AI-Built Zero-Day Exploits and Agentic AI: New Frontiers in Cyber Threats
Introduction
Cybersecurity is changing. Threat actors are more sophisticated, and artificial intelligence (AI) is quickly integrated into offensive operations. Recent incidents show AI is a practical tool for developing zero-day exploits and orchestrating complex supply-chain compromises, not just a theoretical aid. This requires re-evaluating current security and increasing focus on advanced threat intelligence.
AI-built zero-day exploits and agentic AI deployments create new blind spots for security teams. Organizations need to understand these attack vectors and mechanisms to defend digital assets. This document examines recent high-profile incidents and their effects on cybersecurity, showing the need for full cyber threat intelligence platform capabilities.
AI in attacker methods changes the economics of exploit development, making advanced capabilities more accessible and scalable. This calls for proactive breach detection and continuous supply-chain risk monitoring to address these attacks.
How AI Discovers and Codes Zero-Day Exploits
AI models can now discover and code software exploits. A cybercriminal group recently nearly launched a mass attack using an AI model to build an exploit from scratch, as reported by Google's Threat Intelligence Group (GTIG). This changes exploit development, which traditionally relied solely on human expertise to identify and weaponize vulnerabilities.
The exploit targeted a popular open-source web administration tool. It bypassed two-factor authentication through a flaw in a Python script. This vulnerability was not a typical memory corruption or improper input handling error that conventional security scanners detect. Instead, it involved a high-level semantic logic flaw: a developer hardcoded a trust assumption that the AI model successfully contradicted. AI models identify discrepancies in code behavior by reading developer intent, a capability traditional scanning tools lack.
Forensic evidence from the exploit code, including educational comments, fabricated severity scores, and a structured Python format, suggests AI models built from training data were directly involved. While GTIG did not attribute the exploit to a specific AI model, the confirmed AI assistance for both discovery and weaponization shows a key advancement in offensive cyber capabilities. Nicole Carignan, a senior vice president of security and AI strategy at Darktrace, observed that AI makes exploit development repeatable, scalable, and efficient for more actors.
What Advanced Threat Actors Use AI For
Threat actors, including state-sponsored groups, integrate AI into operations beyond simple automation, using it for exploit generation and evasion tactics. This expanded use of AI poses challenges for traditional cyber threat intelligence platform capabilities.
North Korea's APT45 uses AI models to systematically analyze known software flaws. This group employed thousands of automated, repetitive prompts to validate exploits, creating capabilities that would be impractical to assemble manually. Such operations show why advanced analytics in real-time ransomware intelligence and underground forum intelligence are needed to track these AI-generated exploits.
A China-linked group, UNC2814, experimented with manipulating AI models like Gemini. They instructed the model to act as a network security expert for embedded devices, aiming to extract vulnerability research the model would otherwise restrict. In another operation, actors used a GitHub repository named "wooyun-legacy" as an AI code skill plugin. This plugin contained a knowledge base of over 85,000 real-world vulnerability cases, training the AI to analyze code and prioritize logic flaws like an experienced security researcher.
Russian-linked groups have adopted AI for malware concealment. Two malware families, CanFail and LongStream, deployed against Ukrainian targets, used AI-generated filler code. This inert, benign code padded source files, making malicious components harder to identify. For example, LongStream included 32 instances of superfluous daylight saving status checks to obfuscate its purpose.
The PromptSpy Android backdoor, identified by Eset, demonstrates autonomous control over infected devices using Google's Gemini API. This malware maps a device's screen layout, transmits it to Gemini, and receives precise coordinates and gesture instructions (e.g., clicks, swipes) to navigate the phone. It can capture biometric login data. During uninstall attempts, it places an invisible layer over the uninstall button to intercept taps, making the process appear unresponsive. The malware's command infrastructure, including Gemini API keys and relay server, can be updated remotely, complicating breach detection efforts. Google has since disabled assets associated with PromptSpy, confirming its absence from the Google Play Store. These tactics show the need for solutions like a dark web monitoring service and telegram threat monitoring to uncover new malware strains and communication methods.
Threat actors also bypass AI usage controls and safety guardrails. They operate through networks of proxy relay services, pooled accounts, and automated registration pipelines. A March 2026 study by the CISPA Helmholtz Center for Information Security identified 17 shadow API services offering unrestricted access to official AI models. Though models accessed via these proxies show reduced accuracy, every prompt and response is visible to their operators, risking sensitive data capture and misuse. This structural advantage gives malicious actors persistent, free access to premium commercial AI models.
