VYPR
Research · Published May 11, 2026 · Updated May 17, 2026 · 1 source

Google Identifies First AI-Developed Zero-Day Used in the Wild

Google researchers have uncovered the first known instance of a zero-day exploit developed with the help of AI, used by threat actors to facilitate a mass 2FA bypass campaign against a popular web administration tool.

Google’s Threat Intelligence Group (GTIG) has identified a zero-day vulnerability in a popular open-source web administration tool that was reportedly developed with the assistance of artificial intelligence. This incident marks the first documented instance of AI being used in the wild to facilitate both the discovery and weaponization of a security flaw for a large-scale exploitation campaign (The Hacker News).

The vulnerability itself is a high-level semantic logic flaw that allows attackers to bypass two-factor authentication (2FA) mechanisms, provided they already possess valid user credentials. According to GTIG, the exploit was delivered via a Python script that exhibited clear indicators of being generated by a large language model (LLM). These hallmarks included an abundance of educational docstrings, a hallucinated CVSS score, and a highly structured, textbook Pythonic format, such as the use of clean `_C` ANSI color classes and detailed help menus (The Hacker News).

The flaw stems from a hard-coded trust assumption within the application's logic—a type of vulnerability that researchers note LLMs are particularly adept at identifying during code analysis. While Google has not disclosed the specific name of the affected administration tool, it confirmed that it worked directly with the vendor to ensure the vulnerability was patched before the threat actors could achieve their goal of mass exploitation (The Hacker News).

This campaign underscores a significant shift in the threat landscape, where AI acts as a force multiplier for cybercriminals. Beyond vulnerability research, AI is increasingly being used to create polymorphic malware and autonomous agents. A separate, concurrent investigation by Google into Android malware named "PromptSpy" revealed how attackers are using AI to navigate user interfaces, capture biometric data for authentication replay, and even prevent uninstallation by using invisible overlays to block user touch events on the "Uninstall" button (The Hacker News).

The PromptSpy malware further demonstrates the operational resilience afforded by modern tooling, as it can dynamically update its command-and-control (C2) infrastructure, including Gemini API keys and VNC relay servers, without requiring a redeployment of the main payload. These developments suggest that the timelines for vulnerability discovery, weaponization, and exploitation are compressing rapidly (The Hacker News).

As AI-driven exploitation moves from theoretical concern to operational reality, the security community faces a future where attackers can automate complex attack chains with unprecedented speed. This trend toward autonomous, AI-assisted cyber operations suggests that defenders must prepare for a landscape where traditional manual response times are no longer sufficient to mitigate the risks posed by rapidly evolving, machine-generated threats (The Hacker News).

Synthesized by Vypr AI