Google Finds Hackers Used AI for First Zero-Day Exploit

Researchers at Google Threat Intelligence Group (GTIG) have identified what they believe is the first case of a threat actor using AI to develop a zero-day exploit. The exploit targeted a popular open-source web administration tool and was designed to bypass its two-factor authentication protection. The tool itself was not named in the report.

Although the attack was foiled before reaching the mass exploitation phase, the incident illustrates that threat actors are relying more on AI assistance for vulnerability discovery and exploitation efforts. Google notified the software developer about the significant threat, enabling timely action to disrupt the attack.

GTIG reached its conclusion with high confidence after examining the structure and content of the Python exploit code. The script contains an abundance of educational docstrings, including a hallucinated CVSS score, and uses a structured, textbook Pythonic format highly characteristic of LLMs training data.

The large language model used remains unclear. Google explicitly rules out the possibility that its Gemini model was involved in the process.

Additional evidence of AI involvement is the nature of the vulnerability itself. It was a high-level semantic logic bug that AI systems excel at identifying, rather than memory corruption or input sanitization issues typically uncovered through fuzzing or static analysis.

The GTIG researchers stated in their report, "For the first time, GTIG has identified a threat actor using a zero-day exploit that we believe was developed with AI." The report was published on May 11, 2026.

This case marks a notable shift in how adversaries are using AI tools, with the Python code's characteristics providing clear indicators of large language model generation.