Google Detects First AI-Built Zero-Day in Wild Attack

Google's Threat Intelligence Group (GTIG) announced on May 11, 2026 that it has identified what it believes to be the first known zero-day exploit developed with the help of artificial intelligence to be used by a real-world criminal threat actor. The exploit — a two-factor authentication bypass in a widely deployed open-source web administration tool, implemented as a Python script — was caught and quietly patched before the attackers could trigger what GTIG describes as a planned "mass exploitation event."¹

What You'll Learn

• What GTIG actually found and why this is a different milestone from anything we've seen before
• The technical fingerprints that gave away the AI-generated origin of the exploit code
• How this differs from Anthropic's Claude Mythos and Project Glasswing — which is defensive
• Why John Hultquist's "it's already begun" framing matters for every security team
• What defenders should do this week, this quarter, and this year

TL;DR

On May 11, 2026, Google Threat Intelligence Group disclosed that a financially motivated cybercrime group used a frontier AI model to develop a working zero-day exploit for a 2FA bypass in a popular open-source web-based system administration tool. GTIG assessed with "high confidence" that the exploit code was written with significant AI assistance: the Python script contained extensive educational docstrings, a hallucinated CVSS score for a vulnerability that had never been assigned a CVE, and a "textbook" Pythonic structure characteristic of LLM-generated code. Google worked with the unnamed vendor to patch the bug quietly before the attackers could detonate a "mass exploitation event." GTIG did not name the affected vendor, the threat actor, or the specific AI model the attackers used — but explicitly stated it was confident the model was neither Google's Gemini nor Anthropic's Mythos Preview. The findings update GTIG's November 2025 AI threat report (PROMPTFLUX, FRUITSHELL) and confirm what the security community has been bracing for: AI-developed zero-days have arrived in the wild.²

Why This Is a Different Milestone

This is not the first time AI has been involved in a cyberattack. Adversaries have been using LLMs since 2023 for phishing-lure translation, social engineering scripts, junior-level recon work, and lightweight malware modification. GTIG's own November 2025 report catalogued PROMPTFLUX, a VBScript dropper that calls the Gemini API at runtime to mutate its own evasion code, and FRUITSHELL, a PowerShell reverse shell hardcoded with prompts designed to manipulate LLM-based defensive tools. Those are real, in-the-wild AI uses, and they are alarming.³

What separates the May 11 finding is the end-to-end ownership of a zero-day exploit pipeline by AI. The model didn't translate a phish or hand-wave a payload — GTIG assesses with high confidence that it identified a previously unknown semantic logic flaw, reasoned about a 2FA trust assumption, and produced a functional Python script that turned that flaw into an authentication bypass. That is the vulnerability discovery → weaponization → exploit code loop that human offensive security researchers spend careers building skill in. GTIG's own wording is that the threat actor "leveraged an AI model to support the discovery and weaponization of this vulnerability."⁴

The Technical Fingerprints That Gave It Away

GTIG's confidence in the AI-assisted origin of the exploit rests on three concrete signals in the Python script itself:

1. Hallucinated CVSS score. The script's documentation references a CVSS severity score for the underlying vulnerability — except the vulnerability had never been disclosed, never been assigned a CVE, and therefore never had an official CVSS calculation. The score appears to have been fabricated by the AI model from its training data's pattern of how exploit code is documented, not from any real scoring exercise. This is exactly the kind of "plausible-looking but objectively impossible" detail that distinguishes LLM-generated code from human-written code.⁵
2. Excessive educational docstrings. The script is filled with help text, in-line annotations, and structured comments at a density that no working exploit author would produce. Real exploit code from criminal groups is typically obfuscated, terse, and instrumented for stealth — not the textbook-style "this function performs a deterministic check against the X parameter" prose that GTIG observed.⁶
3. Clean, textbook Pythonic structure. The script uses a structured layout — a tidy _C ANSI color class for terminal output, detailed help menus, and an overall code shape that GTIG describes as "highly characteristic of LLM training data." Criminal exploit toolkits rarely look like Python tutorials; this one did.⁷

The underlying vulnerability is also instructive. GTIG's own description is that the 2FA bypass "stems from a high-level semantic logic flaw arising as a result of a hard-coded trust assumption, something LLMs excel at spotting." In other words: the code makes an assumption about who is trusted, that assumption holds in normal flow but breaks under adversarial input, and the model is good at noticing exactly that kind of mistake. The model reads the code, reasons about the assumption, and surfaces the case where it can be violated. That is intellectual work, not pattern matching.⁸

The Wider Threat Landscape: PROMPTFLUX, FRUITSHELL, and Now This

GTIG's May 2026 disclosure is an update to its November 2025 report, Advances in Threat Actor Usage of AI Tools. That earlier report identified three categories of adversarial AI use that the community should track:⁹

The May 11 finding closes the third row. It also implies the others are expanding — PROMPTFLUX was in an experimental development phase when GTIG documented it; the group's confidence interval on how mature these toolchains are has tightened considerably.

