AI-Developed Zero-Day 2FA Bypass: A New Frontier in Cyber Exploitation
The cybersecurity landscape has recently witnessed a significant development: the first documented instance of a zero-day exploit likely developed with artificial intelligence (AI) being used for mass exploitation in the wild. This event, disclosed by Google, marks a shift in how vulnerabilities are discovered and weaponized. The incident involves a sophisticated two-factor authentication (2FA) bypass, underscoring the pressing need for advanced cyber threat intelligence platform capabilities and proactive breach detection strategies.
This pivotal event coincides with a series of other critical cybersecurity incidents, including a actively exploited critical firewall vulnerability, a Linux kernel zero-day with widespread impact, a pervasive supply chain attack campaign, and a long-undetected breach at a UK water utility. These diverse threats collectively illustrate the complex challenges faced by organizations today, requiring both technical understanding and strategic planning to mitigate risks. Understanding these events is crucial for maintaining security postures and adapting to attacker methodologies.
AI-Developed Zero-Day 2FA Bypass: A New Era of Exploitation
Google disclosed on May 11, 2026, that it identified an unknown threat actor utilizing a zero-day exploit believed to have been developed with an artificial intelligence system. This marks the first confirmed use of AI in the wild for malicious vulnerability discovery and exploit generation. The activity is attributed to cybercrime threat actors engaged in what Google described as a "mass vulnerability exploitation operation."
The exploit leverages a zero-day vulnerability implemented in a Python script that enables a user to bypass two-factor authentication (2FA) on an unnamed popular open-source, web-based system administration tool. Google's Threat Intelligence Group (GTIG) assessed with high confidence that an AI model was instrumental in the flaw's discovery and weaponization. The Python script exhibited characteristics common to large language model (LLM)-generated code, such as educational docstrings, a hallucinated CVSS score, and a structured, textbook Pythonic format, indicative of LLM training data.
The vulnerability itself is a 2FA bypass that requires valid user credentials for exploitation. It stems from a high-level semantic logic flaw arising from a hard-coded trust assumption, a type of issue that LLMs excel at identifying. This development demonstrates how AI is accelerating vulnerability discovery, reducing the effort needed to identify, validate, and weaponize flaws. For more insight into AI's role in uncovering zero-day vulnerabilities, see our analysis on AI Cybersecurity Threats. This shift necessitates that defenders adjust their strategies to account for compressed timelines in attack cycles, as highlighted by industry experts. Further discussions on AI security risks, active exploitation, and zero-day vulnerabilities are available in our blog on Cybersecurity Vulnerability Exploits.
What AI-Powered Malware is Active in the Wild?
Beyond vulnerability discovery, AI is facilitating the development of advanced malware and autonomous operations. One notable example is PromptSpy, an Android malware observed abusing Google's Gemini AI to analyze screen content and provide instructions for pinning malicious applications. This malware features a sophisticated autonomous agent module capable of navigating the Android user interface, monitoring real-time user activity, and interpreting data to determine its next actions.
PromptSpy can capture victim biometric data to replay authentication gestures, such as lock screen PINs or patterns, to regain access to compromised devices. It also incorporates an "AppProtectionDetector" module to prevent uninstallation by overlaying an invisible barrier over the "Uninstall" button, making it unresponsive. The malware is designed for high operational resilience, allowing adversaries to dynamically update its command-and-control (C2) infrastructure, including Gemini API keys and the VNC relay server, without redeploying the payload. Google has taken action to disable assets related to this malicious activity, and no apps containing PromptSpy have been found on the Play Store.
Google has documented other instances of AI abuse by threat actors:
- A suspected China-nexus cyber espionage group, UNC2814, prompted Gemini to act as a network security expert, facilitating persona-driven jailbreaking and vulnerability research on embedded devices like TP-Link firmware and Odette File Transfer Protocol (OFTP) implementations.
- The North Korean threat actor APT45 (also known as Andariel and Onyx Sleet) sent thousands of repetitive prompts to Gemini, recursively analyzing CVEs and validating proof-of-concept exploits.
- Chinese hacking group APT27 leveraged Gemini to accelerate the development of a fleet management application, likely intended to manage an operational relay box (ORB) network.
