Hackers Used AI to Build a Working Zero-Day Exploit, Google Says — What It Means for Your Two-Factor Logins

For years, security researchers warned that generative AI would eventually let criminals find and weaponize software flaws faster than defenders can patch them. This week, Google said that future has arrived.

On May 11, 2026, the Google Threat Intelligence Group (GTIG) published its AI Threat Tracker report, “Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access.” The headline finding: GTIG identified what it calls the first observed case of a financially motivated threat actor using an AI model to develop a working zero-day exploit, then preparing to deploy it at scale before the company intervened.

“For every zero-day we can trace back to AI, there are probably many more out there,” John Hultquist, chief analyst at Google’s threat intelligence group, said in interviews tied to the report.

What Google actually found

According to the GTIG report, the zero-day was a Python script designed to bypass two-factor authentication on “a popular open-source, web-based system administration tool.” Google did not name the product, citing responsible-disclosure rules: GTIG said it “worked with the impacted vendor” to patch the flaw before publishing.

A few details from the writeup stand out. The exploit code was unusually well documented, with what GTIG described as “an abundance of educational docstrings, including a hallucinated CVSS score” — a tell-tale sign that a large language model generated it. The bypass technically requires a set of valid user credentials to start, so it is not a fully remote takeover. But Google said the criminal group behind it was already partnering with other actors “to plan a mass vulnerability exploitation operation,” meaning the goal was to hit targets at scale rather than picking off a handful of victims.

Crucially, GTIG said it does not believe its own Gemini model was used. The agency assessed with “high confidence” that the attackers relied on a separate AI model, without naming it.

Why this matters for ordinary users

Most readers will never log into the obscure server tool that was targeted. The reason the story matters anyway is what it signals about the broader threat curve.

GTIG’s report describes a much wider pattern. A North Korean state-linked group it tracks as APT45 is sending “thousands of repetitive prompts” to AI systems to recursively analyze public CVEs and validate proof-of-concept exploits — essentially using a chatbot as an automated vulnerability research assistant. A China-linked group, APT27, used Gemini to build a fleet-management app for a covert proxy network. And Google detailed a new family of Android malware, PROMPTSPY, that calls a Gemini model in real time to navigate a victim’s phone, simulate taps and swipes, and capture biometric prompts to replay PINs and unlock patterns.

The takeaway is that AI is not yet giving attackers brand-new superpowers. It is making the tedious parts of cybercrime — writing decoy code, sifting through old vulnerability databases, drafting convincing phishing lures, automating navigation through a phone’s UI — dramatically cheaper. That accelerates the timeline between when a flaw is discovered and when it shows up in a mass campaign. It also raises the bar for everyone who relies on the same defenses they have used since 2015.

This is the same theme we covered when we wrote about the new AI scam that mimics your boss’s voice and empties your bank account: generative AI is industrializing techniques that used to require human craftsmanship.

Three things to do today

The GTIG report does not give consumer-level advice, but its findings line up with what U.S. agencies — the FTC, the FBI, and CISA — have been recommending for the last year. If you do nothing else this week, focus on three habits.

• Stop using SMS codes as your only second factor when an alternative exists. Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) or a hardware security key like YubiKey for any account that holds money, email access, or identity documents. SMS codes can be intercepted; passkeys and security keys cannot be phished the same way.

• Audit which apps run silently on your phone. The PROMPTSPY family disguises itself as a regular app and overlays an invisible layer on top of the Uninstall button so victims cannot remove it. The fix is to review your installed apps from the system settings (not from the app drawer), revoke Accessibility permissions for anything you do not recognize, and use the official phone-by-phone instructions we covered in our guide on how to know if someone is spying on you through your phone’s camera.

• Treat password reuse as a financial risk, not just a tech one. The Google-flagged exploit only worked because the attackers expected to harvest valid credentials elsewhere first. Use a password manager (1Password, Bitwarden, the one built into iOS or Chrome), turn on breach alerts, and never reuse the password from your email account anywhere else. Your inbox is the master key to every other account; protect it like cash.

The bigger picture for AI security

GTIG’s report fits into a busier policy week. On May 5, the U.S.Center for AI Standards and Innovation (CAISI) announced agreements with Google DeepMind, Microsoft, and xAI that will let the government evaluate frontier AI models before public release. The deals build on similar arrangements with OpenAI and Anthropic dating to 2024. The unspoken subtext is exactly what GTIG’s findings describe: regulators no longer believe the major labs alone can spot every malicious use of their tools.

For enterprises, the implication is that AI itself is becoming part of the attack surface. We have written before about how shadow AI raises new security risks for employees and the companies that hire them; that risk just got more concrete.

For investors, the bigger lesson is sectoral. Spending on AI-aware cybersecurity — endpoint detection vendors, identity-management providers, and the cloud security units inside Microsoft, Google, and Palo Alto Networks — is the budget line nobody is cutting in 2026. Every disclosure like this week’s strengthens that thesis.

For everyone else, the practical message is older and simpler than any AI debate. Turn on a real second factor. Stop reusing passwords. Assume the next phishing email or weird Android prompt was written by a model, not a person. The criminals already do.

Sources: Google Threat Intelligence Group, “Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access,” May 11, 2026; Bloomberg News, “Hackers Used AI to Build Zero-Day Attack, Google Researchers Say,” May 11, 2026; Fortune, “Google Issues Dire Warning After Catching Hackers Using AI,” May 11, 2026; CNBC, “Google says it likely thwarted effort by hacker group to use AI for ’mass exploitation event’,” May 11, 2026; U.S. Department of Commerce / CAISI announcement on Google, Microsoft, xAI government model testing, May 5, 2026.