Google's Threat Intelligence Group (GTIG) said on May 11, 2026 that it has identified — for the first time — a zero-day exploit it believes was developed with the help of artificial intelligence, and staged for use by a "prominent" cybercrime group in a live operation. Google said the planned attack was blocked before it could become what GTIG described as a potential "mass exploitation event."
What GTIG found
The exploit was a Python script designed to bypass two-factor authentication on a "popular open-source, web-based system administration tool" that Google declined to name. GTIG said it worked with the vendor to close the vulnerability and disrupt the campaign before the zero-day could be used widely. The underlying bug was a semantic logic flaw — the kind of reasoning error large language models are comparatively good at spotting — rather than the memory-corruption issues that traditional fuzzing typically surfaces.
How they could tell AI was involved
GTIG's analysts pointed to tell-tale fingerprints in the code: an abundance of "educational" docstrings, a hallucinated CVSS score, and a tidy, textbook-Pythonic structure characteristic of LLM training data. Google said it does not believe its own Gemini model was used; which model produced the exploit code is unclear.
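The fingerprints described above can be turned into a cheap triage heuristic for a file-analysis pipeline. The Python script below is an added example, not GTIG's tooling and not code from the report: it parses a source file with the standard `ast` module, measures how much of the file is docstring text and whether every definition carries one, and scans comment lines for a CVSS score asserted inside the code. The two sample sources it runs on are constructed for this example, and the 0.35 docstring-density threshold is an assumption, not a figure from the report.

```python
"""Heuristic triage for "LLM-style" Python sources: tutorial-grade docstring
density and a CVSS score claimed in the code. Added example; thresholds and
sample inputs are assumptions, not GTIG's method."""
import ast
import re

# Constructed sample in the over-documented "tutorial" style the report describes.
SAMPLE_SOURCE = '''"""
Token helper module.

Every function below is documented step by step so a reader can follow along.
"""
import hashlib


def derive_token(secret: str, counter: int) -> str:
    """
    Derive a one-time token from a shared secret and a counter.

    Args:
        secret: The shared secret string.
        counter: The moving counter value.

    Returns:
        A six-character hexadecimal token.
    """
    return hashlib.sha256(f"{secret}:{counter}".encode()).hexdigest()[:6]


def check_token(expected: str, supplied: str) -> bool:
    """
    Compare the expected token with the one the user supplied.

    Args:
        expected: The token the server computed.
        supplied: The token the user typed.

    Returns:
        True when the two tokens match, False otherwise.
    """
    # CVSS 3.1 base score: 9.8 (constructed placeholder, not a real rating)
    return expected == supplied
'''

# Constructed control: terse, undocumented code with no severity claim.
TERSE_SOURCE = (
    "import hashlib\n\n"
    "def t(s, c):\n"
    "    return hashlib.sha256(f'{s}:{c}'.encode()).hexdigest()[:6]\n"
)

SCORE_RE = re.compile(r"\b(\d{1,2}\.\d)\b")


def docstring_stats(source: str) -> dict:
    """Count definitions, how many are documented, and the share of the file
    that is docstring text (cleaned via ast.get_docstring)."""
    tree = ast.parse(source)
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = [n for n in defs if ast.get_docstring(n)]
    doc_chars = sum(len(ast.get_docstring(n)) for n in documented)
    module_doc = ast.get_docstring(tree)
    if module_doc:
        doc_chars += len(module_doc)
    total = len(source)
    return {
        "defs": len(defs),
        "documented": len(documented),
        "docstring_ratio": doc_chars / total if total else 0.0,
    }


def cvss_claims(source: str) -> list:
    """Return (line, score) pairs for lines mentioning CVSS that also carry a
    number in the 0.0-10.0 range; the last such number on the line wins, so
    'CVSS 3.1 base score: 9.8' yields 9.8 rather than the version 3.1."""
    claims = []
    for line in source.splitlines():
        if "cvss" not in line.lower():
            continue
        nums = [float(x) for x in SCORE_RE.findall(line)]
        nums = [n for n in nums if 0.0 <= n <= 10.0]
        if nums:
            claims.append((line.strip(), nums[-1]))
    return claims


def triage(source: str, ratio_threshold: float = 0.35) -> dict:
    """Combine the indicators into a list of human-readable flags.
    The ratio threshold is an assumed value for this example."""
    stats = docstring_stats(source)
    scores = cvss_claims(source)
    flags = []
    if (stats["defs"] and stats["documented"] == stats["defs"]
            and stats["docstring_ratio"] >= ratio_threshold):
        flags.append("tutorial-style docstring on every definition "
                     f"({stats['docstring_ratio']:.0%} of file)")
    for line, score in scores:
        flags.append(f"CVSS score asserted in code ({score}): {line}")
    return {"stats": stats, "cvss_scores": [s for _, s in scores], "flags": flags}


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_SOURCE), ("terse", TERSE_SOURCE)):
        print(name, triage(src))
```

A high docstring ratio on its own is weak evidence, since well-maintained libraries score high too; the value of a heuristic like this is in ranking unknown scripts for human review, and a severity score hard-coded into a script is the stronger of the two signals because legitimate code has no reason to carry one.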
"For the first time, GTIG has identified a threat actor using a zero-day exploit that we believe was developed with AI," the group wrote. John Hultquist, GTIG's chief analyst, added: "There's a misconception that the AI vulnerability race is imminent. The reality is that it's already begun" — and warned the finding is likely "the tip of the iceberg," saying "for every zero-day we can trace back to AI, there are probably many more out there."
Part of a wider pattern
The report situates the case alongside other state-linked abuse of AI for vulnerability research that Google has tracked: a Chinese espionage cluster (UNC2814) trying to coax Gemini into analyzing TP-Link and other embedded-device firmware for bugs, and a North Korea-linked group (APT45) sending thousands of prompts to validate proof-of-concept exploits for known (n-day) flaws. Google also referenced activity tied to clusters it tracks as APT27, UNC5673 and UNC6201. In most of those cases the actors were chasing efficiency gains; the new case is different because AI appears to have helped uncover a previously unknown vulnerability.
Why it matters
Defenders have long argued AI cuts both ways — accelerating patching and code review as well as attacks. This is the clearest public evidence yet that the offensive side is no longer hypothetical, and it will sharpen pressure on AI providers to harden guardrails around exploit generation, on software vendors to invest in their own AI-assisted code auditing, and on policymakers weighing disclosure rules for AI-discovered bugs. It also carries a quieter lesson for defenders: GTIG caught this one through code analysis and coordinated disclosure before it did damage — a reminder that AI-generated artifacts can be noisy enough to detect.