Google blocks first AI-generated zero-day exploit
In May 2026, the Google Threat Intelligence Group (GTIG) announced that it had blocked the first zero-day exploit developed with the help of artificial intelligence. The exploit targeted an open-source web administration tool and aimed to bypass two-factor authentication at scale.
This episode marks a structural shift in the digital threat landscape. Criminal actors are adopting language models to speed up the writing of malicious code, while the same tools are already in use on the defensive side. Google researchers identified the AI's footprint in the exploit by spotting anomalies typical of LLM output: a hallucinated CVSS score and overly structured formatting.
In short, Italian SMEs can no longer treat cybersecurity as a topic reserved for large corporations. At SHM Studio we constantly monitor the evolution of digital risk to help our client companies build a secure and resilient online presence, and understanding this shift is the first step toward adopting adequate countermeasures.
What has changed: AI enters the offensive arsenal
Until a few months ago, artificial intelligence in cybersecurity was mainly associated with defence. A report published by The Verge in May 2026 overturned this perspective: Google Threat Intelligence Group (GTIG) stated that it had identified and neutralised the first zero-day exploit developed with the support of a large language model.
The exploit targeted an open-source web administration tool that has not yet been publicly identified. Its objective was to bypass two-factor authentication in a mass exploitation event, that is, an attack designed to hit a large number of vulnerable instances at the same time.
This episode is therefore not an isolated case to be filed away. It is a signal of discontinuity that deserves in-depth analysis, particularly for Italian SMEs managing exposed web infrastructure.
How researchers recognized the AI's signature
The GTIG team identified the AI footprint by analysing the Python script used for the exploit. Two elements caught the analysts' attention.
- A hallucinated CVSS score: the severity score attached to the vulnerability was fabricated, with an apparent precision that did not hold up to verification. This is typical LLM behaviour when the model is asked about technical data it cannot check.
- Textbook formatting: the code and its comments were excessively tidy, consistent with the output patterns of language models trained on standardised technical documentation.
So the AI did not write the exploit on its own. It accelerated and structured the work of actors who were already competent. The distinction matters because it lowers the entry barrier for anyone who wants to conduct sophisticated attacks.
Additionally, as highlighted by MIT Technology Review, the democratization of AI tools is reducing the technical gap between expert cybercriminals and less skilled actors.
The immediate impact on the digital threat landscape
This episode has direct implications on three levels. First, it changes the speed at which exploits are produced: a malicious actor can now delegate the code prototyping phase to an AI model, shortening development time.
Second, it changes the risk profile of open-source technologies. Web administration tools, CMSs, frameworks and plugins are prime targets precisely because they are widely adopted, so a vulnerability exploited with AI assistance can rapidly scale across thousands of installations.
Finally, it changes the defensive model. Solutions based only on signatures and periodic updates are no longer sufficient. According to Gartner, global spending on cybersecurity keeps growing, but the speed at which defences adapt struggles to keep pace with the speed of attacks.
What to do now: the risk perimeter of Italian SMEs
Italian SMEs often operate with limited IT resources. That does not make them secondary targets; on the contrary, their lower response capacity makes them attractive to automated, scalable attacks.
In particular, companies using open-source tools to run their website, CRM or e-commerce should consider the following priority actions.
- Software dependency audit: verify which open-source tools are active in the infrastructure and whether they are updated to the latest stable version.
- Authentication strategy review: the exploit in question aimed to bypass 2FA, so it is worth evaluating more robust authentication options such as hardware security keys or passwordless systems.
- Continuous monitoring: implement threat monitoring that analyses anomalous behaviour in real time, not only at scheduled intervals.
- Staff training: many attacks begin with human error, so updating the team's awareness of new threat types is a low-cost, high-impact measure.
At SHM Studio we support SMEs in building secure digital architectures, starting from
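The article does not describe how the exploit defeated 2FA, so nothing below is a signature for it. As an added example (not code from the page or from GTIG) of the "continuous monitoring" point above, this rule looks for the generic shape a mass exploitation campaign has from a single target's point of view: one source address driving 2FA verification attempts against many accounts, or failing many times, inside a short sliding window. The log format, field names, endpoint name and thresholds are assumptions for the demonstration, and the log lines are constructed.

```python
"""Flag 2FA-verification spraying in application logs (sliding window).

Added example. Assumed log format (one event per line):
    <ISO-8601 UTC timestamp> ip=<addr> user=<name> event=<name> result=<ok|fail|sent>
Thresholds are illustrative, not tuned values.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)

WINDOW_S = 60          # sliding window length in seconds (assumption)
MAX_USERS_PER_IP = 5   # distinct accounts per source within the window (assumption)
MAX_FAILS_PER_IP = 10  # failed verifications per source within the window (assumption)


def parse(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect(lines):
    """Stream time-ordered log lines and return one alert per (ip, reason)
    the first time that threshold is crossed."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user, result) in window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["event"] != "2fa_verify":
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["user"], rec["result"]))
        # Evict events older than the window relative to the newest one.
        while (rec["ts"] - q[0][0]).total_seconds() > WINDOW_S:
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, r in q if r == "fail")
        checks = (("many_accounts", len(users) >= MAX_USERS_PER_IP),
                  ("many_failures", fails >= MAX_FAILS_PER_IP))
        for reason, hit in checks:
            key = (rec["ip"], reason)
            if hit and key not in alerted:
                alerted.add(key)
                alerts.append({"ip": rec["ip"], "reason": reason,
                               "at": rec["ts"].isoformat(),
                               "users": len(users), "fails": fails})
    return alerts


# Constructed sample: one legitimate login, then a single source spraying
# 2FA verification across a dozen accounts within one minute.
SAMPLE_LOG = [
    "2026-05-12T10:00:01Z ip=198.51.100.7 user=alice event=2fa_challenge result=sent",
    "2026-05-12T10:00:09Z ip=198.51.100.7 user=alice event=2fa_verify result=ok",
] + [
    f"2026-05-12T10:01:{i:02d}Z ip=203.0.113.5 user=user{i:03d} event=2fa_verify result=fail"
    for i in range(12)
] + [
    "2026-05-12T10:01:12Z ip=203.0.113.5 user=user003 event=2fa_verify result=ok",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rule alerts once per source and reason rather than on every event, which keeps a spray from flooding the alert queue; the window eviction is driven by the newest event's timestamp, so it works on replayed historical logs as well as on a live tail. A distributed attack that rotates source addresses would need the same counters keyed on something other than the IP, for example the target account.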