Google has disclosed one of the most alarming cybersecurity developments of the year, confirming that its Threat Intelligence Group intercepted and likely prevented the first recorded use of an AI-generated zero-day exploit in a planned mass cyberattack. The incident marks a significant escalation in the ongoing arms race between cybersecurity defenders and criminal hackers.

Google's Threat Intelligence Group stated in a report published on 12 May 2026 that it has "high confidence" that a criminal threat actor used an artificial intelligence model to discover and weaponise a previously unknown software vulnerability, specifically a zero-day flaw in a Python script that enables users to bypass two-factor authentication on a widely used open-source web-based system administration tool.


What Happened

The threat actor identified the vulnerability using AI and developed an exploit to take advantage of it, with the intention of deploying it in what Google described as a "mass exploitation event." The attack was intercepted before it could be executed. Upon discovering the zero-day, Google's team worked with the affected vendor to responsibly disclose the vulnerability and disrupt the threat activity before widespread damage could occur.

Google clarified that its own Gemini AI model was not used by the attackers. The tool employed was identified as OpenClaw, an AI model available in cybercrime circles.

Why This Matters

Zero-day vulnerabilities are software flaws unknown to the developer at the time of exploitation, meaning there is no patch available and defenders have no warning. Historically, discovering and weaponising such vulnerabilities has required significant technical expertise and time. The use of AI to automate that process fundamentally changes the threat landscape.

John Hultquist, chief analyst at Google Threat Intelligence Group, described the findings as likely representing only the "tip of the iceberg" in terms of how criminals and state-sponsored actors are integrating AI into their offensive operations. As AI coding capabilities advance, the barrier to launching sophisticated cyberattacks is dropping sharply, compressing the time between vulnerability discovery and exploitation in ways that existing security frameworks were not designed to handle.

For organisations across Africa and globally that rely on open-source tools and two-factor authentication as a primary security layer, the incident is a stark reminder that no defence is permanent and that the threat intelligence landscape is evolving faster than ever before.