The Mini Shai-Hulud Campaign: Supply Chain Attack and Persistence
The "mini Shai-Hulud" malware campaign poses a significant supply-chain risk monitoring challenge. It compromised hundreds of open-source packages and embedded credential-stealing code into widely used development tools. This attack shows how threat actors can use the software update process itself to bypass conventional security measures. Organizations can learn more about similar threats in our blog post on the 'Shai Hulud' npm worm and supply chain attacks.
The attack targeted software libraries such as TanStack, UiPath, and MistralAI. TanStack's React Router package, with over 12 million weekly downloads, demonstrates how deeply this malicious code infiltrated the software supply chain of modern enterprise applications. TanStack security teams removed all compromised software versions but advised anyone who downloaded affected tools to immediately change all connected cloud, server, and developer credentials, including those for Amazon Web Services, Google Cloud, and GitHub.
This incident exposed vulnerabilities in automated software publishing workflows. The compromised updates bypassed two-factor authentication and carried cryptographically valid provenance signatures. These signatures verified the packages originated from correct continuous integration pipelines, but the pipelines themselves were manipulated to authorize malicious code, indicating a gap in automated security checks. For context on other developer tool compromises, read our analysis of GlassWorm malware infiltrating developer tools and stealing credentials.
TeamPCP, a cloud-focused cybercriminal group emerging in late 2025, is attributed to this campaign. The group specializes in automating supply-chain attacks and exploiting cloud-native infrastructure, including Docker and Kubernetes environments. They are known for disguising stolen data as anonymous messaging traffic and using extortion tactics, which include threatening to erase victims' computers if access is revoked.
The attackers initiated the automated release process using an "orphaned commit"-code pushed to a repository fork without a corresponding branch. This exploited overly broad permissions in GitHub Actions workflows. Malware was then delivered via a concealed dependency that fetched an obfuscated 2.3-megabyte payload, disguised as an initialization module.
Upon execution, the malware uses Bun, a fast JavaScript engine, to steal security keys and passwords. It targets cloud infrastructure like AWS, Google Cloud Platform, Kubernetes, and HashiCorp Vault, and scans local developer machines for secret files and SSH keys. The malware operates as a self-propagating worm, publishing copies to projects and spoofing activity as automated commits from the Anthropic Claude bot. A secondary extortion tactic involves generating a new registry token with a ransom note, threatening to wipe computers if compromised access is revoked. Community spread of the malware remained limited.
To maintain continuous access, the malware embeds itself into configuration files of developer tools such as Visual Studio Code and Anthropic's Claude Code. This ensures malicious scripts execute automatically whenever a developer opens a project or starts an AI coding session. Stephen Thoemmes, a senior developer advocate at Snyk, notes that directories like .claude/ and .vscode/ are often excluded from version control and overlooked as attack surfaces. He stated developers must apply thorough security auditing to tooling directories, similar to production infrastructure.
Stolen data is exfiltrated using Session, an anonymous messaging app that routes data through a decentralized network. This method disguises data theft as ordinary, encrypted chat traffic, allowing attackers to avoid detection by traditional command server monitoring. Feross Aboukhadijeh, CEO of Socket, observes that by compromising trusted tools within build systems, attackers do not need to breach every company directly; instead, they exploit existing trust. He advises organizations to look for signs such as compromised package versions in CI/CD or developer environments, unexpected outbound connections, suspicious changes in package lockfiles, unusual package publishes, and persistence artifacts in developer tooling directories.
Instructure's Canvas Breach: Ransomware and Broad Impact
Instructure, an education technology firm, recently experienced a cybersecurity incident affecting its Canvas platform, a widely used learning management system. This involved paying a ransom to the ShinyHunters cybercriminal group after a breach that compromised educational data. Organizations tracking such incidents can use a real-time ransomware intelligence feed and a live ransomware API.
ShinyHunters breached Instructure's Canvas platform twice. The initial intrusion on May 1 stole information. A second incident on May 7 involved defacing the platform with a ransom message. This forced Instructure to temporarily shut down Canvas, disrupting access for millions of students and faculty ahead of final exams.
The attackers claimed to have stolen data from 9,000 Instructure customers, including names, email addresses, student IDs, and messages exchanged between students and professors. They demanded individual ransoms from affected schools and threatened to leak the data by May 12. Instructure confirmed paying the ransom to ShinyHunters, stating the agreement included data return and digital confirmation of data destruction. The company indicated no Instructure customers would be extorted due to this agreement.