- Russia-nexus intrusion activity against Ukrainian organizations involved AI-enabled malware called CANFAIL and LONGSTREAM, which used LLM-generated decoy code to hide malicious functionality.
Threat actors are also experimenting with specialized tools like the wooyun-legacy GitHub repository, designed as a Claude code skill plugin. This repository contains over 5,000 real-world vulnerability cases collected from the Chinese vulnerability disclosure platform WooYun between 2010 and 2016. By priming the model with this data, it facilitates in-context learning, enabling it to approach code analysis more effectively for identifying logic flaws.
Agentic tools such as Hexstrike AI and Strix have been deployed by a suspected China-aligned threat actor against a Japanese technology firm and a major East Asian cybersecurity platform. These tools enable automated discovery with minimal human oversight. Google has also observed information operations (IO) actors from Russia, Iran, China, and Saudi Arabia using AI for routine tasks such as research, content creation, and localization. China-affiliated threat activity from UNC6201 involved automated registration and immediate cancellation of premium LLM accounts, a method to procure high-tier AI capabilities at scale while insulating malicious activity from account bans.
Further China-linked activity from UNC5673 (also known as TEMP.Hex) has leveraged publicly available commercial tools and GitHub projects for scalable LLM abuse. This activity occurs amidst a grey market of API relay platforms in China, advertised on online marketplaces like Taobao and Xianyu, which allow local developers to illicitly access Anthropic Claude and Gemini via proxy servers outside mainland China. Research from the CISPA Helmholtz Center for Information Security in March 2026 identified 17 such shadow APIs, revealing risks of model substitution and diminished accuracy on high-risk benchmarks. These proxy services also pose data capture risks, providing operators with data that could be used for fine-tuning models or illicit knowledge distillation.
AI environments themselves have become targets, as demonstrated by TeamPCP (also known as UNC6780) attacking AI systems. This introduces software supply-chain risk monitoring vulnerabilities and allows attackers to identify, collect, and exfiltrate sensitive information or perform reconnaissance within compromised networks.
Critical Firewall Vulnerability: Unauthenticated Root Access in PAN-OS
Palo Alto Networks recently disclosed a critical security vulnerability, CVE-2026-0300, affecting its PAN-OS firewall software. This buffer overflow flaw (CWE-787) resides within the User-ID Authentication Portal, also known as the Captive Portal service. With a CVSS 4.0 score of Critical, it permits unauthenticated remote attackers to execute arbitrary code with full root-level privileges. Exploitation requires no credentials, no user interaction, and no complex attack conditions.
Palo Alto Networks has confirmed active exploitation of this vulnerability in the wild, escalating the urgency for remediation. The flaw primarily affects internet-facing or untrusted-network-accessible Authentication Portal instances running vulnerable PAN-OS versions across both PA-Series and VM-Series firewalls. Impacted versions include multiple releases across PAN-OS 10.2, 11.1, 11.2, and 12.1 branches. Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The risk is particularly high when the Authentication Portal is exposed directly to the public internet, where the attack vector is network-based and highly automatable.
Successful exploitation grants complete administrative control over the targeted firewall. This access enables post-compromise activities such as traffic interception, credential harvesting, configuration manipulation, lateral movement, and broader network compromise. Compromising enterprise firewalls provides adversaries with a strategic foothold for surveillance, persistence, and infrastructure takeover. Palo Alto Networks scheduled security patches for release between May 13 and May 28, 2026.
To mitigate risk, organizations are advised to immediately restrict Authentication Portal access to trusted internal IP addresses or disable the feature if not operationally essential. For customers with licensed Threat Prevention, a protection signature released on May 5, 2026, offers an additional detection and blocking layer for PAN-OS 11.1 and later. Security teams must audit firewall configurations via Device > User Identification > Authentication Portal Settings to identify exposure. Any externally accessible Authentication Portal should be considered a high-priority emergency remediation case.
How are Linux Systems Targeted by Zero-Day Exploits?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the critical Linux kernel zero-day vulnerability CVE-2026-31431, known as "Copy Fail," to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation. This flaw carries a CVSS score of High and is categorized under CWE-699 (Incorrect Resource Transfer Between Spheres). It affects the algif_aead module within Linux's AF_ALG cryptographic subsystem, where a logic error in the authentication cryptographic template leads to improper memory handling during in-place cryptographic operations. Due to its active exploitation status, CISA mandated immediate remediation, requiring U.S. federal civilian agencies to patch affected systems by May 15, 2026, or cease their use.
