Hackers Used AI to Build a Zero-Day and Google Caught Them

The Line Just Got Crossed

We’ve been talking about this for years. Could AI write actual exploits? Not toy demos, not CTF puzzles — real zero-days aimed at real systems. On May 11, Google’s Threat Intelligence Group answered that question with a flat yes.

GTIG identified a criminal threat actor using an AI-generated zero-day exploit designed to bypass two-factor authentication in a widely deployed open-source web admin tool. Not a proof of concept. Not a research paper. A weapon, built for mass exploitation.

What the Exploit Actually Does

The target was a logic flaw in an authentication flow — the kind of bug that exists because some developer hard-coded a trust exception into the 2FA check. The AI-generated Python script exploited that gap to sidestep two-factor entirely, giving attackers full access to admin panels that were supposed to be locked down.

GTIG researchers flagged it because the code had all the hallmarks of AI output. Clean ANSI color classes. Organized educational prompts. A fabricated CVSS severity score baked right into the script. Detailed help menus that no criminal hacker would bother writing by hand. The code was polished in a way that screamed “generated, not written.”

Why This Matters More Than You Think

This isn’t about one exploit. This is about velocity.

Before AI, finding a zero-day meant weeks or months of manual reverse engineering, fuzzing, and code review. Now a threat actor can point an LLM at a codebase and ask it to find authentication bypasses. The exploit Google caught was targeting a single tool. APT45 — a North Korean crew — was already using AI to churn through thousands of exploit checks in bulk. Chinese state-linked operators were running automated probing campaigns powered by AI systems.

The barrier to entry for zero-day development just collapsed. You don’t need a team of elite hackers anymore. You need a subscription and a prompt.

The Vibe Coding Connection

Here’s the part nobody wants to say out loud: the AI tools that vibe coders use to ship apps in a weekend are the same tools criminals are using to find and exploit vulnerabilities in those apps.

Georgia Tech’s Vibe Security Radar tracked 35 CVEs in a single month directly attributable to AI coding tools. Veracode found that 45% of AI-generated code samples introduce OWASP Top 10 vulnerabilities. So you’ve got one side of the market using AI to mass-produce vulnerable code, and the other side using AI to mass-produce exploits for that code.

It’s a perfect feedback loop of insecurity, and we built it ourselves.

Google Stopped This One. Who Stops the Next?

Credit where it’s due — GTIG caught this before the campaign could scale. They coordinated with the vendor, got the patch shipped quietly, and likely disrupted the operation before it hit critical mass.

But that’s one team catching one exploit. The economics here are brutal. Defenders have to catch every AI-generated exploit. Attackers only need one to land. And the cost of generating the next attempt just dropped to basically zero.

What You Should Actually Do

If you’re running self-hosted admin tools — and a lot of vibe-coded deployments are stitched together with exactly this kind of open-source tooling — go audit your 2FA implementation right now. Not the “do we have 2FA enabled” check. The “did someone hard-code a bypass or trust exception into the auth flow” check.

Because that’s what got exploited here. Not a missing feature. A shortcut someone took and forgot about. And now AI is very, very good at finding shortcuts.
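One way to run that audit as a regression test, added here as an illustration and not taken from the affected tool or from GTIG's report: call the login path with every combination of request context and an invalid second factor, and report any combination that still succeeds. The function names, the `x_internal` flag, the address list and the OTP values are all constructed assumptions.

```python
import hmac
from itertools import product

# Constructed example of the bug class; not the flaw GTIG reported.
TRUSTED_PREFIXES = ("10.0.0.",)  # hypothetical shortcut left in the auth flow


def login_with_exception(password_ok, otp, expected_otp, ctx):
    """'Before' form: a hard-coded trust exception skips the second factor."""
    if not password_ok:
        return False
    if ctx["remote_addr"].startswith(TRUSTED_PREFIXES) or ctx.get("x_internal") == "1":
        return True  # second factor never evaluated on this path
    return otp is not None and hmac.compare_digest(otp, expected_otp)


def login_strict(password_ok, otp, expected_otp, ctx):
    """Hardened form: no request attribute can replace a valid OTP."""
    if not password_ok or otp is None:
        return False
    return hmac.compare_digest(otp, expected_otp)


def audit_second_factor(login_fn):
    """Return every context in which login succeeds WITHOUT a valid OTP."""
    addrs = ["203.0.113.7", "10.0.0.5", "127.0.0.1"]   # constructed inputs
    internal_flags = [None, "0", "1"]
    invalid_otps = [None, "", "000000"]
    findings = []
    for addr, flag, otp in product(addrs, internal_flags, invalid_otps):
        ctx = {"remote_addr": addr, "x_internal": flag}
        if login_fn(True, otp, "492817", ctx):
            findings.append((addr, flag, otp))
    return findings


if __name__ == "__main__":
    for name, fn in [("with exception", login_with_exception),
                     ("strict", login_strict)]:
        hits = audit_second_factor(fn)
        print(f"{name}: {len(hits)} context(s) pass without a valid OTP")
        for hit in hits:
            print("   ", hit)
```

In a real codebase the context matrix should cover every input the auth flow reads (headers, source address, session flags, configuration toggles), and the test should fail the build when the findings list is non-empty.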

The age of AI-generated exploits isn’t coming. It arrived on May 11, 2026, and it came with color-coded help menus.