The incident prompted an investigation by the House Homeland Security Committee, led by Rep. Andrew Garbarino (R-NY). The committee requested a briefing before May 21 to address the circumstances of both intrusions, the nature and volume of data accessed, and Instructure's response and coordination with federal law enforcement and CISA. Garbarino questioned Instructure's initial claim of containment on May 2, given the subsequent second intrusion and failure to fully remediate underlying vulnerabilities. This raises concerns about the company's incident response capabilities and its obligations regarding customer data.
The FBI advised students not to respond to direct payment requests from the hackers, clarifying that receiving messages does not necessarily confirm personal information compromise. The agency urged individuals to await formal guidance from their educational institutions. Following the ransom payment, the ShinyHunters leak site was taken offline, potentially indicating law enforcement action. This group has a history of breaches, including Ticketmaster, AT&T, and the educational publisher McGraw Hill. Similar threats targeting developers with malicious packages are detailed in our blog post on North Korea's npm malware campaigns.
Why Agentic AI Creates New Security Blind Spots
Agentic AI, already operating in many organizations, creates a security blind spot because it can execute tasks, consume data, and take actions without direct security team oversight. This lack of visibility exists because understanding a technology is necessary for effective defense. Security teams that do not understand agentic AI risk being bypassed by business units deploying these tools, leading to increased exposure.
To address this, security professionals must engage directly with agentic AI, experimenting with developer tools to gain hands-on familiarity. This practical understanding is essential for questioning design decisions, proposing controls, and asking informed questions.
The agentic AI field has three main areas, each with distinct risk profiles:
- General-purpose coding and productivity agents: Tools like Claude Code and GitHub Copilot are embedded in developer workflows. Security teams need to understand the data they access, how they interact with codebases, and the actions they can take.
- Vendor-built agents powered by Model Context Protocol (MCP): MCP is an integration layer enabling agents to connect to external services and act on their behalf. This introduces new attack vectors, such as a malicious calendar invite carrying hidden instructions an agent could interpret and execute. Secure configuration and review of these agents are important.
- Custom agents built by individual users: When anyone in an organization can build functional tools, automations, and workflows with system access, without writing traditional code, it creates a new supply-chain problem. Marketing, finance, and operations teams may deploy these agents without security review, expanding the attack surface.
Lagging in agentic AI security consistently results in organizations proceeding without security input, and exposure grows. Useful agents often require broad access to calendars, communication platforms, file systems, code repositories, and internal APIs. This broad access increases the blast radius if an agent is compromised. An agent with terminal and email inbox access could be manipulated through either channel, facilitating lateral movement. Understanding these pathways requires detailed knowledge of agent construction.
Building competency in agentic AI security involves two important areas:
- Understanding AI application architecture: This includes how AI applications are structured, how agents process inputs, chain tools, generate outputs, and the access control implications of MCP sessions.
- Staying updated: The AI tooling and threat environment changes quickly. Security teams need to stay updated on vendor security controls, open-source frameworks, and evolving threat taxonomies from organizations like OWASP. This allows for informed evaluation of new tools and solutions.
Many agentic AI deployments introduce risk from inadequate security configuration rather than inherent flaws. For example, a self-hosted AI assistant connected to Telegram might respond to any message without proper controls, creating an open entry point. A simple configuration to pair the agent with a single trusted account can close most of this exposure. The principle is scope: agents should be limited to their intended functions, such as a calendar agent not having terminal access, or a request processor lacking write access to code repositories. This limits the blast radius and reduces the attack surface. Security involvement early in design is important to balance agent utility and security before architectures and permissions are set.
Technical Takeaways
- AI is actively used by cybercriminals for zero-day exploit development. It identifies semantic logic flaws missed by traditional scanners, changing the economics of offensive security.
- Advanced Persistent Threat (APT) groups and cybercriminal organizations use AI for systematic exploit validation, obfuscating malware with AI-generated filler code, and autonomous device control via tools like PromptSpy.
- Supply chain attacks, such as "mini Shai-Hulud," exploit automated software publishing workflows and developer tooling configuration files, bypassing security measures like 2FA and provenance signatures.
- Ransomware campaigns, like the ShinyHunters breach of Instructure's Canvas, show the operational impact on critical infrastructure and the need for strong incident response and brand leak alerting capabilities.
- Agentic AI creates new security blind spots due to widespread deployment without adequate security oversight. Security teams must develop practical fluency in AI architecture and enforce strict functional scoping and secure configuration of agents.