Google says it has seen something security teams have worried about for years: criminal hackers apparently using artificial intelligence to discover and weaponize an unknown software flaw.
In research published Monday, Google’s Threat Intelligence Group said it had “high confidence” that a “prominent cybercrime” group likely leveraged an A.I. model to help find and exploit a zero-day vulnerability, an undisclosed security hole unknown to the software vendor at the time. Google described the attempted attack as the first known case of its kind, and analysts warned it may be an early sign of a broader shift in how cyberattacks are built.
What Google Says Happened
Google’s report describes a thwarted effort to exploit a vulnerability in a popular open-source, web-based system administration tool. The exploit code was written in Python and, if successful, could have enabled attackers to bypass two-factor authentication. Google noted the attack still would have required valid credentials such as user names and passwords, limiting its usefulness without additional access.
Google did not name the affected administration tool, the hacking group, or the A.I. platform it believes was used. It added that it did not think the model was its own Gemini. Google also withheld timing and targeting details, but said it notified the software maker quickly enough for a patch to be released before the attack could cause damage.
Why Researchers Believe A.I. Was Involved

Attributing code to A.I. is notoriously difficult. As Rob Joyce, former cybersecurity director at the National Security Agency, put it: A.I.-authored code “does not announce itself.”
Still, Google and outside reviewers pointed to clues that looked like the kind of output produced by a model rather than a careful human operator. These included unusually verbose “explainer” text and other oddities that experienced coders typically remove. Google also said it had additional indicators supporting its assessment, but declined to share them publicly.
John Hultquist, chief analyst at Google’s Threat Intelligence Group, called the incident “a taste of what’s to come,” arguing it may be “the tip of the iceberg” rather than a one-off anomaly.
The Bigger Risk: Zero-Days at Machine Speed
Zero-day vulnerabilities have historically been scarce, expensive, and strategically valuable, sometimes selling for seven figures in gray and black markets. The fear now is volume: advanced models may make the discovery of exploitable bugs cheaper and faster, and may also lower the skill barrier for criminals.
Google’s report lands amid a widening debate over how to release and govern more capable A.I. systems, particularly as governments weigh controls aimed at limiting misuse. It also arrives alongside industry claims that some new models can identify large numbers of previously unknown vulnerabilities across major operating systems and browsers, intensifying pressure on defenders to patch faster than attackers can adapt.
Conclusion

Google’s report suggests the industry is entering a new phase: defenders may face attacks shaped by A.I. not just for phishing or reconnaissance, but for finding the bugs themselves. That pushes security teams toward shorter patch cycles, more aggressive code auditing, and stronger credential protections so that even bypass techniques have less to work with.
Over time, A.I. could improve software quality by helping teams write and review safer code. For now, the immediate takeaway is practical and sobering: the internet is built on decades of imperfect code, and attackers may now have better tools to find the cracks first.