The second week of May 2026 will be remembered as the moment the AI cybersecurity arms race stopped being a prediction and started being an incident report. Google identified the first zero-day exploit built with AI assistance. A criminal group breached 275 million student records. Microsoft deployed an autonomous security system that hunts vulnerabilities on its own. A startup founded by OpenAI's former CTO demonstrated a new category of AI model that listens and responds in real time. And a 14-person company released a video AI that costs one-tenth of what the big labs charge.
These are not separate stories. They are the same story, told from different angles: AI has become both the weapon and the shield, and the distance between offense and defense is measured in days, not months.
Photo: Unsplash
The First AI-Built Zero-Day
On May 12, Google's Threat Intelligence Group published a 33-page report that documents what security researchers have warned about for years but never proven: a criminal group used an AI model to find and weaponize a software vulnerability that no human scanner could detect.
The exploit was a Python script targeting a popular open-source system administration tool. It bypassed two-factor authentication by exploiting a semantic logic flaw, not a buffer overflow or an input sanitization error, but a high-level design mistake where the developer hardcoded a trust assumption into the 2FA logic. Traditional vulnerability scanners and fuzzers are optimized to detect crashes and data-flow sinks. They miss this category of flaw entirely. Large language models, however, can perform contextual reasoning: they read the developer's intent and correlate the authentication enforcement logic with hardcoded exceptions that contradict it. The AI surfaced a dormant logic error that appeared functionally correct to every existing scanner but was strategically broken from a security perspective.
Google's analysts identified the exploit as AI-generated with "high confidence" based on three telltale signatures: hallucinated CVSS severity scores that no human vulnerability researcher would assign, educational docstrings that a production exploit would never include, and a structured textbook formatting in the code that is characteristic of LLM output. The criminal group behind the exploit has, according to Google, "a strong record of high-profile incidents and mass exploitation." The planned mass exploitation event was prevented because Google's own defensive AI, codenamed Big Sleep, found the vulnerability before the attackers deployed it.
PROMPTSPY: The Malware That Thinks
The same GTIG report documents an Android backdoor called PROMPTSPY, first identified by ESET in February 2026, that represents a different order of threat entirely. Previous malware used AI as a tool, perhaps to generate phishing text or obfuscate code. PROMPTSPY uses AI as an agent.
The malware contains an autonomous agent module called GeminiAutomationAgent. It serializes the device's visible user interface hierarchy into XML via the Android Accessibility API and sends it to the gemini-2.5-flash-lite model. The model returns structured JSON responses containing action types and spatial coordinates, which PROMPTSPY parses to simulate physical gestures: clicks, swipes, and navigation. The AI interprets the device's state and generates commands in real time, without human supervision.
PROMPTSPY can capture victim biometric data to replay authentication gestures and regain access to compromised devices. If a victim tries to uninstall it, the malware identifies the on-screen coordinates of the uninstall button and renders an invisible overlay that intercepts touch events, making the button appear unresponsive. Its command-and-control infrastructure, including Gemini API keys and VNC relay servers, can be updated dynamically at runtime. Blocking specific endpoints does not disable the backdoor. Google has disabled the assets associated with this activity and confirmed that no apps containing PROMPTSPY are on Google Play.
This is not malware that runs a script. This is malware that thinks. It perceives its environment, reasons about what it sees, and acts on its conclusions. The difference between PROMPTSPY and a traditional backdoor is the difference between a land mine and a predator drone.
Photo: Unsplash
State Actors: Industrial-Scale AI Offense
The GTIG report documents three distinct state-sponsored AI campaigns operating at different levels of sophistication.
China (UNC2814) directed Gemini to act as a "senior security auditor" and "C/C++ binary security expert" to support vulnerability research into TP-Link firmware and file transfer protocol implementations. More notably, Chinese threat actors built a specialized vulnerability repository called wooyun-legacy, a Claude code skill plugin containing a distilled knowledge base of more than 85,000 real-world vulnerability cases collected by the Chinese bug bounty platform WooYun between 2010 and 2016. By priming an AI model with this dataset, the actors enabled in-context learning that steered the model to approach code analysis like an experienced researcher and identify logic flaws the base model would otherwise miss.
North Korea (APT45) sent thousands of repetitive prompts that recursively analyzed different CVEs and validated proof-of-concept exploits, building an arsenal of exploit capabilities that would be impractical to manage without AI assistance. The volume approach is the point: APT45 is not using AI for brilliance. It is using AI for scale. One researcher with an LLM can validate hundreds of exploits in the time it would take a team to validate a dozen.
Russia-nexus actors targeting Ukrainian organizations deploy malware families called CANFAIL and LONGSTREAM, both of which use AI-generated decoy code to obfuscate their malicious functionality. CANFAIL's source code contains developer comments that explicitly identify unused blocks as filler content designed to disguise malicious activity. LONGSTREAM contains 32 instances of code querying the system's daylight saving status, a repetitive benign-looking operation that exists solely to camouflage the downloader's real purpose.
