1ST WILD ZERO-DAY EXPLOIT ASSESSED AS AI-GENERATED

Google flags the first wild AI-built zero-day. It's a 2FA bypass, and the giveaway was a hallucinated CVSS score.

Google's Threat Intelligence Group says cybercriminals shipped the first known in-the-wild zero-day exploit built with an LLM. The defender lesson isn't the exploit, it's the cycle time.

// Vuln Desk · News Desk · 12 May 2026 · vulnerability · identity · technology · commentary
// Source · cloud.google.com

Google’s Threat Intelligence Group published a report on Monday that, underneath some unfortunately AI-flavoured framing, contains the first clean public example of something defenders have been bracing for. A cybercrime cluster has shipped an in-the-wild zero-day exploit that Google assesses, with high confidence, was built with the help of a large language model. Not as a research curiosity. As part of what GTIG describes as a “mass vulnerability exploitation operation.”

The bug is a 2FA bypass in an unnamed but popular open-source web-based system administration tool. Google worked with the vendor to patch it and is keeping the product name out of the report until the rollout is complete. The exploit requires valid user credentials, so this is not unauthenticated remote code execution. It is the post-credential half of the kill chain: steal a password, defeat the second factor, get a full session. The underlying defect, in Google’s words, is a “high-level semantic logic flaw arising from a hard-coded trust assumption”, which is the polite security-research way of saying that somewhere in the codebase a developer decided a particular value arriving from a particular place could be trusted without a check. That is also exactly the class of mistake you would point an LLM at if you wanted to sweep a codebase for it at scale, which is what makes the pairing of model and bug class notable.
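To make the phrase concrete, here is an added, hypothetical illustration of what a “hard-coded trust assumption” in a second-factor check looks like beside a version that does not have one. This is example code written for this post; it is not the unnamed tool’s code and not the bug GTIG describes. The `twofactor_done` form field, the `ExampleAdmin`-style in-memory `USERS` and `SESSIONS` stores, and the plaintext passwords are all assumptions made to keep the demo short. The TOTP routine is plain RFC 6238 over HMAC-SHA1 so that the hardened path checks a real code.

```python
"""Vulnerable vs hardened second-factor check (constructed example).

The vulnerable path trusts a client-supplied flag to mean "2FA already done".
The hardened path keeps authentication state on the server and only lets a
correct TOTP code move a pending session to authenticated.
"""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed user store; plaintext password only to keep the demo short.
# The TOTP secret is the RFC 6238 test key so the vectors can be checked.
USERS = {
    "admin": {"password": "correct horse battery", "totp_secret": b"12345678901234567890"},
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _password_ok(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["password"], password)


# --- VULNERABLE -------------------------------------------------------------
def login_vulnerable(username: str, password: str, form: dict, at=None):
    """Trust assumption: 'twofactor_done' is only ever set by our own first-step
    page, so a request carrying it has already passed 2FA. Wrong: every form
    field is attacker-controlled, so a valid password plus one extra field
    yields a full session and the second factor is never asked for."""
    if not _password_ok(username, password):
        return None
    if form.get("twofactor_done") == "1":          # the hard-coded trust
        return {"user": username, "authenticated": True}
    at = int(time.time()) if at is None else at
    if hmac.compare_digest(form.get("totp", ""), totp(USERS[username]["totp_secret"], at)):
        return {"user": username, "authenticated": True}
    return None


# --- HARDENED ---------------------------------------------------------------
SESSIONS: dict = {}   # server-side state keyed by an opaque token (in-memory stand-in)
MAX_TOTP_FAILS = 5


def login_step1(username: str, password: str):
    """Password check. Returns an opaque token for a session that is NOT yet
    authenticated; the state lives on the server, never in the request."""
    if not _password_ok(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "state": "password_ok", "fails": 0}
    return token


def login_step2(token: str, code: str, at=None) -> bool:
    """Second factor. Only a pending session can be upgraded, the code is checked
    against the server's own record of the user, and repeated failures burn the
    pending session instead of leaving it around to be brute-forced."""
    sess = SESSIONS.get(token)
    if sess is None or sess["state"] != "password_ok":
        return False
    at = int(time.time()) if at is None else at
    secret = USERS[sess["user"]]["totp_secret"]
    # Accept the current and the previous 30 s window to absorb clock drift.
    if not any(hmac.compare_digest(code, totp(secret, at - drift)) for drift in (0, 30)):
        sess["fails"] += 1
        if sess["fails"] >= MAX_TOTP_FAILS:
            del SESSIONS[token]
        return False
    sess["state"] = "authenticated"
    return True


def is_authenticated(token: str) -> bool:
    return SESSIONS.get(token, {}).get("state") == "authenticated"


if __name__ == "__main__":
    # Password plus a forged flag: the vulnerable flow hands out a session.
    print(login_vulnerable("admin", "correct horse battery", {"twofactor_done": "1"}))
    # Same forged field is simply not a thing the hardened flow reads.
    tok = login_step1("admin", "correct horse battery")
    print(login_step2(tok, "000000"), is_authenticated(tok))
```

The review question the post poses applies directly: in `login_vulnerable`, which side of the trust boundary does `form["twofactor_done"]` come from, and what checks it? Nothing does, so the field is load-bearing and attacker-controlled at once. In the hardened flow there is no input that can assert “already authenticated”; only the server’s own state machine can say so, and the only transition into it is a verified code.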

The reason GTIG is willing to put its name to the AI-authorship claim is the exploit script itself, which is full of the kind of giveaway a junior LLM user leaves behind when they don’t think to sanitise the output. Educational docstrings. A textbook help menu. The clean, named “_C” ANSI colour class for terminal output that LLMs love. And, in the comments, a hallucinated CVSS score that maps to no real CVE, the kind of detail a model invents when prompted to make code look authoritative. None of that is conclusive on its own, and all of it is trivial to strip, but taken together it’s the same fingerprint shape that academic researchers have been pulling out of student-written and AI-assisted code for two years. The exploit was not laundered through a competent human reviewer before it shipped. That, by itself, tells you something about the operator’s confidence in the model.
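Those tells are mechanical enough to triage for. What follows is an added example of a heuristic scorer, written for this post rather than anything GTIG published, that counts the four markers named above over a script’s source: long docstrings, `help=` kwargs in an argparse menu, a class whose body is ANSI colour constants, and a CVSS score quoted in a file that never cites a CVE. Both input scripts are constructed (the product name “ExampleAdmin” is fictional and neither sample does anything); the weights are arbitrary. It is a ranking aid for a human reviewer, not proof of authorship, and because every marker is trivial to strip, a low score means nothing.

```python
"""Heuristic triage of a script for LLM-authorship tells (constructed example)."""
import re
from dataclasses import dataclass, field

# An assignment whose value opens with an ANSI escape, e.g. RED = "\033[91m"
ANSI_ASSIGN = re.compile(r"""=\s*['"](?:\\033|\\x1b|\\e)\[""")
DOCSTRING = re.compile(r'"""(.*?)"""', re.S)
HELP_KWARG = re.compile(r"""\bhelp\s*=\s*['"]""")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")
# A bare decimal such as 9.8 or 10.0; the lookbehind skips version tags like v3.1
SCORE_TOKEN = re.compile(r"(?<![\w.])(\d{1,2}\.\d)(?![\d.])")


@dataclass
class Tells:
    docstrings: int = 0                                # docstrings of 40+ characters
    help_entries: int = 0                              # argparse help="..." kwargs
    ansi_classes: list = field(default_factory=list)   # classes holding colour codes
    cvss_scores: list = field(default_factory=list)    # scores on lines mentioning CVSS
    cve_ids: list = field(default_factory=list)

    @property
    def cvss_without_cve(self) -> bool:
        """A CVSS score with no CVE anywhere in the file: the 'invented authority' tell."""
        return bool(self.cvss_scores) and not self.cve_ids

    def score(self) -> float:
        """Weighted, capped sum; weights are arbitrary triage values, not calibrated."""
        s = min(self.docstrings, 5) * 1.0
        s += min(self.help_entries, 5) * 0.5
        s += 2.0 * len(self.ansi_classes)
        s += 3.0 if self.cvss_without_cve else 0.0
        return s


def find_ansi_classes(src: str) -> list:
    """Names of classes whose indented body holds two or more ANSI colour constants."""
    names, lines = [], src.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^class\s+(\w+)\b.*:\s*$", line)
        if not m:
            continue
        body = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt[0].isspace():   # dedent ends the class body
                break
            body.append(nxt)
        if sum(1 for b in body if ANSI_ASSIGN.search(b)) >= 2:
            names.append(m.group(1))
    return names


def find_cvss_scores(src: str) -> list:
    """Last plausible score (0.0-10.0) on each line that mentions CVSS."""
    out = []
    for line in src.splitlines():
        if "CVSS" not in line:
            continue
        tokens = [float(t) for t in SCORE_TOKEN.findall(line) if float(t) <= 10.0]
        if tokens:
            out.append(tokens[-1])
    return out


def triage(src: str) -> Tells:
    t = Tells()
    t.docstrings = sum(1 for d in DOCSTRING.findall(src) if len(d.strip()) >= 40)
    t.help_entries = len(HELP_KWARG.findall(src))
    t.ansi_classes = find_ansi_classes(src)
    t.cvss_scores = find_cvss_scores(src)
    t.cve_ids = CVE_ID.findall(src)
    return t


# Constructed sample in the style the report describes; "ExampleAdmin" is
# fictional and the file does nothing beyond building a parser.
SAMPLE_LLM_STYLE = r'''#!/usr/bin/env python3
"""
Proof of concept for an authentication flaw in ExampleAdmin (CVSS 9.8, Critical).

This script demonstrates the issue for educational and authorised testing only.
"""
import argparse


class _C:
    """ANSI colour codes for pretty terminal output."""
    RED = "\033[91m"
    GREEN = "\033[92m"
    YELLOW = "\033[93m"
    RESET = "\033[0m"


def build_parser():
    """Build the command-line interface for the proof of concept."""
    p = argparse.ArgumentParser(description="ExampleAdmin authentication PoC")
    p.add_argument("--target", required=True, help="Base URL of the target")
    p.add_argument("--user", required=True, help="Valid username")
    p.add_argument("--password", required=True, help="Valid password")
    p.add_argument("--verbose", action="store_true", help="Print request details")
    return p
'''

# Constructed terse sample with none of the tells (also does nothing useful).
SAMPLE_TERSE = r'''import sys
import requests
u, p, url = sys.argv[1:4]
r = requests.Session().post(url + "/login", data={"user": u, "pass": p})
print(r.status_code)
'''

if __name__ == "__main__":
    for name, src in (("llm-style", SAMPLE_LLM_STYLE), ("terse", SAMPLE_TERSE)):
        t = triage(src)
        print(f"{name}: score={t.score():.1f} {t}")
```

The CVSS check is the one worth keeping even if you throw the rest away: a score is only meaningful relative to a CVE, so a file that quotes one without the other is either sloppy or invented, and either is a reason to look harder at where the sample came from.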

The rest of the GTIG report fills in the operational picture around this one finding. There is a Gemini-abusing Android remote access trojan called PromptSpy that uses the live model to interpret what’s on the user’s screen and decide what to do next, including an “AppProtectionDetector” module that finds the on-screen coordinates of the Uninstall button and quietly draws an invisible overlay over it so the victim’s taps don’t register. A suspected China-aligned cluster, UNC2814, has been getting Gemini to role-play as a network security expert in order to coax vulnerability research out of it on TP-Link firmware and the OFTP protocol. APT45, the North Korean group, has been firing thousands of repetitive prompts at the model to validate proof-of-concept exploits for known CVEs. Russia-linked clusters targeting Ukraine are deploying malware (CANFAIL, LONGSTREAM) whose decoy code is itself LLM-generated. There is also a brisk grey-market economy of “shadow API” relay services hosted outside mainland China that offer cheap, unsanctioned access to Claude and Gemini — and which silently substitute weaker models for the ones being requested, with documented accuracy collapses on benchmarks like MedQA. The CISPA research that catalogues these is in the report’s footnotes; it’s worth reading separately.

So what should defenders actually do with this? The temptation, especially for press-office consumption, is to treat the AI-built exploit as the headline and the rest of the report as colour. That gets the lesson the wrong way round. The 2FA-bypass exploit was caught, disclosed and patched. The structural finding is that the discovery-to-weaponisation-to-exploitation cycle is now visibly compressing for the most ordinary sort of authentication bug, the kind every large enterprise stack contains in volume. The economic effect of that compression is to push more attackers further down the cost curve. Bugs that were not worth burning a researcher on six months ago become worth a model session today.

For UK financial-services defenders, the operational implication tracks what Proofpoint’s Ryan Kalember said about Anthropic’s Mythos a fortnight ago, and what the FCA has been telegraphing in its operational-resilience consultations. Faster patch cycles where you can, tighter blast-radius reduction where you can’t, and a working assumption that any new disclosure in a tool you depend on has a shorter fuse than its CVSS score suggests. The 2FA bypass in Google’s report is, structurally, a hard-coded trust assumption that survived code review. Look at your own estate with that phrase in mind and ask which of those assumptions are still load-bearing.

The other quieter line in the GTIG report deserves a separate post, and probably gets one. TeamPCP — the same cluster behind the npm/Checkmarx Shai-Hulud campaign — is now compromising AI-development environments themselves, which extends the software-supply-chain problem from “what your build pipeline trusts” to “what your model-augmented developer trusts.” That’s not a 2026 problem. It’s a 2026 problem with a 2030 tail.
