Google says it caught the first AI-generated zero-day exploit before mass deployment

Google’s Threat Intelligence Group published a post on May 11, 2026 disclosing that it has “high confidence” it observed a criminal threat actor using an AI model to author a working zero-day exploit, a previously unknown software flaw, that bypassed two-factor authentication on a popular online system administration tool. Google said the attacker planned a “mass exploitation event” but was disrupted before the operation caused damage; the affected vendor and law-enforcement partners have been notified.

Google’s chief analyst on the threat intel team, John Hultquist, framed it as “the moment cybersecurity experts have warned about for years”: malicious actors using frontier AI not just to write phishing emails or polymorphic malware, but to discover and weaponize software flaws that human researchers had not yet found.

Why this matters

Until today, the AI-and-cybersecurity story has been told mostly by the labs themselves, OpenAI’s GPT-5.5-Cyber, Anthropic’s Mythos, and similar programs marketed as defensive tools that uplift blue teams more than red teams. Google’s disclosure is the first concrete data point that the offensive side has caught up enough to ship a working zero-day inside an active intrusion plan.

It also lands one week after OpenAI’s May 7 announcement of GPT-5.5-Cyber’s limited-preview rollout, and on the same day that OpenAI extended that program to EU defenders. The juxtaposition is unflattering for the broader narrative: the same week the major labs are publishing defender-side announcements, the offense side has reached “AI authored an exploit that bypassed 2FA on real production systems.”

For frontier-model providers, this means three things land in their lap simultaneously:

1. Regulators get a concrete case to point at when arguing for capability evaluations and red-team disclosures.
2. Insurance underwriters get a new exposure category, AI-developed exploits, that they will price separately.
3. Enterprise buyers will start asking which model the attacker used, and whether their own choice of frontier model carries the same offensive risk.

Google has not publicly named the model used by the attacker.

Buyer take

Three things every security team should do this week:

• Re-verify your 2FA posture. The disclosed exploit specifically bypassed 2FA on a sysadmin tool Google declined to name. If you rely on TOTP-based 2FA for privileged-access workflows, accelerate the move to phishing-resistant authentication (FIDO2, passkeys, hardware keys). OpenAI is already mandating this for its most-permissive cyber-program users from June 1.
• Treat your patch cadence as an AI exposure. The window between AI-generated proof-of-concept and AI-generated mass exploitation is now measurably tight. If your patching baseline is “within 30 days of disclosure,” that is a posture from a different threat era.
• Demand AI-uplift testing from your vendors. Anyone selling you a frontier model for cyber workflows, defensive or otherwise, should be able to describe their internal evaluations for offensive-cyber uplift and their disclosure pipeline for newly observed attacker behavior.

What is still unclear

Google did not name the AI model used by the attacker, the sysadmin tool that was targeted, or the threat actor responsible. It also has not disclosed how it detected the AI fingerprints inside the exploit chain, meaning other defenders cannot yet build the same signal into their own tooling. Expect more detail through coordinated disclosure over the coming weeks, and expect competing labs (Anthropic, Microsoft, OpenAI) to publish their own observed-attacker writeups in response.