The report also documents threat actors deploying tools called Hexstrike and Strix against a Japanese technology firm and an East Asian cybersecurity platform. Hexstrike uses a temporal knowledge graph to maintain persistent state of the attack surface and autonomously pivot between reconnaissance tools. The agents that Google sells to enterprises are being mirrored by agents that adversaries deploy against them.
The Supply Chain Attack on AI Itself
A cyber crime group called TeamPCP claimed responsibility for supply chain compromises of popular GitHub repositories and GitHub Actions in late March 2026, including Trivy, Checkmarx, LiteLLM, and BerriAI. The attackers gained initial access through compromised PyPI packages and malicious pull requests, then embedded credential-stealing malware to extract AWS keys and GitHub tokens from build environments. The stolen credentials were monetized through partnerships with ransomware and data theft extortion groups.
The compromise of LiteLLM is particularly significant. It is an AI gateway utility used to integrate multiple large language model providers. Because the package is widely deployed, the breach could expose AI API secrets across the entire software supply chain. GTIG notes that attackers who gain access to an organization's AI systems through compromised dependencies could leverage internal models to identify, collect, and exfiltrate sensitive information at scale, or perform reconnaissance to move deeper within the network. The AI software ecosystem has become both a tool for attackers and a target.
Photo: Unsplash
ShinyHunters vs. Canvas: 275 Million Student Records
While Google was documenting AI-powered offensive capabilities, the real-world consequences of the cybersecurity crisis were playing out in the education sector. The criminal group ShinyHunters breached Instructure's Canvas LMS platform, claiming 3.65 terabytes of data from 9,000 schools and 275 million user records, making it the largest educational data breach in history.
The breach affected institutions across 44 countries, including 44 Dutch educational organizations, the University of California Berkeley (600,000 records), and the University of Pennsylvania (306,000 records). ShinyHunters escalated the attack by defacing 330 school login portals, turning a data theft into a direct disruption of educational operations.
Instructure's response was, to put it charitably, controversial. The company reached what it called an "agreement" with ShinyHunters to stop the data leak. Security experts immediately noted that there is no guarantee that stolen data is ever truly deleted. The precedent is troubling: a major ed-tech company effectively negotiated with criminals holding student data hostage, and the industry has no framework for evaluating whether such agreements actually protect anyone. The Canvas breach is a second security incident for Instructure in eight months, raising serious questions about the company's security posture and the broader risks of centralized educational infrastructure.
Microsoft's Answer: Agentic Defense at Scale
On the same day Google published its GTIG report, Microsoft announced MDASH, a Multi-Model Agentic System for Threat Hunting, developed by its Autonomous Code Hunting and Security team. MDASH uses multiple AI models working in concert, each specialized for different aspects of vulnerability discovery, to autonomously search for and identify security flaws.
The system has already discovered 16 new vulnerabilities, including one that earned Microsoft's highest bug bounty reward. It topped the CyBench benchmark for autonomous security testing, outperforming both single-model approaches and traditional security tools. The system operates autonomously: it identifies targets, develops attack strategies, executes them, and reports findings without human intervention in the loop.
Microsoft also announced that its Agent 365 platform, which provides enterprise security agents, is now generally available, and demonstrated Copilot Studio as an AI agent governance and control center. The message from Redmond is consistent: the future of cybersecurity is agentic, and the only defense against AI offense is AI defense.
Thinking Machines Lab: The Interaction Model
While the security world was grappling with AI as weapon and shield, Mira Murati's Thinking Machines Lab quietly released something that could reshape how humans and AI collaborate. On May 11, the company founded by OpenAI's former CTO announced "interaction models," a new category of multimodal AI designed for real-time, continuous collaboration.
The core insight is deceptively simple. Current AI models experience reality in a single thread: they wait until the user finishes typing or speaking, then generate a response, during which time their perception freezes. This creates what Thinking Machines calls a "bandwidth bottleneck" that limits how much of a person's knowledge, intent, and judgment can reach the model, and how much of the model's work can be understood by the person.
Interaction models solve this by processing audio, video, and text continuously and simultaneously. The first model, TML-Interaction-Small, is a 276B parameter mixture-of-experts model that responds in 200 milliseconds, or 0.4 seconds in practice. It listens while it talks, interrupts when appropriate, and adjusts its behavior based on real-time visual and audio cues. Demonstrations include detecting animals mentioned in a story, translating speech in real time, and telling someone when they are slouching by watching their posture through a camera.
The technology has immediate implications for accessibility, customer service, and collaborative work, but the security implications are equally significant. An AI that can see your screen and hear your voice in real time is a powerful productivity tool. It is also a surveillance system. The difference between a helpful assistant and a monitoring tool is a configuration file.
The company has been plagued by talent departures, with key members defecting to Meta and even back to OpenAI. But the interaction model concept is genuinely novel, and if the research preview delivers on its promises when it opens in the coming months, it could establish a new paradigm for human-AI interaction that goes beyond the prompt-response cycle that dominates current interfaces.
