Google's Threat Intelligence Group (GTIG) said today it has high confidence it discovered the first real-world case of criminals using an AI model to find and weaponize a zero-day vulnerability (a previously unknown flaw) in a planned mass-exploitation campaign. The target: a popular open-source web-based administration platform with a two-factor authentication bypass. Google worked with the unnamed vendor to quietly patch the bug before the campaign could spread, which GTIG believes disrupted the attack before it gained traction. The model used wasn't Gemini. This is the first time defenders have publicly confirmed AI-built exploits moving from research papers and theoretical concerns into actual criminal operations against actual systems.
How Google knew AI was involved is the interesting part for non-specialists. The exploit code had what GTIG called telltale signs of being machine-generated: a "hallucinated" severity score (one that looked official but didn't match any real database), unusually textbook-perfect Python formatting, detailed help menus that human attackers don't typically write, and educational-style code comments characteristic of training data: the kind of explanations you'd find on Stack Overflow or in tutorials, written into an exploit by a model that learned how exploits look from public examples. Real human attackers ship terse, scrappy code; this exploit looked like it was written by a very competent intern who learned hacking from documentation. That signature is what flagged the campaign for analysis. It also means defenders have a new class of forensic markers to watch for, at least until attackers learn to strip them.
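As an added illustration (not code from GTIG's report or from any vendor), the markers described above can be turned into a rough triage heuristic for Python samples. The regexes, thresholds and embedded sample are assumptions constructed here; docstring coverage is only a proxy for "textbook" style, and a severity claim is flagged for checking against the real vulnerability database, not judged.

```python
import ast
import io
import re
import tokenize

# Constructed, benign sample standing in for a recovered script (not from the report).
SAMPLE = '''"""Connectivity checker. Severity: CVSS 9.8 (Critical)."""
import argparse

def build_parser():
    """Create the command-line parser."""
    # Step 1: create the parser object so users can pass options
    parser = argparse.ArgumentParser(description="Check that a host responds")
    # Step 2: add the target argument with a helpful description
    parser.add_argument("--host", help="Hostname to check, e.g. example.test")
    parser.add_argument("--timeout", help="Seconds to wait before giving up")
    return parser
'''

CVSS_RE = re.compile(r"CVSS[^0-9\n]{0,12}(\d{1,2}\.\d)", re.I)
TUTORIAL_RE = re.compile(r"#\s*(step\s+\d+|note:|first,|next,|finally,)", re.I)

def marker_report(source: str) -> dict:
    """Measure the four markers named in the article on one Python source file."""
    tree = ast.parse(source)
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    comments = [t.string for t in tokens if t.type == tokenize.COMMENT]
    lines = [s.strip() for s in source.splitlines() if s.strip()]
    code_lines = [s for s in lines if not s.startswith("#")]
    funcs = [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]
    help_args = [kw for n in ast.walk(tree) if isinstance(n, ast.Call)
                 for kw in n.keywords if kw.arg in ("help", "description", "epilog")]
    documented = [f for f in funcs if ast.get_docstring(f)]
    return {
        "severity_claims": CVSS_RE.findall(source),  # verify each against a real database
        "tutorial_comments": sum(bool(TUTORIAL_RE.match(c)) for c in comments),
        "comment_ratio": round(len(comments) / max(len(code_lines), 1), 2),
        "docstring_coverage": len(documented) / len(funcs) if funcs else 0.0,
        "help_strings": len(help_args),
    }

def triage_flags(r: dict) -> list:
    """Apply assumed thresholds; output is a prompt for analyst review, not attribution."""
    checks = [
        ("verify-severity-score", bool(r["severity_claims"])),
        ("tutorial-style-comments", r["tutorial_comments"] >= 2),
        ("detailed-help-menu", r["help_strings"] >= 3),
        ("fully-documented", r["docstring_coverage"] == 1.0),
    ]
    return [name for name, hit in checks if hit]
```

These style features also describe well-maintained legitimate tooling, so the flags are useful only for prioritizing samples already under investigation.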
The broader picture in the GTIG report puts this in context. North Korea's APT45 group is reportedly using AI to run thousands of automated exploit-feasibility checks against potential targets, turning what was once expert human work into a brute-force throughput problem. Chinese state-linked operators are experimenting with AI systems for vulnerability hunting and automated probing of target networks. The progression is what security researchers have been warning about for two years: AI lowers the cost and skill barrier for offensive security work faster than it raises the cost for defense, and now we're past the warning stage and into the documented-incidents stage. Defenders have AI tools too (Mozilla wrote up its AI security-bug-hunting pipeline for Firefox the same week), and the race is genuinely ongoing, but the asymmetry that one successful AI-built exploit can target millions of systems while one AI defender helps one organization is real and not going away.
What this means for everyday users and builders. For anyone running consumer software, the practical effect over the next 12-24 months is more frequent patches, more urgent update prompts, and probably some incidents where AI-discovered bugs get exploited faster than vendors can ship fixes. Keeping things updated has always mattered; it matters more now. For organizations running open-source administrative tools (think anything with a web admin panel), the threat model just shifted: assume your dependencies are being scanned by AI systems looking for previously-overlooked flaws, and prioritize updating the lower-traffic admin tooling that historically gets less attention. For builders deploying AI into security products, the GTIG signal is that the defender side of the AI security arms race is now openly visible and funded; this is going to be a category that gets serious investment over the next two years. The honest takeaway: AI-built attacks moved from "future risk" to "happening now" with this disclosure, and the security industry's response is going to define how disruptive the transition becomes.
