The attack that wrote itself

The exploit code included a hallucinated CVSS score. That detail, buried in CNBC's report on the first confirmed AI-generated zero-day attack, tells you more about where we are than the attack itself. A hacker group used an AI model to discover a vulnerability in a web administration tool's two-factor authentication, then had it write the Python exploit, complete with educational docstrings and textbook formatting, as though the model were submitting coursework rather than building a weapon. The machine did the job. It also couldn't help being helpful while doing it.

Google's Threat Intelligence Group caught it before the planned mass exploitation event landed. Good. But the response from the rest of the industry in the same 24-hour window is what deserves attention, because it looks less like a coordinated defence and more like three companies rummaging through different drawers for tools they hadn't thought to organise.

The divergence

OpenAI gave the European Union access to GPT-5.5-Cyber for defensive cybersecurity, a limited preview for EU institutions, governments, and cyber authorities. Anthropic's discussions on granting similar access to its Mythos model are, per the same report, at a "different stage" with no timeline. Meanwhile, Microsoft's Windows 11 update added taskbar monitoring for AI agents running background tasks.

Three responses. One says: share the defensive tools now. Another says: not yet. A third says: let users watch what their agents are doing. None of these are wrong, exactly, but they don't compose into a strategy. They compose into an admission that the industry crossed an offensive-capability threshold it had been theorising about for years and discovered it had no shared playbook for the morning after.

This pattern has precedent outside tech. When recombinant DNA first moved from theory to practice in the early 1970s, the biological research community called the Asilomar Conference to agree on safety protocols before the regulators arrived. It was messy and imperfect, but it was coordinated. The AI industry's version of the same inflection point produced, in a single day, a product launch, a diplomatic access grant, and a polite deferral. No conference. No shared framework. Just individual corporate responses calibrated to individual corporate positions.

The practical question for anyone building products with AI is narrower but immediate: the Windows taskbar feature matters more than it looks. The design assumption behind it is now baked into the operating system: AI agents will run persistent background tasks that users need to supervise. That's an interface commitment. It means Microsoft expects agent autonomy to be normal enough that monitoring it belongs next to your Wi-Fi icon.

I think the Google interception is the headline but the real story is the gap between offence and governance. A criminal group used a generally available AI model to find a zero-day and write an exploit. The code was competent enough to work and naive enough to include a fake severity rating. That combination, capable but unsophisticated, is exactly the profile that scales. You don't need the attack to be elegant. You need it to be easy to repeat.

The question for the next twelve months isn't whether AI-generated exploits will happen again. It's whether the defenders will still be improvising their responses one company at a time when they do.

---