The First AI-Built Zero-Day Left a Smoking Gun: Its Own Code
Generative models write code in clusters of similar style. That consistency is what gave away the first zero day believed to be developed with AI.
An exploit that Google attributes to AI-assisted development appears to have been stopped before it could power a planned mass-hack spree, and what gave it away was the code itself, which read like it was written by a machine. Google's Threat Intelligence Group (GTIG) has identified what it calls the first zero-day believed to be developed with generative AI help. The exploit was identified ahead of a planned mass-exploitation event against multiple victims and disrupted through proactive discovery rather than post-incident response.
The forensic detail is where the story earns its keep. The "smoking gun" is not a metaphor. AI-generated code carries stylistic and structural patterns that rarely appear in hand-written exploits: comment styles, variable naming, function scaffolding, and even debug-style artifacts that reflect a model's training distribution. A defender who knows those patterns can read them the way a literary scholar reads a ghostwritten novel, not by catching the writer in the act but by matching the prose to the corpus it came from.
That mechanism is the load-bearing claim. The same capability that scales the attack also scales to attribution, because generative models are consistent in ways human developers are not. A seasoned exploit author refactors and personalizes a toolset over months or years. A model produces output in clusters of similar style, because the same weights generate it. The consistency is the tell. The capability that industrialized the exploit is the same capability that lets an analyst cluster it back to a generative origin.
The discovery is attributed to Google's Threat Intelligence Group, using combined Mandiant incident response, Gemini telemetry, and proactive research. GTIG's post uses careful language, saying the team "believes" the exploit was developed with AI and resting the case on code-pattern analysis rather than a captured prompt. That hedge matters. So does the underlying fact that the signals were strong enough for a major threat intelligence team to publish a public attribution on them in a post that also documents disruption of the planned campaign.
Three independent outlets reported the same headline finding the same day, confirming scope and framing: Cybersecurity Dive, The Register, and Bloomberg. None of them extracted the code-level forensic detail that makes this more than a scary AI brief. That detail is what converts a threat report into a usable story for defenders.
The finding extends GTIG's February 2026 work on AI-enabled threat activity, which already tracked adversary experimentation with large models, into exploit development itself. The criminal actor in this case is one entry in a much longer list. The same report documents PRC and DPRK interest in AI for vulnerability discovery, Russia-nexus polymorphic malware and obfuscation networks, and autonomous operations like PROMPTSPY, in which models interpret system state and generate commands at runtime. AI is industrializing adversary workflows across multiple axes at once. The criminal zero-day is the headline; the rest of the report is the trend.
The constructive frame does not soften that trend. It just refuses to let the story end in helplessness. AI is now both an engine an attacker can rent and a forensic signal a defender can read. That dual role is new, and the threat intelligence discipline built around reading that signal is younger still. A defender who can identify AI-assisted code in the wild has a new primitive to build on: model-specific detection rules, cluster analysis across campaigns, and a faster path from "exploit in the wild" to "actor attribution." The primitive has one obvious limit: a stylometric signal survives only as long as the actor does not refactor or obfuscate the generated output, so it is a cue for clustering and prioritization, not a standalone verdict.
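The clustering mechanism described earlier (consistent comment style, naming, scaffolding and debug artifacts across samples from the same generative origin) and the "cluster analysis across campaigns" primitive above can be made concrete with a small stylometric pipeline. The code below is an added example, not GTIG's method, Google's code, or anything from the report: it extracts a handful of illustrative style features from constructed code samples, z-scores them across the corpus, and runs single-linkage agglomerative clustering. The five samples, the feature set and the sample names are all assumptions made for the example; real attribution would use far richer features and far more samples.

```python
"""Stylometric clustering of code samples (added example, not GTIG's methodology).

Each sample is reduced to a small vector of style features, the features are
z-scored across the corpus so no single unit dominates, and samples are merged
by single-linkage agglomerative clustering until k clusters remain. The
samples and feature set are constructed for illustration only.
"""
import math
import re
from itertools import combinations
from statistics import mean, pstdev

# Constructed samples. The three "ai_*" snippets share one scaffold (docstring,
# type hints, "# Step N:" comments, descriptive snake_case names); the two
# "hand_*" snippets are terse and differ from each other in small ways.
SAMPLES = {
    "ai_1": '''
def parse_header(buf: bytes) -> dict:
    """Parse the fixed-size header from the buffer."""
    # Step 1: Validate the input length.
    if len(buf) < 8:
        raise ValueError("header too short")
    # Step 2: Extract the fields.
    return {"magic": buf[:4], "length": int.from_bytes(buf[4:8], "big")}
''',
    "ai_2": '''
def build_packet(payload: bytes) -> bytes:
    """Build a packet with a length-prefixed payload."""
    # Step 1: Validate the input length.
    if len(payload) > 65535:
        raise ValueError("payload too large")
    # Step 2: Prepend the length field.
    return len(payload).to_bytes(2, "big") + payload
''',
    "ai_3": '''
def decode_value(data: bytes) -> int:
    """Decode a big-endian integer from the data."""
    # Step 1: Validate the input length.
    if not data:
        raise ValueError("data is empty")
    # Step 2: Convert the bytes to an integer.
    return int.from_bytes(data, "big")
''',
    "hand_1": '''
def ph(b):
    if len(b)<8: return None
    print(b[:4])  # dbg
    return b[:4], int.from_bytes(b[4:8],'big')
''',
    "hand_2": '''
def bp(p):
    if len(p)>65535: return None
    return len(p).to_bytes(2,'big')+p
''',
}


def extract_features(src):
    """Return a dict of illustrative style features for one code sample."""
    lines = [l for l in src.splitlines() if l.strip()]
    n = max(len(lines), 1)
    func_names = re.findall(r"\bdef\s+(\w+)", src)
    ndef = max(len(func_names), 1)
    return {
        "docstrings_per_def": (src.count('"""') + src.count("'''")) / 2 / ndef,
        "type_hints_per_def": src.count("->") / ndef,
        "comment_line_ratio": sum(l.lstrip().startswith("#") for l in lines) / n,
        "step_comments_per_def": len(re.findall(r"#\s*Step\s+\d", src)) / ndef,
        "print_lines_per_def": sum("print(" in l for l in lines) / ndef,
        "mean_func_name_len": mean(len(f) for f in func_names) if func_names else 0.0,
        "snake_case_ratio": sum("_" in f for f in func_names) / ndef,
    }


def normalise(table):
    """Z-score every feature across the corpus; constant features map to 0."""
    names = list(table)
    keys = list(next(iter(table.values())))
    vectors = {name: [] for name in names}
    for key in keys:
        col = [table[name][key] for name in names]
        mu, sd = mean(col), pstdev(col)
        for name in names:
            vectors[name].append((table[name][key] - mu) / sd if sd else 0.0)
    return vectors


def cluster(vectors, k):
    """Single-linkage agglomerative clustering down to k clusters."""
    clusters = [[name] for name in vectors]

    def link(a, b):  # distance between the closest pair across two clusters
        return min(math.dist(vectors[x], vectors[y]) for x in a for y in b)

    while len(clusters) > k:
        i, j = min(combinations(range(len(clusters)), 2),
                   key=lambda ij: link(clusters[ij[0]], clusters[ij[1]]))
        absorbed = clusters.pop(j)  # j > i, so index i stays valid
        clusters[i].extend(absorbed)
    return sorted(sorted(c) for c in clusters)


def cluster_samples(samples, k=2):
    """Feature-extract, normalise and cluster a {name: source} mapping."""
    return cluster(normalise({n: extract_features(s) for n, s in samples.items()}), k)


def separation(samples, clusters):
    """Return (largest within-cluster distance, smallest between-cluster distance)."""
    vectors = normalise({n: extract_features(s) for n, s in samples.items()})
    label = {name: idx for idx, c in enumerate(clusters) for name in c}
    within = [math.dist(vectors[a], vectors[b]) for a, b in combinations(vectors, 2) if label[a] == label[b]]
    between = [math.dist(vectors[a], vectors[b]) for a, b in combinations(vectors, 2) if label[a] != label[b]]
    return max(within, default=0.0), min(between, default=math.inf)


if __name__ == "__main__":
    found = cluster_samples(SAMPLES, k=2)
    print("clusters:", found)
    print("max within / min between distance: %.2f / %.2f" % separation(SAMPLES, found))
```

The point of the z-scoring step is that raw features live on different scales (a name-length of 12 versus a ratio of 0.28), and without it one feature would decide every merge. Single linkage is deliberately crude; it is enough to show that three samples from one scaffold collapse to a point while the two terse samples stay off to one side. In practice the feature set would be learned from known-generated and known-human corpora, and the cluster would be treated as a lead for an analyst, not as attribution on its own.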
What to watch next is whether other vendors and CERT teams publish independent corroboration of the same forensic pattern, and whether "AI-generated code" turns into a standardized detection category the way malware family signatures did a decade ago. The first public case often looks like an outlier. The second and third cases are usually when a category is born.