Google found a zero-day exploit that it believes was entirely developed by an AI model — and stopped the attack before it ever reached production systems.
The find came from Google’s Threat Intelligence Group, which spotted a Python script targeting a semantic logic flaw in a popular open-source sysadmin tool. The exploit bypassed two-factor authentication by exploiting a hardcoded trust assumption — the kind of subtle design-level bug that traditional vulnerability scanners don’t catch. The code had all the hallmarks: hallucinated CVSS scores, textbook-style docstrings, and the structured formatting typical of LLM output.
The threat actor behind it was planning a mass exploitation event. Google worked with the affected vendor to patch the vulnerability before it was ever weaponised at scale.
🔍 THE BOTTOM LINE
The first confirmed AI-written zero-day exploit in the wild means the theoretical risk we’ve been warning about just became a logs-entry incident. The gap between “AI can help find bugs” and “AI can autonomously weaponise them” just closed.
Google’s GTIG report documents a shift from experimental to industrial-scale AI hacking
The report, published Monday, covers far more than one exploit. It maps a maturing ecosystem where state-sponsored actors from China, North Korea, and Russia are now using AI to find and weaponise vulnerabilities at scale.
Key findings:
- AI-developed exploits are here. The zero-day Google found was a Python script that exploited a semantic logic flaw — not a memory corruption bug or input validation error, but a design-level mistake in 2FA trust logic.
- AI-augmented coding for defence evasion. Russia-linked threat actors are using AI-generated decoy code to hide malware targeting Ukrainian systems.
- Autonomous malware. An Android malware called PROMPTSPY uses Google’s own Gemini API to navigate victim devices, capture biometric data, and block its own uninstallation — without human operators.
- Supply chain attacks on AI ecosystems. Groups like TeamPCP are targeting AI software dependencies as initial access vectors.
“The AI cybersecurity arms race that experts warned about is no longer theoretical,” the report states. “It is in Google’s incident response logs.”
What makes this exploit different
Cybersecurity researchers have been using AI to find vulnerabilities for months — that’s not news. What’s new here is the generation of a working exploit from scratch, targeting a logic-level vulnerability that no automated scanner would have found.
The exploit code contained educational comments, fake but realistic CVSS scores, and structured formatting — signatures of LLM-generated output. This wasn’t a researcher using AI as a helper tool. An AI model appears to have identified the vulnerability, written the exploit, and provided the documentation an attacker would need to deploy it.
The implications for enterprise security
For IT teams and security operations centres, this changes the threat model in a few uncomfortable ways:
- Vulnerability discovery is now asymmetric. Attackers can ask an AI to find logic-level flaws; defenders are still largely reliant on signature-based detection and manual code review.
- The cost of finding zero-days just dropped to nearly zero. Any threat actor with API access to a capable model can now attempt exploit generation.
- AI-on-AI defence is becoming necessary. Google stopped this attack because its Threat Intelligence team was actively hunting for this kind of activity — but most organisations don’t have Google-level resources.
🗣️ Editorial Voice
A lot of security researchers have spent the last two years saying “it’s only a matter of time before someone uses AI to write a working zero-day.” Well, that time is now. And the fact that Google stopped this one before it was deployed doesn’t mean the next one will be so lucky.
What’s genuinely worrying is the asymmetry. The defender has to find every vulnerability; the attacker only needs one. If AI lets attackers generate working exploits at near-zero marginal cost, the economics of offensive security just got terrifyingly favourable for the bad guys.
The PROMPTSPY finding is almost worse in its own way — malware that uses Gemini’s API to navigate a victim’s phone autonomously? That’s not a script. That’s an agent. And it’s already in the wild.
❓ Frequently Asked Questions
Q: Is this the first AI-developed exploit ever? It’s the first one Google has confirmed with high confidence. There are almost certainly others that haven’t been detected yet.
Q: How did Google stop it? GTIG researchers identified the exploit script, traced it to the vulnerability it targeted, worked with the affected vendor to patch the flaw, and disrupted the broader operation before mass exploitation began.
Q: What does this mean for NZ businesses? Most NZ enterprises rely on enterprise software that could contain the same class of logic-level vulnerabilities. The traditional approach of “patch when a CVE comes out” is no longer sufficient — attackers can now find and exploit flaws before they’re publicly disclosed. NZ’s CERT and security teams need to be watching this space closely.
Q: Can AI defences keep up? Google argues that AI-on-AI defence is the required response. Traditional signature-based detection won’t catch AI-generated exploits that mutate between deployments. This is going to require a fundamentally different security architecture.
🔍 THE BOTTOM LINE
The AI cybersecurity arms race just entered its industrial phase. The first confirmed AI-written zero-day has been found, stopped, and documented — but it won’t be the last. Organisations that aren’t planning for an AI-enabled threat landscape are already behind.
SOURCES
- Google Threat Intelligence Group — Adversaries Leverage AI for Vulnerability Exploitation
- The Next Web — Google identifies first AI-developed zero-day exploit
- The Verge — Google stopped a zero-day hack developed with AI
