Google caught the first AI-built zero-day in the wild — and quietly patched it before the 'mass exploitation' could start
On May 11, Google's Threat Intelligence Group disclosed the first confirmed case of a criminal group using an AI model to find and weaponize a zero-day in a popular open-source admin tool, including a bypass of its two-factor authentication. Google and the vendor patched it before the campaign could go live. The line from theory to live AI-assisted attacks has now been crossed.

Here's the deal: the first AI-built zero-day in a real campaign just got caught
On May 11, Google's Threat Intelligence Group (GTIG) published a report of a kind we have not seen before. The headline in one line: a criminal actor used an AI model to discover a zero-day vulnerability and generate working exploit code for it, then started preparing a real campaign, and Google caught them before it went live. The target was a Python script inside a widely deployed open-source web admin tool. The bypassed protection was two-factor authentication (2FA). GTIG worked with the vendor to ship a quiet patch, and what the report calls a "mass exploitation event" was disrupted.
For years, the industry has said weaponized-AI cyber attacks were a "when, not if." This is the "when." GTIG chief analyst John Hultquist put it bluntly: "For every zero-day we can trace back to AI, there are probably more out there. Threat actors are using AI to boost the speed, scale, and sophistication of their attacks." Translation — this one case is the tip of an iceberg.
One detail matters more than the rest. Google explicitly said neither Gemini nor Anthropic's Mythos was involved. The report instead points to a model dubbed "OpenClaw" and notes "machine-authored artifacts" in the exploit code. Read between the lines: the safety guardrails on the big US/EU lab models held this time. The threat is moving to lightly aligned, weights-released open models that anyone can fine-tune for offensive tasks.
The cast — GTIG, an unnamed crime crew, OpenClaw, and the vendor that patched
Google Threat Intelligence Group (GTIG). Formed when Google merged Mandiant's intelligence unit with its in-house Threat Analysis Group (TAG). It pulls signal from Google Cloud, VirusTotal, Chronicle, and Mandiant, and is now arguably the largest single source of telemetry on global threat actors. The lead author of this report is chief analyst John Hultquist, described as an ex-NATO and US DoD cyber advisor and one of the most cited analysts in the industry.
The criminal actor. GTIG didn't name them. The report flags (1) a financially motivated profile, (2) infrastructure consistent with an Eastern European / Russian-speaking crew, and (3) TTPs that overlap with prior ransomware-as-a-service campaigns. So this isn't a state APT; it's an ordinary cyber-crime crew with a much lower barrier to entry, and that is the part that should worry defenders. State actors using AI was expected. Cyber-crime crews getting the same toolkit means the pool of actors able to run such a pipeline just grew by orders of magnitude.
OpenClaw (alleged model). Not an officially announced model. Security researchers have been tracking it as a "lightly-aligned, weights-released" LLM, most likely a fine-tune of a publicly available base (Llama, Mistral, or Qwen) tuned for offensive security tasks. GTIG didn't name the model directly but said the "code generation patterns, comment style, and naming conventions" matched OpenClaw-family outputs.
The patched vendor. Under coordinated disclosure, GTIG has not named the tool yet. The report only describes the category: "open-source web-based system management tool." Industry analysts are betting on phpMyAdmin, Webmin, or Cockpit Project; that is speculation, not anything GTIG said. The patch shipped quietly before May 11, and the user advisory was framed as a routine security update.
Anthropic, Google, OpenAI (bystanders). "Gemini and Anthropic Mythos were not used." That single sentence reads as an implicit endorsement: big-lab safety guardrails worked here. The structural problem the report exposes is that those guardrails do not extend to the broader open-weights ecosystem.
The new bits — and what's just faster, not different
What's new. First, vulnerability discovery and exploit authoring collapsed into a single LLM step. Historically, zero-day pipelines split into discovery → exploit dev → weaponization → distribution, often across different people. Here, one model did the first three. That compresses time from weeks to days for amateur-tier actors.
Second, "machine-authored artifacts" is now a forensic signal. The exploit code carried the LLM's tells — variable naming patterns, comment style, redundant boilerplate. That gave GTIG enough confidence to attribute "AI-generated." Going forward, attribution analysts will look for these tells, and crews wanting to evade them will need to add expensive human-in-the-loop scrubbing — which raises the cost back up.
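To make the idea of "machine-authored artifacts" concrete, here is an added example, not GTIG's tooling and not code from the report: a small heuristic scorer that looks for three of the tells named above in Python source. Which tells it checks (comments that narrate the line beneath them, a docstring on every function, a `__main__` guard on a throwaway script), the word lists and the weights are all assumptions made for this demo, and the two input snippets are constructed.

```python
"""Heuristic scorer for "machine-authored" tells in Python source (added example,
not GTIG's method). Which tells count, the word lists and the weights are all
assumptions made for this demo."""
import ast
import io
import re
import tokenize
from dataclasses import dataclass

WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STOP = {"the", "a", "an", "if", "is", "to", "of", "and", "or", "in", "it",
        "this", "that", "for", "with", "from", "on", "as", "be", "by"}
# Leading verbs typical of comments that restate the code instead of explaining it.
IMPERATIVE = {"check", "return", "open", "load", "print", "import", "create",
              "initialize", "set", "get", "call", "define", "iterate", "loop",
              "parse", "read", "write", "close", "validate", "compute", "build"}

@dataclass
class Features:
    comment_density: float   # comments per line that holds real code
    narration_ratio: float   # share of comments that restate the adjacent code
    docstring_ratio: float   # share of function definitions with a docstring
    has_main_guard: bool     # if __name__ == "__main__": present

def _scan(src):
    """One tokenize pass: (line, text) per comment, identifier parts per code line."""
    comments, names = [], {}
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.COMMENT:
            comments.append((tok.start[0], tok.string.lstrip("#").strip()))
        elif tok.type == tokenize.NAME:
            low = tok.string.lower()
            names.setdefault(tok.start[0], set()).update(p for p in {low, *low.split("_")} if p)
        elif tok.type in (tokenize.STRING, tokenize.NUMBER, tokenize.OP):
            names.setdefault(tok.start[0], set())   # code line without a new identifier
    return comments, names

def _is_narration(text, line, names):
    words = [w.lower() for w in WORD.findall(text)]
    words = [w for w in words if w not in STOP and len(w) > 1]
    if not words:
        return False
    if words[0] in IMPERATIVE:
        return True
    # Inline comment: compare with its own line; standalone: with the next code line.
    target = line if line in names else min((n for n in names if n > line), default=None)
    return target is not None and len(set(words) & names[target]) / len(words) >= 0.3

def features(src):
    comments, names = _scan(src)
    funcs = [n for n in ast.walk(ast.parse(src))
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    narrated = sum(_is_narration(t, ln, names) for ln, t in comments)
    with_doc = sum(ast.get_docstring(f) is not None for f in funcs)
    return Features(
        comment_density=len(comments) / max(len(names), 1),
        narration_ratio=narrated / len(comments) if comments else 0.0,
        docstring_ratio=with_doc / len(funcs) if funcs else 0.0,
        has_main_guard=bool(re.search(r"""if __name__ == ["']__main__["']\s*:""", src)),
    )

def score(src):
    """0..1, higher means more tells. A triage hint for analysts, not attribution."""
    f = features(src)
    return round(min(f.comment_density, 1.0) * 0.3 + f.narration_ratio * 0.4
                 + f.docstring_ratio * 0.2 + (0.1 if f.has_main_guard else 0.0), 3)

# Constructed inputs: a narrated, docstring-everywhere script and a terse human one.
LLM_STYLE = '''import json
import os

def load_config(path):
    """Load the configuration from the given path."""
    # Check if the file exists
    if not os.path.exists(path):
        # Return an empty dictionary
        return {}
    # Open the file and load the JSON data
    with open(path) as handle:
        return json.load(handle)

if __name__ == "__main__":
    # Print the loaded configuration
    print(load_config("config.json"))
'''

HUMAN_STYLE = '''import json, os

def load(p):
    # TODO: cache, hot path
    if not os.path.exists(p):
        return {}
    with open(p) as fh:
        return json.load(fh)  # raises on bad json, caller handles
'''
```

Calibrate `score()` over a corpus of known-human and known-generated samples before trusting the weights; on the two constructed snippets it scores the narrated one far above the terse one. Treat any such score as a triage signal for analysts rather than attribution, and expect it to degrade as soon as actors scrub their output, which is exactly the cost increase described above.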
Third, the target was 2FA bypass. 2FA has been the most effective mainstream account defense of the last decade. The fact that an LLM could surface a 2FA-bypass primitive in an admin tool on its own means the same workflow applies to any SaaS, identity, or SSO product whose second-factor enforcement is written in similar patterns. Given that the report describes the pattern as a privilege bypass, what fell was the tool's enforcement of the second factor, not the factor itself; the fix for that class of bug is server-side enforcement on every privileged path, whatever factor the user holds.
What's not new. GTIG also asked people not to overinterpret. The exploit pattern itself — privilege bypass plus a Python code injection chain — isn't a new species. A skilled human researcher could have found it. AI didn't invent the bug; it scaled the rate at which bugs like it can be discovered. The right framing: not "AI invented hacking," but "AI built an exploit factory."
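The 2FA-bypass class discussed above is, at its core, an enforcement-logic bug: the application decides a session is authenticated before the second factor has been verified, or a privileged route never checks that it was. The following is an added example, not code from the tool GTIG described and not its actual bug. The tiny app, its route names, session layout and user record are hypothetical, the password check is a bare SHA-256 to keep the example short, and the TOTP secret is the RFC 6238 test-vector seed so the codes can be checked against the RFC.

```python
"""Second-factor enforcement: a vulnerable flow beside a hardened one.

Added example; not code from the tool GTIG described. The app shape, route
names, session layout and user record are hypothetical, and the password
check uses bare SHA-256 only for brevity (use argon2/scrypt in real code).
"""
import hashlib
import hmac
import struct

# Constructed user record. The TOTP secret is the RFC 6238 test-vector seed.
USERS = {
    "admin": {
        "pw_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"12345678901234567890",
    }
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp_ok(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Accept the current code or one step either side; constant-time compare."""
    if not (code.isdigit() and len(code) == 6):
        return False
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-skew, skew + 1))

def password_ok(user: str, pw: str) -> bool:
    stored = USERS.get(user, {}).get("pw_sha256", "0" * 64)
    return hmac.compare_digest(stored, hashlib.sha256(pw.encode()).hexdigest())

class VulnerableApp:
    """Principal is set on password success alone, and the protected route
    never looks at the MFA flag, so /2fa can simply be skipped."""

    def login(self, session, user, pw):
        if not password_ok(user, pw):
            return "401"
        session["user"] = user            # BUG: authenticated before the second factor
        return "redirect:/2fa"

    def second_factor(self, session, code, now):
        user = session.get("user")
        if user and totp_ok(USERS[user]["totp_secret"], code, now):
            session["mfa"] = True
        return "redirect:/admin"

    def admin(self, session):
        return "200 admin" if "user" in session else "403"   # BUG: mfa ignored

class HardenedApp:
    """Password success yields only a pending identity; the principal is set
    inside the TOTP check, and the protected route requires both."""

    def login(self, session, user, pw):
        if not password_ok(user, pw):
            return "401"
        session.clear()                   # fresh session: no fixation carry-over
        session["pending_user"] = user
        return "redirect:/2fa"

    def second_factor(self, session, code, now):
        user = session.pop("pending_user", None)   # one attempt per login
        if user is None or not totp_ok(USERS[user]["totp_secret"], code, now):
            return "401"
        session.clear()
        session["user"], session["mfa"] = user, True
        return "redirect:/admin"

    def admin(self, session):
        return "200 admin" if session.get("mfa") and session.get("user") else "403"

def skip_second_factor(app, now=59):
    """Attacker with a valid password requests /admin without ever posting a code."""
    session = {}
    app.login(session, "admin", "correct horse")
    return app.admin(session)

def full_flow(app, code, now=59):
    """Legitimate order: /login, /2fa, /admin."""
    session = {}
    app.login(session, "admin", "correct horse")
    app.second_factor(session, code, now)
    return app.admin(session)

if __name__ == "__main__":
    print("vulnerable, no code :", skip_second_factor(VulnerableApp()))   # 200 admin
    print("hardened,  no code  :", skip_second_factor(HardenedApp()))     # 403
    print("hardened,  good code:", full_flow(HardenedApp(), totp(USERS["admin"]["totp_secret"], 59)))
```

`skip_second_factor` is the attacker's path: a stolen or guessed password, then a direct request to the protected route. The vulnerable app answers 200 because `login` set the principal on password success alone and `admin` never consults the MFA flag; the hardened app holds only a `pending_user` until `second_factor` passes, clears the session at each privilege change, and requires both `user` and `mfa` on the protected route. Whatever second factor the product uses, that server-side ordering is the property to test on every privileged endpoint.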
| Item | Detail |
|---|---|
| Disclosure date | 2026-05-11 |
| Affected category | Open-source web admin tool |
| Bypassed defense | Two-factor authentication (2FA) |
| Suspected model | OpenClaw family (open-weights LLM) |
| Suspected actor | Eastern European cyber-crime crew |
| Patch status | Shipped quietly before 2026-05-11 |
| Campaign status | Disrupted before live |
| Big-lab models (Gemini/Mythos) | Confirmed not used |
Who wins, who loses
Google. Big winner. First, threat-intel differentiation: GTIG broke the first "AI-weaponized" case before any peer. That feeds Google Cloud security revenue, the Mandiant brand, and policy influence in DC and Brussels. Second, Gemini differentiation: "our model wasn't used" is a marketing line that will appear in every safety scorecard for the next 12 months. Third, revenue: Google Cloud security is guided to $12B in 2026 — this case is the strongest piece of marketing collateral the unit could ask for.
Anthropic. "Mythos was not used" is implicit validation. Mythos shipped in April with a deliberate split: it can find vulnerabilities but refuses to write exploit code. This report externally validates that boundary. The bigger Anthropic question is policy — how do you regulate the open-weights ecosystem when the bad outputs come from someone else's fine-tune?
Open-source LLM camp (Llama, Mistral, Qwen). Biggest political loser. Meta, Mistral, and Alibaba have been the loudest voices for open-weights releases. The OpenClaw case will be Exhibit A in every upcoming regulatory debate framing "open-weights = cyber weapon proliferation." Particularly painful with the EU AI Act enforcement powers triggering in August 2026 — this incident will directly shape how GPAI obligations get scoped.
Enterprise CISOs. Mixed. Good news: a real, named case unlocks budget. Bad news: patch windows just got shorter. The 30-day standard is dead — when AI can build an exploit in days from a CVE disclosure, the patch window has to compress to match. Demand for automated SBOM, component tracking, and zero-touch patch systems is about to spike.
Security vendors (CrowdStrike, Wiz, Snyk, Mandiant). Revenue tailwind. A freshly generated exploit for a zero-day has no signature yet, so signature-based detection is late by construction; behavioral analytics and LLM-aware detection become a new category. CrowdStrike's May 13 earnings call is a key tell: listen for AI-threat-detection revenue mentions.
End users. Short-term impact is limited, but long-term the bar for "security by default" in SaaS just moved up. The assumption "I have 2FA, I'm safe" is gone. Expect rapid passkey, hardware key, and continuous-risk-assessment rollouts across consumer SaaS.
Past patterns — what worked, what didn't
Pattern 1: Log4Shell (2021). A single open-source library vulnerability exposed roughly 30% of the public-facing web in days. The difference: humans found Log4Shell and automation followed. With OpenClaw, the LLM found patterns no human had publicly disclosed. The similarity: once it goes live, propagation speed is brutal. If GTIG hadn't pre-empted it, this could have been a Log4Shell-class incident.
Pattern 2: XZ Utils backdoor (2024). A two-year social-engineering operation to gain maintainer privileges and plant a backdoor. Patient social engineering vs. fast machine automation — the field is now squeezed from both sides.
Worked: Google's own defender AI in 2024. Google's Big Sleep effort (Project Zero working with DeepMind) used an LLM agent to surface 0-days in SQLite, LibreOffice, and Chrome before adversaries did, starting with an exploitable SQLite bug caught before it reached a release in late 2024. Defender AI ahead of attacker AI is possible given big-lab resources and aligned models. Scaling that to solo open-source maintainers is the open problem of the next 18 months.
Failed: EternalBlue → WannaCry (2017). An NSA-developed Windows SMB exploit leaked in April 2017 and became WannaCry within a month, hitting more than 200,000 machines across some 150 countries. Microsoft had shipped the fix (MS17-010) in March, a month before the leak. The lesson: patches alone don't help if rollout is slow. With OpenClaw, GTIG's quiet patch only matters if the long tail of unpatched instances on the public internet shrinks fast.
Counter-plays — how the rest will respond
Anthropic. Lean harder into Mythos's "find it, don't exploit it" stance. Push Constitutional Classifier extensions specifically tuned for offensive security scenarios and fine-tune resistance. Combined with the May 7 SpaceX Colossus 1 compute deal, expect Mythos capacity to scale and EU/US government channels to get priority access.
OpenAI. Announced GPT-5.5-Cyber with EU access on May 11 — same day as the GTIG report. Not a coincidence. OpenAI is positioning to not lose the cyber-security model market to Anthropic Mythos, locking in EU, US, and UK government channels first. OpenAI is staying quiet on direct comments about the case itself.
Google DeepMind. No standalone cyber SKU yet, but expect Gemini for Security to debut at Google I/O 2026 on May 19. GTIG's data plus Gemini = a credible bundle. Cloud revenue alignment makes a separate security SKU only a question of timing.
Open-source LLM camp (Meta, Mistral, Alibaba, Qwen). Hardest position. Need to (1) preserve open-weights releases while researching fine-tune-resistant guardrails, (2) publicly score well on cybersecurity safety evals, and (3) keep the "open-weights = lifeblood of academia and SMBs" narrative alive in policy debates. As of May 13, Meta's only comment was "we are unaffiliated with the OpenClaw model"; Mistral and Alibaba are silent.
Security vendor counter. CrowdStrike Falcon is splitting LLM exploit-pattern detection into a separate module; Wiz is teasing an "AI-built exploit signature" database; Snyk is adding LLM-variant detection to dependency scanning. A new category — AI-Threat Detection — is plausibly a separate analyst-coverage line within 12 months.
So what changes — by persona
CISOs and security leaders. First, patch windows compress to 7–14 days as standard. Second, accelerate passkey + hardware-key migration off SMS/TOTP 2FA. Third, budget a "red-team automation" line for LLM-based code review of your own codebase. The 2026 security budget will likely carve out a separate line for "AI threat detection."
Open-source maintainers. Solo-maintainer projects are most exposed. (1) Lean on GitHub's automated SBOM export and Dependabot CVE alerts; (2) run LLM-aware code-audit tools (CodeQL is free for public repositories; SonarQube offers AI-assisted variants); (3) adopt Sigstore signing and SLSA provenance for releases.
Enterprise dev teams. Validate AI-coding-assistant output more aggressively. Add OWASP Top 10 and OWASP Top 10 for LLM Applications checks to PR gates. Automate dependency patching: Renovate can automerge patch-level and vulnerability-alert updates natively, and Dependabot PRs can be auto-merged with a small GitHub Actions workflow.
Founders and startups. "Security certification" becomes a sales asset. SOC2 Type II + ISO 27001 + the forthcoming "AI Threat Resilience" cert (no formal standard yet, but expected within 12 months) is a differentiator in enterprise deals. Don't ship products built directly on raw open-weights LLMs — pair with an aligned big-lab model and your own guardrails.
Investors. Re-rate cybersecurity multiples. CrowdStrike, Wiz, Snyk, Palo Alto Networks — listen for AI-threat-detection revenue contribution in Q2 calls. Expect new funding rounds in AI-threat-intel startups (Ox Security, Apex Security, Lakera).
Regulators. Most consequential decision: how the EU AI Act, due to start enforcement in August 2026, scopes GPAI obligations for open-weights models. CISA and NIST in the US are likely to publish "AI threat detection" standards within 12 months. Korea's MSIT and KISA expect to release a first-pass "AI cybersecurity guideline" in H2 2026.
End users. Concrete actions: (1) use a password manager and turn on passkeys wherever a service offers them, (2) add a hardware key (YubiKey or equivalent) on the accounts that matter most, (3) treat SMS codes as the weakest option and move off them first. And be more skeptical of "open source = automatically safe." That assumption no longer holds.
References
- CNBC, "Google thwarts effort by hacker group to use AI for 'mass exploitation event'"
- TechCrier, "Google Uncovers First AI-Generated Zero-Day Exploit"
- The Register, "Google says criminals used AI-built zero-day in planned mass hack spree"
- Google Cloud, Threat Intelligence Group resources
- spoonai (2026-04-23), "Anthropic Glasswing: Mythos zero-days"
