AI-built zero day raises cyber alarms

 

Cybercriminals have used artificial intelligence to identify and weaponise a previously unknown software flaw, marking a significant escalation in the use of AI for offensive cyber operations.

The attempted campaign targeted a widely used open-source, web-based system administration tool and centred on a zero-day vulnerability that could bypass two-factor authentication when valid user credentials were already available. The operation was disrupted before it could be used in a wider mass-exploitation attack, limiting immediate damage but raising concern across the security industry about how quickly criminal groups are moving beyond AI-assisted phishing, reconnaissance and malware writing.

The exploit took the form of a Python script and appeared designed to abuse a high-level logic weakness rather than a conventional coding error such as memory corruption or poor input validation. That distinction has drawn attention because advanced language models are increasingly capable of tracing developer intent, spotting hardcoded trust assumptions and identifying contradictions in authentication workflows that traditional scanners may miss.

The incident is being treated as one of the clearest signs yet that AI is beginning to alter the economics of cybercrime. Vulnerability discovery and exploit development once required scarce expertise, time and repeated manual testing. AI systems can now help compress that process by analysing code, proposing attack paths, producing working scripts and refining payloads in a format that resembles professional software development.

The exploit contained several indicators associated with large language model output, including unusually educational documentation, structured help menus, a clean Pythonic style and a hallucinated severity score. Investigators assessed with high confidence that an AI model supported the discovery and weaponisation of the vulnerability, although the model used has not been identified. Google’s own Gemini and Anthropic’s Mythos were not believed to have been involved.

The affected vendor was notified through responsible disclosure channels, and the campaign was interrupted before it became a large-scale compromise. The name of the open-source tool has not been made public, a common practice when disclosure could create further risk before users have had time to patch or apply mitigations.

Security officials and researchers have warned for years that AI would eventually assist attackers in finding unknown vulnerabilities. The new case suggests that threshold is no longer theoretical. Criminal groups, rather than only state-backed teams, may have the strongest incentive to adopt these methods because speed is central to ransomware, data theft and extortion campaigns.

The development comes as threat actors linked to China and North Korea have also shown interest in AI-supported vulnerability research. Some groups have used expert personas to prompt models into acting like senior security auditors, binary-analysis specialists or embedded-device researchers. Others have tested large-scale prompting workflows to analyse known vulnerabilities, validate proof-of-concept exploits and refine attack tooling.

AI is also being used to support broader operational tasks. Threat groups have experimented with dynamic malware modification, command generation, obfuscation, decoy code and attack orchestration. Such techniques remain uneven in quality, but they show a shift from using AI as a productivity aid to embedding it directly into the attack chain.

The emergence of more capable cybersecurity-focused models has intensified debate over AI governance. Anthropic’s Mythos model, presented as highly capable at vulnerability discovery, has been limited to selected trusted organisations because of safety concerns. Technology companies and financial institutions have begun forming defensive collaborations aimed at securing critical software before offensive actors can exploit comparable capabilities.

Defenders are not without advantages. The same AI systems that help attackers can be deployed to audit code, review authentication logic, identify exposed services, prioritise patching and detect unusual behaviour across large networks. The central challenge is timing: many organisations still rely on legacy code, fragmented asset inventories and underfunded security teams, while attackers can rapidly test new methods against exposed systems.

Open-source software remains a particular concern because it underpins cloud platforms, enterprise administration, network management and developer tooling across industries. A flaw in a common utility can quickly become a systemic risk if it is quietly weaponised before maintainers and users are alerted.

