targeted faster than ever before. The bottleneck used to be the human labor required to triage, analyze, and weaponize a vulnerability report. That bottleneck is gone.

Russian state-backed group APT28 (also tracked as FROZENLAKE) took a different approach. Their malware family, PROMPTSTEAL, queries a locally hosted instance of Qwen2.5-Coder-32B-Instruct — an open-source language model — to generate one-line Windows commands for document theft during live operations against Ukrainian targets. This is the first confirmed case of state-sponsored malware querying an LLM during execution. Not during development. During execution.

The malware uses the model as a runtime co-pilot. It asks the LLM how to find documents in specific folders, how to exfiltrate them to its C2 server, and how to cover its tracks — all in real time, all in production, all targeting Ukraine. APT28 isn't using AI to write malware. They're using AI inside malware.

Then there's PROMPTFLUX, a VBScript dropper first spotted by GTIG in June 2025 that uses the Gemini API to rewrite its own source code on an hourly basis. Every hour, it queries the model and generates fresh variants of itself. Signature-based detection becomes a game you structurally cannot win, because the malware you're looking for stops existing within sixty minutes.

PROMPTFLUX is still in testing phases. It hasn't been deployed at scale. But the concept is proven: malware that mutates faster than signature databases can update.

The Numbers Say the Same Thing

Mandiant's M-Trends 2026 report, published in March and based on over 500,000 hours of frontline incident response, quantifies the shift from a different angle. Mean time-to-exploit has dropped to an estimated negative seven days.

That number deserves a second read. Negative seven days. The traditional security model assumes a sequence: vulnerability is found, vendor is notified, patch is developed, patch is deployed, and somewhere in that window attackers might try to exploit it. The entire patch management discipline is built on the assumption that defenders get at least some lead time.

That assumption is broken. 28.3% of CVEs are now exploited within 24 hours of disclosure. And with AI-assisted vulnerability research running at industrial scale, the gap will get wider, not narrower.

Exploits remain the leading initial access vector for the sixth consecutive year. The M-Trends report also documented "distillation attacks" — attempts to extract proprietary logic and training data from high-value machine learning models. Your AI is both the weapon and the target.

The Supply Chain Angle

While nation-states were industrializing vulnerability research, a financially motivated group called TeamPCP (tracked by Google as UNC6780) was compromising the AI development supply chain itself.

In late March 2026, TeamPCP pulled off supply chain compromises of multiple popular GitHub repositories including Trivy, Checkmarx, and LiteLLM. LiteLLM alone has over 95 million monthly PyPI downloads. It's the proxy layer that thousands of organizations use to route requests between different LLM APIs.

The payload: SANDCLOCK, a multi-stage credential stealer that harvests over 50 credential paths including AWS Secrets Manager contents, SSM parameters, GitHub tokens, and API keys. Version 1.82.8 of the compromised LiteLLM package fires on every Python process startup via a .pth file — not just when LiteLLM is imported. If you had it installed, every Python script on your system was potentially exfiltrating credentials.

Google considers UNC6780 a top-tier financially motivated threat actor. Mandiant estimated over 1,000 compromised SaaS environments from this campaign alone.

This is the convergence point. AI tools are being used to find and exploit vulnerabilities. AI infrastructure is being targeted for supply chain attacks. And AI-enabled malware is querying language models in real time to evade detection. The attack surface isn't growing linearly. It's compounding.

What You Can Do

  1. Audit your AI dependencies now. If you use LiteLLM, verify you're on version 1.83.0 or later — the first clean release after the TeamPCP compromise. Run pip show litellm and check. Look for unexpected .pth files in your Python site-packages directory.

  2. Rotate credentials exposed to AI tooling. If any of your AI services, LLM API keys, cloud credentials, or tokens touched an environment that ran a compromised package, rotate them. SANDCLOCK targeted 50+ credential paths. Assume the worst.

  3. Treat time-to-patch as a survival metric. With mean time-to-exploit at negative seven days, the old cadence of monthly patching is a liability. If you have known CVEs in your environment, they are being scanned for — possibly by AI — at industrial scale. Prioritize ruthlessly.

  4. Pin your dependencies and verify checksums. The TeamPCP campaign succeeded because organizations pulled the latest version without verification. Use lock files. Verify package integrity. Consider mirroring critical packages internally.

  5. Assume your 2FA isn't bulletproof. The GTIG zero-day bypassed 2FA through a logic flaw, not a brute-force attack. Hardware security keys (FIDO2/WebAuthn) are more resistant to this class of bypass than TOTP or SMS codes. If you're still using SMS-based 2FA for administrative access to anything, stop.

  6. Watch for AI fingerprints in incident response. If your team finds scripts with unusually clean documentation, tutorial-style comments, or fabricated metadata like hallucinated CVSS scores — treat that as a signal, not a coincidence. It's a marker that AI-generated tooling was used in the attack chain.
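The audit in step 1 can be scripted. The following is an added example, not code from the article or from Google's report: it checks the installed LiteLLM version against the 1.83.0 threshold named above and lists every .pth file in site-packages that carries an `import` line, which is the line form CPython executes at every interpreter start. Treat the output as a triage list; some legitimate packages (editable installs, setuptools shims) also use this mechanism, so each hit still needs a look.

```python
"""Added example (not from the article): audit a Python environment for
startup-executing .pth files and for a pre-fix LiteLLM install.
The 1.83.0 threshold is the article's; the 'import line == suspicious'
heuristic is ours and is only a triage signal."""
import re
import site
from importlib import metadata
from pathlib import Path

CLEAN_LITELLM = (1, 83, 0)  # first clean release named in the article


def parse_version(v: str) -> tuple:
    """Turn '1.82.8' into (1, 82, 8); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def litellm_is_clean(version: str) -> bool:
    return parse_version(version) >= CLEAN_LITELLM


def suspicious_pth_lines(text: str) -> list:
    """Return .pth lines CPython would execute at startup.

    site.py exec()s any line starting with 'import ' or 'import\\t';
    every other non-comment line is just a path appended to sys.path."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("import ", "import\t")):
            flagged.append(line)
    return flagged


def scan_site_packages(dirs=None) -> dict:
    """Map each .pth file under the given dirs to its executable lines."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    report = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            hits = suspicious_pth_lines(pth.read_text(errors="replace"))
            if hits:
                report[str(pth)] = hits
    return report


if __name__ == "__main__":
    try:
        ver = metadata.version("litellm")
        print("litellm", ver, "clean" if litellm_is_clean(ver) else "PRE-FIX: upgrade")
    except metadata.PackageNotFoundError:
        print("litellm not installed")
    for path, hits in scan_site_packages().items():
        print(path, *hits, sep="\n    ")
```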

Where This Leaves Us

I've been expecting this report for about a year. The "will AI write exploits?" debate always felt like a question of when, not if. Now we have the answer: it already has.

But the part of the GTIG report that stuck with me wasn't the zero-day itself. It was the description of APT45's workflow — thousands of repetitive prompts, recursively analyzing CVEs, validating exploit code. No sophistication. No clever jailbreaks. Just volume. AI doesn't need to be creative to be dangerous. It just needs to be tireless.

The asymmetry is stark. Defenders patch on human schedules. Attackers scan on machine schedules. And now the tooling that finds vulnerabilities, writes exploits, and evades detection is available as a commodity — to criminal groups, state actors, and anyone with an API key.

Google caught this one. The vendor patched it. The mass exploitation campaign didn't happen. But GTIG's own report makes clear this is not an isolated incident — it's a pattern emerging across multiple threat actors, multiple nation-states, and multiple malware families simultaneously. The question isn't whether AI-generated exploits will become routine. It's how fast.

Sources: The Hacker News, Google Cloud Blog — GTIG AI Report, CNBC, Google Cloud Blog — M-Trends 2026, SecurityWeek, Infosecurity Magazine, Datadog Security Labs — LiteLLM Compromise, Tom's Hardware
