Last week, the New York Times reported, and Google confirmed, that the company's threat intel teams caught what they describe as the first documented instance of criminal actors using a large language model to find a zero-day vulnerability and turn it into a working exploit. Google says it neutralized the attack. What it has not, as of this writing, publicly disclosed: which product was targeted, which model the attackers used, whether the AI in question was a frontier commercial model or an open-weights one, or how Google's own AI defense tools detected the activity. That's a lot of redactions for a "first."
The framing matters because it conveniently lands inside a market story. The same week, OpenAI launched Daybreak, a security-focused product pitched at exactly this problem, and Anthropic's competing Claude Mythos is reportedly already deployed by enterprises. Google has its own AI cyber-defense roadmap to sell. So when Google's threat team announces "criminals are now using AI, but don't worry, our AI caught them," it's worth asking whether we're reading a public-interest disclosure or a product-positioning artifact. Probably both. That doesn't make it false, as it simply makes it incomplete.
Zoom out and the trendline is harder to argue with. The Hacker News, citing Sonatype's 2026 State of the Software Supply Chain report, notes malicious packages in public repositories jumped from roughly 55,000 in 2022 to 454,600 in 2025, a near nine-fold rise. Mandiant's M-Trends 2026 found "time-to-exploit" has effectively gone negative: exploits now routinely appear before patches do, with VulnCheck reporting 28.3% of disclosed CVEs hit in the wild within 24 hours. CrowdStrike's global threat report logs a 35% jump in cloud intrusions. And Hoxhunt's 2025 phishing benchmark claims AI-generated phishing now outperforms human red teams. Several of those data points come from vendors with skin in the game, so treat the specific percentages as directional rather than gospel, but four independent sources pointing the same direction is a pattern.
Here's the question nobody in Big Tech wants to answer cleanly: if a 17-year-old in Osaka can scrape 7 million records to buy Pokémon cards (arrested December 2025), and a single actor with Claude Code can run an extortion campaign across 17 organizations in a month (Anthropic's own August 2025 disclosure), what does "first known criminal AI zero-day" actually mean?
-
Possibility one: Google really is seeing the leading edge, and the labs' safety filters held until now.
-
Possibility two, and the one I'd bet on: AI-assisted vulnerability discovery has been happening for months, undetected or unattributed, and Google is simply the first vendor with both the telemetry to catch it and the PR incentive to say so.
Either way, the "AI helps defenders more than attackers" thesis the labs have been selling since 2023 is, on current numbers, looking shaky.