Google: First AI-built zero-day found in the wild
Google’s Threat Intelligence Group stopped a Python exploit in early May that bypassed two-factor authentication on a popular open-source admin tool and showed large language model signals.
Google’s Threat Intelligence Group (GTIG) detected and neutralized what it describes as the first known AI-built zero-day exploit in the wild in early May. The malicious code was a Python script crafted to bypass two-factor authentication on a widely used open-source system administration tool; Google did not identify the vendor.
The script carried tutorial-style docstrings and a fabricated Common Vulnerability Scoring System score, features GTIG says point to authoring with a large language model. Google noted its Gemini model was not used in the attack. GTIG reported that its proactive discovery likely prevented a planned wide-scale exploitation and that it provided limited technical details while affected parties work to patch the flaw.
GTIG’s accompanying report flags several other developments. The report identifies malware families labeled PROMPTFLUX and PROMPTSPY and describes an Android backdoor that queries Gemini in real time to determine its next steps. Investigators also found activity by groups linked to China and North Korea training private models on a dataset of roughly 85,000 known vulnerabilities to automate discovery and exploitation workflows.
To counter those threats, Google described two defensive systems. Big Sleep is an autonomous agent designed to hunt for zero-days before attackers find them, and CodeMender is an automated patching system. Google reported that Big Sleep already closed a flaw that adversaries were preparing to weaponize.
John Hultquist, chief analyst for GTIG, warned, “Each new generation of models will reduce the need for expert-developed harnesses, but they are almost certainly out there. We have to recognize the limits of our visibility into the backend of spies and criminals. The signs won’t be obvious. The race has started already.” The report calls for broader attention to detection gaps and the limits of current visibility into attacker infrastructure.
The report also addresses risks to cryptocurrency infrastructure. Separate analysis from an industry research team found autonomous AI agents exploit smart contracts at roughly twice the rate they detect vulnerabilities. GTIG cited prior incidents in which AI-assisted tools were used to drain wallets and referenced a browser flaw that exposed private keys. Some exchanges and custodians are building AI-based defenses in response.
GTIG’s findings note that both attackers and defenders are deploying autonomous agents. The report highlights implications for patch management, vulnerability disclosure and the security of systems that hold or guard financial assets as organizations apply AI to both offense and defense.








