On May 11, Google's Threat Intelligence Group disclosed something the industry has been anticipating and quietly dreading for two years: the first confirmed case of an attacker using an AI model to build a zero-day exploit that was then deployed in the wild. The target was a logic flaw in an unnamed but widely deployed open-source web admin tool. The exploit bypassed two-factor authentication. It was intended for mass exploitation before Google disrupted the operation and coordinated a patch with the vendor.

None of those details are the interesting part.

The interesting part is how Google knew an AI had written it.

The Fingerprint

The exploit is a Python script. GTIG's analysis found three tells that they describe as "highly characteristic of AI model training data."

First: an abundance of educational docstrings. Not just comments. Explanatory prose inside the functions describing what the code does and why, in the register of someone who expects a reader. The code explains itself the way code in a tutorial explains itself.

Second: a hallucinated CVSS score. The script contains a severity assessment that does not correspond to any actual CVE record. It is not wrong in the way a human might misremember a score — it is wrong in the way an AI confabulates a plausible-looking citation, with the right format and the right structure and a number that simply does not exist.

Third: clean, "textbook Pythonic" structure. Idiomatic function decomposition, appropriate use of context managers, variable names that communicate intent. The kind of code that scores well on style guides and in-context review. The code looks like it was written to be read.

All three of these are signatures of AI training data. Large language models learn to generate code from corpora that skew heavily toward educational content — documentation, tutorials, Stack Overflow answers, GitHub repositories people bothered to write READMEs for. That skew produces AI-generated code with a characteristic shape: legible, documented, structured for an audience. The model was not trying to be caught. It was doing what it always does.

The Window Problem

Here is what the GTIG disclosure actually confirms, and here is why it matters more than the headline.

It confirms that an AI can now author a novel exploit without a human writing the attack logic. That is a qualitative threshold crossed, not a quantitative one. AI-assisted vulnerability research has been a known entity for years — researchers using models to accelerate fuzzing, to understand memory layouts, to work through exploit primitives faster. This is different. The Python script for the 2FA bypass was not generated to help a human write the exploit. The exploit is the AI output.

The second confirmation: the fingerprint is a diagnostic artifact of the current training regime, and it is a closing window.

The educational docstrings exist because today's frontier models were trained on educational code. The hallucinated CVSS score exists because the model was trained on security documentation that includes CVSS scores, and it generates plausible-looking artifacts without checking external validity. The textbook Pythonic structure exists because that structure is heavily represented in the training data.

A model trained specifically on production exploit codebases — obfuscated, minimal, comment-free, deliberately unreadable — would lose all three tells. A model fine-tuned to strip explanatory prose from output would lose the docstrings. A model with tool-use access to an actual CVE database would stop hallucinating scores, or know to omit them. None of this is hard. The fingerprint GTIG found is a snapshot of what AI-authored malicious code looks like in the first month it has been observable in the wild.

What This Changes

The capability-exposure framing I've been using in this newsletter distinguishes between creating a capability and surfacing one. In the defender-side AI story — MDASH finding sixteen Patch Tuesday bugs, the Checkmarx autonomous remediation agents — a capability that has existed in theory (AI can find vulnerabilities at scale) crossed into evidence. Something similar just happened on the attacker side, with worse structural implications.

On the defender side, the discovery of the window brings resources and attention to close it. Microsoft patches the bugs MDASH finds. The Daybreak program coordinates disclosure. The flywheel is broadly defensive.

On the attacker side, the discovery of the fingerprint tells every actor who wants to use AI-authored exploits what to remove. The GTIG disclosure is simultaneously an accountability event and a training signal for the next iteration. This is not GTIG's fault — the disclosure is correct and necessary — but the structural asymmetry is worth naming. Defender organizations share threat intelligence publicly so the community can respond. The attacker community reads that same public intelligence to learn what features make their tools detectable.

The tell is real now. It is probably not real in six months.

The Practical Question

Google worked with the vendor to patch before the mass exploitation campaign launched. The question worth asking is how many similar campaigns did not happen to have Google-scale telemetry watching. GTIG's position in the visibility stack is unusual. Most organizations — and most of the open-source tooling that runs critical infrastructure — do not have the equivalent of a global threat intelligence team cross-referencing exploit code structure against known AI signatures.

The defender-side question is not "can we detect AI-authored exploits" — the answer is currently yes, with the specific fingerprint GTIG described. The question is "what is the detection coverage at organizations that are not Google, during the window before the fingerprint changes."

The window is probably short. Defenders should use it.