Photo: Unsplash
Perceptron Mk1: Video Intelligence at One-Tenth the Cost
The same week also saw the launch of Perceptron Mk1, a video understanding and embodied reasoning model from a 14-person startup in Bellevue, Washington, that matches frontier performance at 80-90% lower cost than Anthropic, OpenAI, and Google's offerings.
Perceptron Mk1 is purpose-built for video analysis, a domain where the big labs' general-purpose models struggle with both accuracy and cost. Processing video is expensive because it requires understanding temporal relationships across frames, not just individual images. Perceptron's approach focuses on what it calls "embodied reasoning," the ability to reason about physical actions and spatial relationships as they unfold over time.
The model handles sports analytics, infrastructure inspection, smart home monitoring, manufacturing quality control, and personal assistance. Its benchmark performance against Claude, GPT, and Gemini on video understanding tasks, combined with its dramatic cost advantage, suggests that the next phase of AI competition will not be won by the biggest model but by the most efficient model for each domain. Vertical AI is eating horizontal AI's lunch.
OpenAI's Voice Play and the GPT-5.5 Ecosystem
OpenAI continued its aggressive release cadence with three new voice models for the API on May 7, bringing GPT-5.5-class reasoning to real-time audio. The models can reason, translate, and transcribe as people speak, closing the latency gap with human conversation that has limited voice AI adoption.
The company also released GPT-5.5 Instant on May 5, making its most capable model the default for all ChatGPT users. And in a move that signals the convergence of AI and cybersecurity, OpenAI launched GPT-5.5-Cyber, a specialized variant with "trusted access" for cybersecurity applications, explicitly designed to help security professionals identify and remediate vulnerabilities.
The GPT-5.5 family now spans at least four variants: GPT-5.5 (general), GPT-5.5 Pro (advanced reasoning), GPT-5.5 Instant (fast), and GPT-5.5-Cyber (security). OpenAI is building a model for every use case, every budget, and every vertical. The platformification of frontier AI is accelerating.
Google DeepMind: AlphaEvolve, Gemma 4, and the AI Pointer
Google DeepMind made three notable moves this month. First, AlphaEvolve, its Gemini-powered coding agent, demonstrated scaling impact across mathematics, materials science, and algorithm design, showing that evolutionary optimization combined with large language models can discover novel solutions that neither approach finds alone.
Second, Gemma 4, released in April but gaining traction through May, represents Google's most capable open-source model family. Available in sizes from 2B to 27B parameters under the Apache 2.0 license, Gemma 4 brings Gemini 3 research technology to the open community. The 2B model runs on mobile devices. The 27B model competes with proprietary offerings at a fraction of the cost. Google is betting that the next wave of AI adoption will be edge-deployed, and Gemma 4 is its distribution play.
Third, and most provocatively, DeepMind announced research on reimagining the mouse pointer for the AI era. The idea: instead of clicking on things, you point at them, and an AI understands context, intent, and ambiguity. Right-clicking could go the way of the 3.5-inch floppy. The Register's headline captured the reaction: "Google's AI-enabled mouse pointer understands 'this' and 'that'." It sounds trivial. It is not. The pointer is the most fundamental interface metaphor in computing. Changing it means changing how humans interact with machines at the most basic level.
Photo: Unsplash
The Policy Contradiction
While the technical evidence for AI-powered threats is now overwhelming, the policy response is moving in the opposite direction. The Trump administration blocked the expansion of Anthropic's Mythos, the most powerful vulnerability-discovery AI ever built, even as the GTIG report documents criminal and state-sponsored actors using AI to find and exploit the same types of flaws that Mythos was designed to detect.
UK banks received their Mythos briefing within days of the European access crisis, illustrating the scramble among governments and financial institutions to gain access to AI security tools that can match the capabilities described in the GTIG report. Eurozone finance ministers convened to discuss the fact that no EU government had access to the most advanced vulnerability-discovery AI while adversaries from China, North Korea, and Russia were already using AI to find zero-days, generate autonomous malware, and attack the AI software supply chain.
The policy contradiction is stark: defensive AI is being restricted while offensive AI is being deployed at industrial scale. The US government is limiting access to the best defensive tools at the precise moment that the adversary landscape is escalating to AI-powered operations. This is not a hypothetical risk. Google's report contains 33 pages of evidence.
What This Week Means
Seven days, five major developments, one inescapable conclusion. The AI cybersecurity arms race has moved from theory to operations. Criminal groups are using AI to build zero-days. State actors are using AI to validate exploit arsenals. Malware is learning to think, perceive, and adapt in real time. The AI supply chain itself is under attack. And the defensive response, while impressive, is reactive by definition. Big Sleep found the vulnerability before the criminal group deployed it. But Big Sleep exists because Google built it to find vulnerabilities that human researchers miss. The offensive AI found the same vulnerability independently. The question is not whether AI will be used as a weapon. It already is. The question is whether the defensive applications will scale fast enough to matter.
The answer depends on policy choices that are being made right now, and they are being made badly. Restricting access to defensive AI while adversaries operate with impunity is not a strategy. It is a vulnerability. And as this week has shown, vulnerabilities have a way of being found.