According to Google Threat Intelligence Group (GTIG), in a report shared with The Hacker News, an unknown threat actor likely developed a zero‑day exploit with an artificial intelligence system to enable a mass vulnerability exploitation operation, marking the first such use in the wild for vulnerability discovery and exploit generation.
Google disclosed that the activity involved a zero‑day vulnerability, exploited through a Python script, that enables bypassing two‑factor authentication on a popular open‑source, web‑based system administration tool. GTIG noted that the threat actors appear to have collaborated to plan the operation.
The tool’s name was not disclosed. GTIG said it did not find evidence that Google’s Gemini AI was used, though it assessed with high confidence that an AI model was used to discover and weaponise the flaw, citing features typical of LLM‑generated code such as an abundance of educational docstrings and a structured Pythonic format.
The researchers highlighted that the bypass requires valid user credentials for exploitation and results from a high‑level semantic logic flaw arising from a hard‑coded trust assumption. Google said it worked with the impacted vendor to disclose the flaw responsibly and disrupt the activity.