On May 11, 2026, Google Threat Intelligence Group published a report that did something quieter than the headlines made it sound. It did not announce that AI had written malware. AI has been writing malware for two years. It announced that AI had found something nobody knew was broken, and that the people preparing to weaponize it got caught because the model wrote like a student.
The target was a popular open-source web-based system administration tool, unnamed in Google's primary blog. A Python flaw in that tool could let an attacker pass the two-factor login check with valid credentials. Multiple cybercrime groups were partnering on a mass exploitation campaign. Google notified the vendor, a patch shipped, and the operation was disrupted before it scaled.
That is the best outcome inside a single incident. It is also the part of the story that ages fastest.
How researchers recognized the code
Stylometry gave the exploit away. Google's analysts noted educational docstrings inside the script, a hallucinated CVSS score, and a structured, textbook-Pythonic layout. None of those details belong in a tool designed to be deployed quietly against a production server. They belong in a tutorial.
Google's primary blog says the patterns were characteristic of language model training data. The company explicitly ruled out Gemini. The Register reports it also ruled out Anthropic's Mythos. The takeaway is not that a particular AI was implicated. The takeaway is that the artifact was identifiable as machine-written without anyone needing to prove provenance.
That identification is stylometric, not forensic. It tells you something was probably written by an LLM. It does not tell you which one, where, or when.
What is new here, and what is not
Defensive AI has been finding unknown vulnerabilities for over a year. In October 2024, Google Project Zero's Big Sleep agent reported the first real-world zero-day discovered by an LLM, a memory-safety flaw in SQLite. XBOW, an autonomous penetration-testing startup, submitted close to 1,060 vulnerabilities to HackerOne in 2025 and briefly topped its US leaderboard. The infrastructure for AI to surface novel flaws already exists on the defender's side.
What is new in Google's May 11 report is that an attacker got there first. The flaw was unknown, the campaign was already being organized, and the artifact was an LLM-shaped fingerprint on the wrong side of the line. That is the threshold this story actually crosses. Not "AI can write code." Not "AI can find bugs." It is that AI helped attackers find a flaw before the vendor knew about it, and the patch shipped after the criminals had it.
The pattern other vendors are seeing
Google's report is the first incident report of its specific kind, but the shape has been visible for a while. The same May 11 blog notes that North Korea's APT45 is feeding LLMs thousands of repetitive prompts to validate proof-of-concept exploits against catalogued CVEs. That is a different motion: using AI to verify known flaws rather than discover new ones. It still moves the attacker's timeline.
In November 2025, Anthropic separately disclosed an intrusion campaign it attributed to a Chinese state-sponsored group it called GTG-1002, which it said executed an attack "without substantial human intervention." That framing was promptly contested by independent security researchers and reporters, partly because Anthropic published no indicators of compromise. Anthropic's separate Mythos model, hyped earlier in 2026 as capable of finding thousands of zero-days, also softened on closer reading. The proof Anthropic has put forward so far is not as load-bearing as the framing suggests.
The relevant point is not that any single vendor's narrative is bulletproof. It is that several vendors, working from different evidence pools, are describing the same category of behavior. The category is real. The body count is still uncertain.
The forensic trail will not always be there
John Hultquist, chief analyst at Google Threat Intelligence Group, told Axios the part of this report that should worry the industry most: "For every zero-day we can trace back to AI, there are probably many more out there."
He is not making a metaphysical point. He is making an investigative one. The reason Google caught this code is that the model that wrote it wrote it badly. The docstrings were too helpful. The severity field was made up. The formatting looked like a Stack Overflow answer. None of those tells are intrinsic to AI-generated code. They are tells of a particular generation of models writing without careful prompting.
The next AI-developed exploit might pass through one extra round of human cleanup before it ships. Or it might be written by a model trained to suppress those exact patterns. The fingerprint Google read this week is the fingerprint of an attacker who was not trying very hard to hide.
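The tells listed in the two sections above (educational docstrings, a CVSS score embedded in the artifact, textbook formatting) can be turned into a triage heuristic that ranks captured scripts for analyst review. The following is an added example and not Google's tooling or method: the phrase list, the weights and both sample scripts are constructed here, and the point is to show what a stylometric indicator is and is not. It flags that a CVSS figure is present; whether that figure is hallucinated still has to be checked against the advisory by a human, which is exactly the limit the article describes.

```python
"""Heuristic stylometry triage for suspected LLM-written Python artifacts.

Added example, not Google's tooling: scores a Python source file on the
kinds of tells the article describes so an analyst can rank samples for
review. Phrases, weights and sample snippets below are all constructed.
"""
import ast
import re
from dataclasses import dataclass, field

# Phrases typical of tutorial-style docstrings (constructed list, not exhaustive).
EDUCATIONAL_PHRASES = (
    "this function", "this script", "example usage", "args:", "returns:",
    "raises:", "for educational", "demonstrates", "note:",
)
# Any CVSS mention deserves a look: a tool aimed at a server has no reason to
# carry a severity rating, and the number itself cannot be trusted as written.
CVSS_RE = re.compile(r"CVSS[^0-9\n]{0,20}(\d{1,2}(?:\.\d)?)", re.IGNORECASE)


@dataclass
class StylometryReport:
    score: float
    indicators: list = field(default_factory=list)


def _docstrings(tree: ast.AST):
    """Yield every module, class and function docstring in the tree."""
    for node in ast.walk(tree):
        if isinstance(node, (ast.Module, ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)):
            doc = ast.get_docstring(node)
            if doc:
                yield doc


def analyze(source: str) -> StylometryReport:
    """Return a score (higher = more tutorial-like) and the indicators that fired."""
    report = StylometryReport(score=0.0)
    try:
        tree = ast.parse(source)
    except SyntaxError:
        report.indicators.append("unparseable: not scored")
        return report

    docs = list(_docstrings(tree))
    funcs = [n for n in ast.walk(tree) if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]

    # 1. Educational docstrings: each docstring that contains a tutorial phrase.
    edu = sum(1 for d in docs if any(p in d.lower() for p in EDUCATIONAL_PHRASES))
    if edu:
        report.score += 2.0 * edu
        report.indicators.append(f"educational docstrings: {edu}")

    # 2. Severity metadata that has no business in an operational script.
    for m in CVSS_RE.finditer(source):
        report.score += 3.0
        report.indicators.append(f"CVSS score present: {m.group(1)} (verify against the advisory)")

    # 3. Textbook formatting: full type annotations and a __main__ guard.
    if funcs:
        annotated = sum(
            1 for f in funcs
            if f.returns is not None and all(a.annotation is not None for a in f.args.args)
        )
        if annotated == len(funcs):
            report.score += 1.5
            report.indicators.append("all functions fully type-annotated")
    if 'if __name__ == "__main__"' in source or "if __name__ == '__main__'" in source:
        report.score += 0.5
        report.indicators.append("__main__ guard")
    return report


def rank(samples: dict) -> list:
    """Order sample names by descending score so the most tutorial-like is reviewed first."""
    return sorted(samples, key=lambda name: analyze(samples[name]).score, reverse=True)


# Constructed samples: a tutorial-style helper and a terse one with the same logic.
TEXTBOOK_SAMPLE = '''\
"""
Log rotation helper.

This script demonstrates how a log file is rotated.
CVSS Score: 9.8 (Critical)
"""

def should_rotate(size_bytes: int, limit: int) -> bool:
    """Decide whether the log is due for rotation.

    Args:
        size_bytes: current file size.
        limit: maximum allowed size.
    Returns:
        True when the file exceeds the limit.
    """
    return size_bytes > limit


if __name__ == "__main__":
    print(should_rotate(2048, 1024))
'''

TERSE_SAMPLE = '''\
import sys
def r(s,l):
    return s>l
print(r(int(sys.argv[1]),int(sys.argv[2])))
'''

if __name__ == "__main__":
    for name in rank({"textbook": TEXTBOOK_SAMPLE, "terse": TERSE_SAMPLE}):
        rep = analyze({"textbook": TEXTBOOK_SAMPLE, "terse": TERSE_SAMPLE}[name])
        print(f"{name}: score={rep.score} indicators={rep.indicators}")
```

The heuristic scores presentation, not provenance: a terse script scores zero even if a model wrote it, and a hand-written tutorial scores high. That is the same limitation the article attributes to Google's identification, which is why the output is a ranking for an analyst rather than a verdict.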
Why it matters
For two decades, the cybersecurity industry's hardest job has been patching what is known. The new hardest job is identifying what is not.
A patched zero-day is, in a sense, a solved zero-day. The unsolved problem this report opens is different: when a flaw is discovered, defenders have to decide whether to assume a human found it or a model did. Those two assumptions have different implications for how many similar flaws exist, how quickly the attacker can iterate, and whether the discovery method itself is scaling. Treating every newly disclosed vulnerability as if it might be the output of an unattended process changes resource allocation, threat modeling, and the timeline on which a patch must ship.
The defensive AI infrastructure that finds these flaws already exists. So does the offensive one. The asymmetry, for now, is who reads the discovery first before disclosure forces the question.
If the way Google identified this attack is that the AI wrote conspicuously, what happens the first time it does not?
Originally published as an Instagram carousel on @recul.ai.