The vulnerability is notable for its simplicity and reliability, allowing an unprivileged local user to escalate privileges to root access using a 732-byte Python exploit. The flaw results from the interaction between the AF_ALG socket interface, the splice() system call, and flawed error handling during failed copy operations. This chain permits a controlled 4-byte overwrite in the kernel page cache, enabling attackers to corrupt setuid binaries and other sensitive kernel-managed structures entirely within kernel space. Operating at the kernel level, this exploit bypasses many traditional user-space protections and security monitoring mechanisms.
The flaw remained undetected for nearly nine years, originating from three separate Linux kernel code changes introduced in 2011, 2015, and 2017. Its combined interactions created the exploitable condition. It impacts virtually all major Linux distributions running kernels built since 2017, including Ubuntu, Amazon Linux, Red Hat Enterprise Linux, SUSE Linux, Debian, Fedora, and Arch Linux. The ability to execute without root privileges, kernel module loading, or network access makes it particularly dangerous in containerized environments such as Kubernetes clusters and Docker CI/CD runners.
Patches are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0. Organizations are urged to upgrade immediately. For Red Hat environments, temporary configuration-level mitigations can reduce exposure until patches are deployed. CISA further instructs adherence to BOD 22-01 guidance for cloud-hosted services and discontinuation of unpatched systems where mitigation is not possible. Security teams should prioritize kernel version audits across all infrastructure to identify vulnerable systems.
Supply Chain Attacks: The Mini Shai-Hulud Worm
TeamPCP, a known threat actor, has been linked to a new Mini Shai-Hulud campaign compromising npm and PyPI packages from entities such as TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. This campaign represents a significant supply-chain risk monitoring challenge, affecting widely used developer tools and AI-related frameworks. The compromised npm packages were modified to include an obfuscated JavaScript file, "router_init.js," which profiles the execution environment and deploys a comprehensive credential stealer.
This stealer targets credentials for cloud providers, cryptocurrency wallets, AI tools, messaging applications, and CI systems, including GitHub Actions, Aikido Security, Endor Labs, SafeDep, Socket, and StepSecurity. Exfiltrated data is sent to "filev2.getsession[.]org," a domain associated with a decentralized, privacy-focused messaging service, chosen by attackers to evade enterprise network blocks. As a fallback, encrypted data is committed to attacker-controlled repositories under the author name "claude@users.noreply.github.com" via the GitHub GraphQL API using stolen GitHub tokens. This highlights the value of underground forum intelligence in tracking evolving exfiltration techniques.
The malware establishes persistence hooks in Claude Code and Microsoft Visual Studio Code (VS Code) to survive reboots and re-execute the stealer upon IDE launch. It also installs a gh-token-monitor service to re-exfiltrate GitHub tokens and injects two malicious GitHub Actions workflows to serialize repository secrets into a JSON object and upload them to an external server, "api.masscan[.]cloud." The TanStack compromise (assigned CVE-2026-45321, CVSS 9.6) originated from a chained GitHub Actions attack involving the "pull_request_target" trigger, GitHub Actions cache poisoning, and runtime memory extraction of an OIDC token from the GitHub Actions runner process.
Crucially, no npm tokens were stolen directly from TanStack's publish workflow. Instead, the attackers hijacked the project's legitimate "TanStack/router" workflow to publish compromised versions with valid SLSA Build Level 3 provenance attestations. This makes it the first documented npm worm to produce validly attested malicious packages. The worm spreads by locating publishable npm tokens with bypass_2fa set to true, enumerating packages by the same maintainer, and exchanging a GitHub OIDC token for a per-package publish token to bypass traditional authentication. The campaign has spread to 42 packages and 84 versions within the TanStack ecosystem and beyond, including other PyPI packages.
Specific examples of the worm's behavior include the malicious mistralai PyPI package, which downloads a credential stealer from "83.142.209[.]194." This stealer contains country-aware logic to avoid Russian-language environments and a geofenced destructive branch that has a 1-in-6 chance of executing "rm -rf /" if the system appears to be in Israel or Iran. The guardrails-ai@0.10.1 compromise is notable because the malicious code executes on import, checking for Linux systems, downloading a remote Python artifact from "** to "/tmp/transformers.pyz," and executing it without integrity verification.
