Google's Threat Intelligence Group just published something that should unsettle anyone running production infrastructure: the first confirmed zero-day exploit developed with AI assistance, spotted in the wild before it could be deployed.
What Google Found
The exploit targeted an unnamed "open-source, web-based system administration tool" and would have bypassed two-factor authentication at scale. Google's researchers believe "prominent cyber crime threat actors" planned a mass exploitation event.
The tell? The Python script contained a "hallucinated CVSS score" and "structured, textbook" formatting consistent with LLM training output. It's the kind of artifact that screams AI authorship — a model confidently fabricating a severity rating that doesn't exist in the real scoring database.
The Trust Assumption Kill
The vulnerability itself is almost elegant in its simplicity: a hardcoded trust assumption in the platform's 2FA system. The developer assumed that if 2FA was enabled, it was enforced. The AI found the gap between those two statements and wrote an exploit that walks right through it.
This is what AI-assisted offensive security looks like in practice. Not Hollywood-level autonomous hacking. Just a model that reads code faster than humans, spots logical flaws that humans miss, and generates working exploits with the confidence of a student who never learned what they don't know.
The Hallucination Problem Cuts Both Ways
The hallucinated CVSS score is the most interesting detail. We usually talk about AI hallucinations as a reliability problem — the model makes stuff up, we can't trust it. But here, the hallucination became forensic evidence. It was the signature that let Google identify AI involvement.
Future attackers will strip those artifacts. They'll clean the formatting, remove fabricated scores, add plausible human comments. This exploit was caught because it was sloppy. The next one won't be.
What Google Is Watching Next
The report goes further. GTIG has observed adversaries increasingly targeting the components that give AI systems their utility — autonomous skills and third-party data connectors. Hackers are also using "persona-driven jailbreaking" to get AI to find vulnerabilities for them, feeding models whole vulnerability databases and using tools like OpenClaw to refine payloads in controlled settings before deployment.
The cat-and-mouse game isn't human vs. human anymore. It's AI vs. AI, with humans trying to keep score.
The Verdict
Google says they disrupted this particular attack. That's good. But the real story is that the barrier to entry for sophisticated exploitation just dropped to "prompt an LLM and clean up the output."
The AI security community has been warning about this for years. Now it's happened. The next question isn't whether AI will be used to develop exploits. It's whether defense can scale as fast as offense when both sides are running at inference speed.
Published May 12, 2026. Source: Google Threat Intelligence Group report.