What Google Won't Tell You — and Why That's Defensible

Three things are not in the report, deliberately:

• The name of the vendor whose tool was vulnerable. GTIG worked with the vendor to patch quietly. Naming the product publicly would have created a window for adversaries who haven't yet patched to weaponize the same flaw before users updated.
• The name of the threat actor. GTIG describes the group only as having a "strong record of high-profile incidents and mass exploitation." That language strongly suggests an established financially-motivated group that the security community would recognize by name. Withholding that name limits attacker situational awareness about how Google's detection works.
• The specific AI model used. Google explicitly stated it was confident the model was neither Gemini nor Anthropic's Mythos Preview. That leaves a broad field: the most likely candidates are open-weights frontier models that can be run privately, or paid frontier APIs accessed through shared credentials. GTIG's choice not to specify is consistent with not handing attackers a "use this model, it works" recommendation.

This is responsible disclosure of a capability claim, not a marketing announcement. The shape of the finding matters more than the names of the specific players involved.

The Hultquist Quote That's Going to Get Cited a Lot

John Hultquist, chief analyst at Google Threat Intelligence Group, framed the disclosure in language that landed across every major outlet covering it. In remarks reported in the press around the disclosure, he said: "It's here. The era of AI-driven vulnerability and exploitation is already here." And in the official GTIG framing, he described the discovery as "the tip of the iceberg", adding that "this problem is probably much bigger; this is just the first tangible evidence that we can see."¹⁰

Two things are worth unpacking in that framing. First, Hultquist is explicitly correcting a misconception that the threat is in the near future. He is putting it firmly in the present tense. Second, the "tip of the iceberg" language concedes that GTIG's detection is signal-limited. Detection requires finding the artifacts: hallucinated scores, textbook structure, excessive docstrings. A more disciplined attacker who strips those tells from the AI-generated code before deployment leaves no obvious LLM fingerprint. Hultquist is saying, between the lines, that the group GTIG caught was loud. Quiet ones are likely already operating.

How This Sits Next to Anthropic's Project Glasswing

The juxtaposition with Anthropic's Project Glasswing, launched in April 2026, is striking. Anthropic restricted access to its most cyber-capable model — Claude Mythos Preview, announced April 7, 2026 — specifically to defenders, on the theory that giving 12 launch partners (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself) plus over 40 additional critical-infrastructure organizations early defensive access would let them harden critical software before equivalent capability becomes widely available to attackers.¹¹

GTIG's May 11 finding is the strongest empirical evidence so far that Anthropic's bet matters. Defenders are not racing against a hypothetical future model — they are racing against attackers who already have an operational AI-assisted exploit pipeline. The Glasswing partner organizations have a head start measured in weeks, not years. Whether that head start is enough is now the central operational question for every CISO whose attack surface includes open-source administration tools — which is essentially every CISO.

What Defenders Should Do — This Week, This Quarter, This Year

GTIG's disclosure is short on prescriptive advice, but the threat-modeling implications are direct.

This week:

• Audit your open-source web administration tools for 2FA implementation depth. The specific tool GTIG references is unnamed, but the class — open-source, web-based system administration with a 2FA gate — describes dozens of widely deployed products. Look specifically for hard-coded trust assumptions in the authentication path: anywhere your code says "if the user got past step X, assume step Y is also valid," that is exactly the class of bug an LLM will notice.
• Patch aggressively, even on advisory-only releases. The vendor in this case patched quietly, which means many production systems are receiving the fix as a routine version bump rather than an urgent advisory. Treat all 2FA-adjacent patches in open-source admin tools as critical until proven otherwise this quarter.

This quarter:

• Add LLM-fingerprint detection to your exploit analysis pipeline. GTIG identified this exploit by the textbook docstrings, the hallucinated CVSS, and the clean Python structure. Your incident response analysts should be primed to recognize the same fingerprints when they appear in suspicious payloads on your network. This is becoming a real category of forensic signal.
• Stress-test your detection against AI-generated malware. PROMPTFLUX, FRUITSHELL, and now AI-developed exploit pipelines mean that the assumption "malware was written by a human and looks like a human wrote it" is now wrong. Red-team exercises that include LLM-generated payloads — easy enough to commission internally — will surface gaps in detection that your current playbooks don't anticipate.

This year:

• Treat AI-generated zero-day discovery as a structural threat, not an episodic one. If GTIG's "tip of the iceberg" framing is right, the operational rate of AI-developed exploits is set to rise non-linearly. Defenders who plan their 2026–2027 cycle around the assumption that previously-undisclosed vulnerabilities will be weaponized faster than they have been at any point in computing history will be closer to right than defenders who plan for a continuation of 2024-style timelines.

Bottom Line

The cybersecurity industry has spent two years arguing about when AI would meaningfully change the offensive side of the security balance. GTIG's May 11 disclosure settles that argument. AI-assisted zero-day exploitation is in the wild, was caught by accident in code that wasn't sanitized of its LLM fingerprints, and almost certainly has quieter, better-sanitized siblings already operating. The defenders' side has its own AI advantage — Anthropic's Project Glasswing, Google's own defensive use of Gemini, AISI's evaluation infrastructure — but the asymmetry is now real and bidirectional. Plan accordingly.