Google GTIG just documented the first confirmed AI-developed zero-day vulnerability — some technical details worth discussing

Posted by Expert_Sort7434@reddit | linux

So GTIG dropped their Q2 AI Threat Tracker on May 11 and I think the most technically interesting finding has been underreported relative to its significance.

A cybercrime group was planning a mass exploitation campaign. The Python exploit scripts associated with the campaign had hallmarks that GTIG says indicate "high confidence" the code was written with AI assistance: educational docstrings throughout, a hallucinated CVSS score, structured "textbook Pythonic" formatting, detailed help menus and a clean ANSI color class. No human writing an exploit for actual deployment bothers with any of that.

The actual vulnerability — which GTIG helped disclose and remediate before it was deployed — was a 2FA bypass in a popular open-source web-based system administration tool (unnamed for now). Not a memory corruption bug. A semantic logic flaw: the developer hardcoded a trust assumption that contradicted the 2FA enforcement logic elsewhere in the codebase. Traditional fuzzers don't catch that. LLMs, apparently, do.

GTIG's explanation of why is worth reading: frontier LLMs can "read developer intent" and correlate enforced security policies against hardcoded exceptions. That's a completely different threat model than what most SAST tools are built around.

Beyond the zero-day, the same report covers PROMPTSPY (Android malware using Gemini as an autonomous UI navigation engine), CANFAIL and LONGSTREAM (AI-generated decoy code to confuse analysts), and the TeamPCP supply chain hits on LiteLLM and BerriAI via PyPI.

Some questions for the community:

  1. Is your organization treating semantic logic flaws (hardcoded trust assumptions, contradictory auth enforcement) differently from memory corruption bugs in code review? Because if AI can find them at scale, so can attackers.
  2. For those running AI API gateways — have you rotated credentials after the LiteLLM/BerriAI PyPI compromise? What's your secret management posture for AI API keys?
  3. GTIG says the most common threat actor use of LLMs is still just basic research and troubleshooting — but zero-day development is now proven possible. How do you model this in your threat matrix?

Full technical write-up here if you want the PROMPTSPY attack chain and the MITRE ATLAS mappings: https://www.techgines.com/post/gtig-ai-developed-zero-day-vulnerability-promptspy-2026

I previously covered the first AI-assisted OT attack (Dragos / Monterrey water utility) here if you want more background on the AI-as-attacker threat progression: https://www.techgines.com/post/ai-assisted-ot-attack-claude-scada-water-utility-dragos
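
Added example, not part of the original post and not GTIG's tooling: a triage heuristic that checks a Python script for the stylistic traits listed above (docstring coverage, an ANSI color class, argparse help text, an embedded CVSS score). The function name, the "three or more constants" threshold and the sample script are assumptions constructed for illustration.

```python
import ast
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # one ANSI SGR escape sequence
CVSS = re.compile(r"CVSS[^\n]{0,20}?(\d{1,2}\.\d)", re.I)

def style_traits(source: str) -> dict:
    """Report the stylistic traits named in the post for one Python script."""
    nodes = list(ast.walk(ast.parse(source)))
    defs = [n for n in nodes if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    ansi_class = False
    for cls in (n for n in nodes if isinstance(n, ast.ClassDef)):
        vals = [s.value.value for s in cls.body
                if isinstance(s, ast.Assign) and isinstance(s.value, ast.Constant)
                and isinstance(s.value.value, str)]
        if len(vals) >= 3 and all(ANSI.fullmatch(v) for v in vals):  # assumed threshold
            ansi_class = True
    help_args = sum(1 for n in nodes
                    if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                    and n.func.attr == "add_argument"
                    and any(k.arg == "help" for k in n.keywords))
    documented = sum(1 for n in defs if ast.get_docstring(n))
    return {
        "docstring_ratio": documented / len(defs) if defs else 0.0,
        "ansi_color_class": ansi_class,
        "help_arguments": help_args,
        # Scores are only extracted; an analyst must compare them with the real advisory.
        "cvss_scores": CVSS.findall(source),
    }

# Constructed, harmless sample script (assumption; not taken from the GTIG report).
SAMPLE = r'''
"""Demo tool. Severity: CVSS 9.8 (Critical)"""
import argparse
class Colors:
    """ANSI color codes for terminal output."""
    RED = "\033[91m"
    GREEN = "\033[92m"
    RESET = "\033[0m"

def main():
    """Parse arguments and print a status line."""
    p = argparse.ArgumentParser(description="Demo")
    p.add_argument("--target", help="Host name to check")
    p.add_argument("--verbose", action="store_true", help="Enable verbose output")
    print(Colors.GREEN + "ok" + Colors.RESET)
'''

if __name__ == "__main__":
    print(style_traits(SAMPLE))
```

These are style signals only: they say nothing about what a script does, and ordinary well-documented tooling matches them too.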