Long-Term Intrusions: The South Staffordshire Water Breach
A recent investigation by the UK's Information Commissioner's Office (ICO) found that South Staffordshire Water, a utility company supplying drinking water to 1.6 million people, failed to detect hackers in its network for nearly two years. The intrusion by the Cl0p ransomware group led to the publication of personal data belonging to 633,887 customers and employees in August 2022. The ICO issued a fine of £963,900 ($1.3 million).
Initial access occurred in September 2020 when an employee opened a malicious email attachment, installing software that provided the attacker with a foothold. The threat actor remained hidden until May 2022 before initiating lateral movement across systems using a domain administrator account, indicating a lack of least privilege enforcement. The company did not identify the intrusion until July 2022, when IT performance issues prompted an internal investigation. A ransom note was discovered two weeks later, which the attacker had unsuccessfully attempted to distribute. This incident underscores the importance of continuous breach detection and monitoring.
Following the incident, South Staffordshire discovered approximately 4.1 terabytes of data published on the dark web. This data included names, addresses, dates of birth, bank account numbers, sort codes, National Insurance numbers, and, for a small percentage of customers on its Priority Services Register, information from which disabilities could be inferred. This highlights the necessity of dark web monitoring service and brand leak alerting to identify and respond to data exposures.
The ICO's investigation identified four specific security failures:
- Inadequate implementation of the principle of least privilege, allowing unrestricted lateral movement with a domain administrator account.
- An outsourced security operations center (SOC) was monitoring only 5% of the company's IT environment as of December 2021, and endpoint telemetry and logging were not integrated into the security monitoring platform.
- Some devices were running Windows Server 2003, an operating system whose extended support ended in July 2015, leaving it vulnerable to known exploits.
- No internal or external vulnerability scans were conducted between September 2020 and May 2022.
- Two domain controllers remained unpatched against ZeroLogon, a critical vulnerability published in August 2020 that allows rapid privilege escalation. The attacker successfully exploited ZeroLogon during the incident.
Ian Hulme, ICO's Interim Executive Director for Regulatory Supervision, stated that "Waiting for performance issues or a ransom note to discover a breach is not acceptable." Proactive security measures are a legal requirement. Although Cl0p initially claimed to have compromised Thames Water and suggested the ability to alter water supply chemical composition, South Staffordshire disputed this, and the penalty notice made no reference to operational or water treatment system compromise.
The fine was reduced due to South Staffordshire's cooperation, early admission of liability, and mitigation steps. The company entered a voluntary settlement earlier this year, securing a 40% discount, and agreed not to appeal. This incident contributes to a growing number of cyberattacks against British water suppliers, with five incidents reported to the Drinking Water Inspectorate between January 2024 and October 2025. The UK government's Cyber Security and Resilience Bill is expected to expand mandatory reporting requirements and improve security standards for critical infrastructure operators. For organizations facing similar challenges, our blog post on a 2FA bypass service takedown operation provides context on how targeted threats are addressed within the threat intelligence community.
Technical Takeaways
- AI-powered systems are now actively used by threat actors for zero-day vulnerability discovery and exploit generation, particularly for semantic logic flaws and 2FA bypasses.
- Advanced AI-enabled malware like PromptSpy demonstrates capabilities for autonomous operations, biometric data capture, uninstallation prevention, and dynamic C2 infrastructure.
- Critical infrastructure, such as firewalls and water utilities, remains a prime target, with vulnerabilities like CVE-2026-0300 (Palo Alto PAN-OS) and CVE-2026-31431 (Linux Kernel "Copy Fail") being actively exploited for root-level access and privilege escalation.
- Supply chain attacks, exemplified by the Mini Shai-Hulud worm, leverage sophisticated techniques like GitHub Actions cache poisoning, OIDC token exploitation, and valid SLSA provenance to distribute credential stealers across npm and PyPI ecosystems.
- Long-term stealthy intrusions highlight gaps in fundamental security practices, including least privilege enforcement, comprehensive security monitoring, timely patching, and regular vulnerability scanning.