When Machines Learn to Break Machines: The Week AI Crossed Every Threshold

PRISM | BLACKWIRE | May 19, 2026
Bureau: VOLT | Tags: cybersecurity, AI, zero-day, Google, Microsoft, Linux, NGINX, malware

There is a week every few years where the ground shifts under your feet and you can feel the tectonic plates of technology grinding into a new configuration. The second week of May 2026 was one of those weeks. Not because of a single event, but because of a convergence: AI-generated zero-day exploits, autonomous malware that navigates smartphones without human input, the worst Linux kernel vulnerability in years, a critical NGINX flaw threatening millions of web servers, a Windows privilege escalation resurrected from a patch that apparently never took, and a $650 million bet on self-improving AI. All of it hit in a seven-day span. And at the center of it all, a new kind of arms race became visible - one where machines learn to break machines, and other machines learn to stop them.

The TL;DR: Google confirmed the first known AI-developed zero-day exploit. Microsoft announced an agentic security system that found 16 new Windows vulnerabilities. A criminal group built an exploit with AI help that Google disrupted before mass deployment. Linux got hit with Copy.Fail, the worst kernel vulnerability in years. NGINX revealed a critical heap buffer overflow dubbed "Rift." A Windows zero-day from 2020 turned out to still be exploitable. And a startup raised $650 million to build AI that improves itself. The machines are not coming. They are here, and they are attacking each other.

I. The First AI-Developed Zero-Day

Google's Threat Intelligence Group published a 33-page report on May 18, 2026 that will be cited for years. The report documents what GTIG describes as the "industrial-scale application of generative models within adversarial workflows." But the headline finding is stark: Google identified the first zero-day exploit it believes was developed with AI assistance, and it thwarted a planned mass exploitation event before the attack was launched.

The exploit was a Python script designed to bypass two-factor authentication on a popular open-source system administration tool. It targeted a semantic logic flaw - not a memory corruption bug or an input sanitization error, but a high-level design mistake where the developer hardcoded a trust assumption into the 2FA logic. This is precisely the category of vulnerability that traditional fuzzers and vulnerability scanners are built to miss. They look for crashes, for data-flow sinks, for the patterns that have been documented in CVE databases for decades. They do not read developer intent.

Large language models do. Or at least, one did. The exploit contained what Google described as "hallucinated CVSS scores, educational docstrings, and the structured textbook formatting characteristic of large language model output." Google has high confidence that an AI model was used to find and weaponize the flaw. The criminal group behind it has, according to GTIG, "a strong record of high-profile incidents and mass exploitation."

This is the threshold moment. The exploit did not need to be deployed to change everything. Its existence proves that AI can now surface vulnerabilities that human auditors and traditional scanners consistently miss - and that hostile actors are already using this capability. The question is no longer whether AI can find zero-days. It is how many are being found right now that nobody has detected yet.

II. PROMPTSPY: The Malware That Thinks for Itself

Embedded in the same GTIG report is something arguably more unsettling than the zero-day: PROMPTSPY, an Android backdoor that represents a new paradigm in malware design. First identified by ESET in February 2026, PROMPTSPY does not just use AI. It is built around an autonomous agent module called GeminiAutomationAgent.

Here is how it works. The malware serializes the device's visible user interface hierarchy into an XML-like format via the Android Accessibility API, then sends it to the gemini-2.5-flash-lite model. The model returns structured JSON responses containing action types and spatial coordinates. PROMPTSPY parses these responses and simulates physical gestures - clicks, swipes, navigation - in real time, without human supervision. The AI does not receive instructions from a command-and-control server about what to tap. It interprets the screen itself and decides what to do.

The capabilities escalate from there. PROMPTSPY captures victim biometric data to replay authentication gestures and regain access to compromised devices. If a victim tries to uninstall it, the malware identifies the on-screen coordinates of the uninstall button and renders an invisible overlay that intercepts touch events, making the button appear unresponsive. Its command and control infrastructure, including Gemini API keys and VNC relay servers, can be updated dynamically at runtime. Blocking specific endpoints does not disable the backdoor.

This is not a script that runs predetermined actions. It is an agent that perceives its environment, reasons about what it sees, and acts. The attack surface is not a specific vulnerability. It is the entire device.

III. State Actors and the AI Attack Toolkits

The GTIG report does not limit itself to criminal actors. It documents state-sponsored groups from China, North Korea, and Russia using AI for offensive operations with increasing sophistication.

UNC2814, a Chinese-linked group, directed Gemini to act as a "senior security auditor" and "C/C++ binary security expert" to support vulnerability research into TP-Link firmware and file transfer protocol implementations. North Korea's APT45 sent thousands of repetitive prompts that recursively analyzed different CVEs and validated proof-of-concept exploits, building an arsenal of exploit capabilities that would be impractical to manage without AI assistance.

Perhaps most creatively, Chinese threat actors used a specialized vulnerability repository called wooyun-legacy, a Claude code skill plugin containing a distilled knowledge base of more than 85,000 real-world vulnerability cases collected by the Chinese bug bounty platform WooYun between 2010 and 2016. By priming an AI model with this vulnerability data, the actors enabled in-context learning that steered the model to approach code analysis like an experienced researcher and identify logic flaws the base model would otherwise miss.

Russia-nexus actors targeting Ukrainian organizations deployed two malware families, CANFAIL and LONGSTREAM, both using AI-generated decoy code to obfuscate their malicious functionality. CANFAIL's source code contains developer comments that explicitly identify unused blocks as filler content. LONGSTREAM contains 32 instances of code querying the system's daylight saving status - a repetitive, benign-looking operation that exists solely to camouflage the downloader's real purpose.

Chinese-linked APT27 used Gemini to accelerate development of an operational relay box network management tool with multi-hop proxy configurations designed to obfuscate intrusion origins. The agents that Google is selling to enterprises are being mirrored by agents that adversaries are deploying against them.

IV. Copy.Fail: The Linux Kernel Breaks Open

While the AI cybersecurity arms race escalated in the cloud, the ground underneath it was cracking. Bruce Schneier called Copy.Fail "the worst Linux vulnerability in years." Disclosed by security firm Theori on April 29, 2026, CVE-2026-31431 is a local privilege escalation that abuses the kernel crypto API (AF_ALG sockets) plus the splice() system call to write four bytes at a time directly into the page cache of a file the attacker does not own.

The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, and Fedora. No race condition. No per-distro offsets. No special prerequisites beyond a local user account. And here is the kicker: the file on disk is never modified. AIDE, Tripwire, and every checksum-based integrity monitor sees nothing. The modification exists only in the page cache, which persists until reboot.

"Local privilege escalation" sounds dry. But in 2026, "local" covers an enormous surface: every container on a shared Kubernetes node, every tenant on shared hosting, every CI/CD job running untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerized AI agent given shell access. They all share one Linux kernel with their neighbors. A kernel LPE collapses that boundary entirely.

Kubernetes Pod Security Standards (Restricted) and the default RuntimeDefault seccomp profile do not block the syscall used. A custom seccomp profile is needed. The mainline fix landed on April 1, and distros are rolling kernels out now. But the gap between disclosure and patching remains the vulnerability window that every attacker exploits.

V. NGINX Rift: The Web Server Under Siege

As if the Linux kernel were not enough, CVE-2026-42945, dubbed "NGINX Rift," emerged on May 18. This is an unauthenticated heap buffer overflow vulnerability within the NGINX HTTP rewrite module (ngx_http_rewrite_module). The module mishandles overly long strings or continuous repeating characters when evaluating rewrite rules.

A server is only vulnerable if it uses a specific configuration trigger: the rewrite, if, or set directives with unnamed PCRE regular expression captures (like $1, $2) where the replacement string contains a question mark. For example, rewrite ^/api/(.*)$ /internal?id=$1; would be vulnerable. This is not an exotic configuration. It is how a vast number of NGINX deployments handle URL routing and API proxying.
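One way to audit a configuration for the trigger pattern just described, as an added example that is not part of the original article nor of any NGINX or Akamai tooling: a small Python checker that scans a constructed nginx.conf and flags rewrite and set values combining an unnamed capture ($1, $2, ...) with a literal '?'. It assumes one directive per line and uses no real advisory signatures.

```python
import re

# Added audit helper (not from the advisory or from NGINX): reports rewrite/set
# directives whose value combines an unnamed capture ($1, $2, ...) with a
# literal '?', the configuration trigger the advisory describes. Directives
# inside an if-block are scanned the same way, so the inner rewrite in
#   if ($uri ~ ^/x/(.*)$) { rewrite ^ /app?page=$1 last; }
# is reported on its own line.

UNNAMED_CAPTURE = re.compile(r"\$[1-9]\d*")           # $1, $2, ... $12
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')          # quoted or bare token
DIRECTIVE = re.compile(r"^(rewrite|set)\s+(.*)$")


def is_risky_value(value: str) -> bool:
    """True when a replacement/value string has both '?' and an unnamed capture."""
    return "?" in value and UNNAMED_CAPTURE.search(value) is not None


def _unquote(token: str) -> str:
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def audit_nginx_config(text: str) -> list:
    """Return (line_number, directive, value) for every risky rewrite/set."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments. Assumption: no '#' inside a regex or value;
        # a production audit should use a real nginx config parser instead.
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, rest = m.group(1), m.group(2).rstrip(";")
        tokens = [_unquote(t) for t in TOKEN.findall(rest)]
        # rewrite <regex> <replacement> [flag];   set <$var> <value>;
        # in both forms the string of interest is the second token
        if len(tokens) >= 2 and is_risky_value(tokens[1]):
            findings.append((lineno, directive, tokens[1]))
    return findings


# Constructed sample configuration covering the trigger and two near-misses.
SAMPLE_CONF = """
server {
    listen 80;
    # the advisory's example trigger: unnamed capture plus '?' in replacement
    rewrite ^/api/(.*)$ /internal?id=$1;
    # named capture ($path) rather than $1-style: not the documented pattern
    rewrite ^/v2/(?<path>.*)$ /backend?path=$path;
    # unnamed capture but no '?' in the replacement
    rewrite ^/old/(.*)$ /new/$1 permanent;
    set $target "/search?q=$1";
    if ($request_uri ~ ^/legacy/(.*)$) {
        rewrite ^ /app?page=$1 last;
    }
}
"""

if __name__ == "__main__":
    for lineno, directive, value in audit_nginx_config(SAMPLE_CONF):
        print(f"line {lineno}: {directive} combines an unnamed capture with '?': {value}")
```

Run it against a real config with `audit_nginx_config(open("/etc/nginx/nginx.conf").read())`; included files must be scanned separately.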

The attack works by sending a specially crafted HTTP request containing extensive repeating patterns that bypass standard length checks. When the rewrite module processes this input against the vulnerable configuration, it exceeds the allocated heap buffer size, leading to memory corruption. Denial of service is reliable. Remote code execution is possible but difficult, requiring an information leak and precise memory manipulation to bypass ASLR.

The vulnerability affects NGINX Open Source versions 1.0.0 through 1.30.0 and NGINX Plus releases 32 through 36. Legacy versions 0.6.27 through 0.9.7 have no official patch planned. Several downstream products including NGINX Ingress Controller, NGINX Gateway Fabric, and NGINX Instance Manager are also affected. Akamai deployed a rapid rule for its App and API Protector customers on May 18, but for the thousands of self-hosted NGINX deployments worldwide, the clock is ticking.

VI. MiniPlasma: The Patch That Was Not

The third vulnerability in this convergence is perhaps the most disturbing for what it says about the state of patching. Security researcher Chaotic Eclipse (also known as Nightmare Eclipse) released a proof-of-concept exploit for a Windows privilege escalation zero-day called MiniPlasma on May 17. The exploit targets cldflt.sys, the Windows Cloud Filter driver, and grants SYSTEM privileges on fully patched Windows 11 and Windows Server 2025 systems.

The disturbing part: this appears to be CVE-2020-17103, a vulnerability that was supposedly patched six years ago. Either the patch was never properly applied, or it was reversed at some point. The researcher's blog post states bluntly: "CVE-2020-17103 was apparently not patched or the patch was reversed, regardless this is the PoC for an LPE in cldflt.sys." The PoC was tested against fully patched systems and worked. Microsoft has not yet issued a patch.

This is a failure mode that should terrify every security team. A vulnerability disclosed, a patch issued, and somehow the fix never actually took effect - for six years. In that time, every audit that checked for CVE-2020-17103 would have shown it as "remediated." Every compliance framework would have ticked the box. And the vulnerability was there the entire time, waiting for someone to look.

VII. Storm-2949: The Identity-to-Cloud Chain

The same week, Microsoft published a detailed analysis of Storm-2949, a threat actor that turned a single compromised identity into a cloud-wide breach. The attack did not use malware or on-premises tactics. It leveraged legitimate cloud and Azure management features to gain control-plane and data-plane access, execute code remotely on VMs, and access sensitive cloud resources including Key Vaults and storage accounts.

The initial access vector was social engineering combined with abuse of Microsoft's Self-Service Password Reset process. The threat actor initiated SSPR on behalf of targeted users and then persuaded them to complete MFA prompts that appeared legitimate. Once the user approved, the actor reset the password, removed existing authentication methods, enrolled their own Microsoft Authenticator on a controlled device, and established persistent access.
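The SSPR-to-takeover chain above lends itself to a simple correlation rule. The following Python is an added example, not Microsoft's detection logic, that runs such a rule over constructed audit events whose activity names are illustrative stand-ins for Entra ID audit-log entries; the user list and 30-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Entra ID audit-log fields.
# The activity names are illustrative, not verbatim Microsoft strings.
SAMPLE_EVENTS = [
    # The chain the analysis describes: SSPR, reset, old methods removed,
    # attacker-controlled Authenticator enrolled, all within minutes.
    {"time": "2026-05-14T09:02:10Z", "user": "it-admin@example.test",
     "activity": "SSPR initiated"},
    {"time": "2026-05-14T09:03:45Z", "user": "it-admin@example.test",
     "activity": "Password reset completed"},
    {"time": "2026-05-14T09:04:30Z", "user": "it-admin@example.test",
     "activity": "Security info deleted"},
    {"time": "2026-05-14T09:05:12Z", "user": "it-admin@example.test",
     "activity": "Security info registered", "method": "Microsoft Authenticator"},
    # Ordinary SSPR: password changes, authentication methods untouched.
    {"time": "2026-05-14T11:20:00Z", "user": "alice@example.test",
     "activity": "SSPR initiated"},
    {"time": "2026-05-14T11:21:30Z", "user": "alice@example.test",
     "activity": "Password reset completed"},
    # Method change a day after a reset: outside the correlation window.
    {"time": "2026-05-14T10:00:00Z", "user": "bob@example.test",
     "activity": "Password reset completed"},
    {"time": "2026-05-15T10:00:00Z", "user": "bob@example.test",
     "activity": "Security info deleted"},
    {"time": "2026-05-15T10:01:00Z", "user": "bob@example.test",
     "activity": "Security info registered", "method": "Microsoft Authenticator"},
]

# Roles the actor singled out (IT staff, leadership); membership raises
# severity. Constructed list, to be fed from your directory in practice.
HIGH_VALUE_USERS = {"it-admin@example.test", "ceo@example.test"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_sspr_takeover(events, window=WINDOW):
    """Alert when a password reset is followed, within `window`, by removal
    of existing security info AND registration of new security info."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((_ts(ev["time"]), ev))
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda pair: pair[0])
        for i, (t_reset, ev) in enumerate(evs):
            if ev["activity"] != "Password reset completed":
                continue
            later = [e for t, e in evs[i + 1:] if t - t_reset <= window]
            acts = {e["activity"] for e in later}
            if {"Security info deleted", "Security info registered"} <= acts:
                alerts.append({
                    "user": user,
                    "reset_time": ev["time"],
                    "new_methods": [e.get("method", "?") for e in later
                                    if e["activity"] == "Security info registered"],
                    "severity": "high" if user in HIGH_VALUE_USERS else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in detect_sspr_takeover(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['user']}: reset at {a['reset_time']}, "
              f"methods removed and re-enrolled ({', '.join(a['new_methods'])})")
```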

Storm-2949 targeted IT personnel and senior leadership deliberately. After compromising accounts, they used a custom Python script to query Microsoft Graph API, enumerating users and applications based on name patterns and role attributes. They exfiltrated data from Microsoft 365, OneDrive, and SharePoint, focusing on IT documents concerning VPN configurations and remote access procedures - likely seeking lateral movement opportunities from cloud to endpoint.

The attack then pivoted to Azure, where compromised identities had privileged custom RBAC roles on multiple subscriptions. The message is clear: in the cloud era, identity is the perimeter, and a single compromised credential can unravel an entire organization.

VIII. The Defensive AI Strikes Back

But the week was not only about attacks. The defensive side of the AI equation made its own leap forward.

Google's Big Sleep, an AI agent developed by Google DeepMind and Google Project Zero, found the vulnerability that the criminal group planned to exploit before the attack was launched. The same report that documents the first AI-developed zero-day also documents the first AI-discovered pre-emptive defense. Big Sleep identified the exploit proactively, and Google worked with the affected vendor to patch it. Google also introduced CodeMender, an AI-powered agent that uses Gemini's reasoning capabilities to automatically fix critical code vulnerabilities.

Microsoft, meanwhile, announced its multi-model agentic scanning harness, codename MDASH. The system orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end. It found 16 new vulnerabilities across the Windows networking and authentication stack, including four critical remote code execution flaws in the Windows kernel TCP/IP stack and the IKEv2 service.

MDASH works in stages: a Prepare stage that ingests source and builds threat models; a Scan stage that runs specialized auditor agents; a Validate stage where debater agents argue for and against each finding; a Dedup stage that collapses equivalent findings; and a Prove stage that constructs and executes triggering inputs. The system scored 88.45% on the public CyberGym benchmark of 1,507 real-world vulnerabilities - the top score on the leaderboard, roughly five points ahead of the next entry.

On a 21-of-21 planted vulnerability test on a private driver, MDASH found every bug with zero false positives. On five years of confirmed MSRC cases in clfs.sys and tcpip.sys, it achieved 96% and 100% recall respectively. These are numbers that human auditing teams cannot match at any scale.

The strategic implication: AI vulnerability discovery has crossed from research curiosity into production-grade defense at enterprise scale. And the durable advantage, as Microsoft's team noted, lies in the agentic system around the model - the pipeline, the plugins, the validation stages - rather than any single model itself.

IX. Recursive Superintelligence: The $650 Million Bet on AI That Improves Itself

While offensive and defensive AI battled in the trenches, the financial bets on AI's future grew larger. Recursive Superintelligence Inc. launched on May 13 with $650 million in funding, led by Alphabet's GV fund and Greycroft, with participation from Nvidia and AMD's venture capital arm. The company, founded by former Salesforce Chief Scientist Richard Socher, is valued at $4.65 billion with roughly 25 employees.

The company's mission is to build recursive self-improving superintelligence: an AI model that can improve its own codebase, discover new knowledge like a human scientist, and then use those discoveries to build an even more capable version of itself. Socher described the approach as "an open-ended process of automated scientific discovery," where the model develops experiment ideas, tests them, and validates the results. It will focus initially on AI research itself, then expand to physics, chemistry, and pre-clinical biology.

Recursive Superintelligence is not alone in this vision. OpenAI's GPT-5.5 has already demonstrated the ability to develop more efficient parallelization methods that boosted token generation speeds by more than 20%. Alphabet designs its TPU accelerators with the help of neural networks trained on chip blueprints. Google DeepMind's AlphaEvolve, first introduced a year ago, is now optimizing TPU designs, improving Google Spanner's efficiency by 20%, helping Klarna double its model training speed, and enabling quantum circuits with 10x lower error on Google's Willow quantum processor.

The feedback loop is closing. AI that improves AI. Models that discover better architectures for models. Agents that find vulnerabilities and agents that patch them. The week of May 12-18, 2026, did not start this cycle. But it was the week the cycle became visible to everyone paying attention.

X. The Supply Chain: When the Tools Become Targets

The GTIG report also documents a supply chain attack campaign that should alarm every developer. A cybercrime group called TeamPCP claimed responsibility for multiple supply chain compromises of popular GitHub repositories and associated GitHub Actions in late March 2026, including Trivy, Checkmarx, LiteLLM, and BerriAI. The attackers gained initial access through compromised PyPI packages and malicious pull requests, then embedded credential-stealing malware to extract AWS keys and GitHub tokens from build environments. The stolen credentials were monetized through partnerships with ransomware and data theft extortion groups.

The compromise of LiteLLM is particularly significant. LiteLLM is an AI gateway utility used to integrate multiple large language model providers. Because it is widely deployed, the breach could expose AI API secrets across the software supply chain. GTIG notes that attackers who gain access to an organization's AI systems through compromised dependencies could leverage internal models to identify, collect, and exfiltrate sensitive information at scale, or perform reconnaissance to move deeper within the network.

And on top of everything else, CVE-2026-45321 documents a critical supply chain compromise in @tanstack packages via GitHub Actions misconfiguration - a 9.6 severity rating that illustrates how the build infrastructure itself has become a high-value target. The AI software ecosystem is now both a tool for attackers and a target.

XI. CSIRO's Vetra: Edge AI Gets Real Infrastructure

Buried under the security headlines, CSIRO launched Vetra on May 18, a new AI infrastructure platform designed to help robots and machines learn in real time. As AI moves from digital systems into the physical world - powering autonomous vehicles, industrial robots, and real-time decision systems - the demand for fast, trusted computing close to where decisions are made is growing exponentially.

Vetra addresses the edge computing bottleneck: the latency between a sensor detecting something and a remote cloud model responding. When a self-driving car needs to decide whether an object is a pedestrian or a shadow, it cannot wait for a round-trip to a data center. Vetra provides the infrastructure for AI models to run at the edge, with the trust and verification mechanisms needed for safety-critical applications.

This is the infrastructure layer that autonomous AI systems need to operate in the physical world. It is also the infrastructure that PROMPTSPY-style autonomous malware could exploit. The same edge computing that lets a factory robot avoid collisions could let an autonomous agent navigate device interfaces. The technology is dual-use by nature.

XII. The Policy Gap: Restricting Defense While Offense Scales

The most consequential meta-story of the week may be the policy contradiction exposed by the GTIG report. The Trump administration blocked the expansion of Anthropic's Mythos, the most powerful vulnerability-discovery AI ever built, even as the GTIG report documents criminal and state-sponsored actors using AI to find and exploit the same types of flaws that Mythos was designed to detect. The US government is simultaneously restricting access to defensive AI and facing an adversary landscape in which offensive AI is being deployed at industrial scale.

UK banks received their Mythos briefing within days of the European access crisis, illustrating the scramble among governments and financial institutions to gain access to AI security tools that can match the capabilities GTIG describes. Euro-area finance ministers convened to discuss the fact that no EU government had access to the most advanced vulnerability-discovery AI while state-sponsored actors from China, North Korea, and Russia were already using AI to find zero-days, generate autonomous malware, and attack the AI software supply chain.

Google's defensive AI, Big Sleep, proved that proactive discovery works. It found the exploit before deployment. But Big Sleep is proprietary to Google. The policy question is not whether defensive AI can match offensive AI. It is who gets access to the defensive AI, and whether the restrictions meant to prevent misuse end up preventing the very defense that keeps critical infrastructure safe.

XIII. The Timeline: One Week, Every Threshold

May 7: Google DeepMind publishes AlphaEvolve impact report - AI coding agent now optimizing TPU silicon, improving Spanner by 20%, enabling 10x lower quantum error rates
May 7: OpenAI releases new realtime voice models with reasoning, translation, and transcription capabilities
May 11: "Dirty Frag" exploit targets Linux kernel, building on Copy.Fail and Dirty Pipe techniques for root access
May 12: Microsoft announces MDASH agentic security system - 100+ specialized AI agents find 16 new Windows vulnerabilities including 4 critical RCE flaws
May 12: Isomorphic Labs (DeepMind spinoff) secures $2.1 billion funding to scale AI drug design engine
May 12: cPanel vulnerability CVE-2026-41940 actively exploited in backdoor campaign
May 13: Recursive Superintelligence raises $650M to build self-improving AI, valued at $4.65B with ~25 employees
May 15: CISA adds new exploited vulnerability to Known Exploited Vulnerabilities catalog
May 17: MiniPlasma Windows zero-day PoC released - CVE-2020-17103 patch apparently never took effect, still works on fully patched systems
May 18: Google GTIG report: first AI-developed zero-day identified, mass exploitation prevented by Big Sleep
May 18: NGINX Rift (CVE-2026-42945) - critical heap buffer overflow in rewrite module, unauthenticated DoS with potential RCE
May 18: Microsoft publishes Storm-2949 analysis - identity-to-cloud breach using legitimate Azure management features
May 18: CSIRO launches Vetra - edge AI infrastructure for real-time robot and machine learning

XIV. The Second-Order Effects

The immediate impact of these vulnerabilities is clear: patch your Linux kernels, update your NGINX configurations, audit your NGINX rewrite rules, check your Windows Cloud Filter driver status, review your Azure RBAC assignments, and enable MFA with hardware keys rather than push notifications. The technical guidance is straightforward.

The second-order effects are what matter.

The vulnerability discovery model has changed permanently. When AI can find logic flaws that traditional scanners miss - flaws rooted in developer intent rather than memory corruption - the entire CVE classification system needs updating. Semantic logic vulnerabilities are a new category, and the tools built to find buffer overflows and injection flaws will not catch them. Every organization that relies on automated scanning as its primary defense has a new blind spot.

The malware paradigm has shifted from scripts to agents. PROMPTSPY is not the last autonomous malware. It is the first. The Android Accessibility API gives the malware a structured view of the device, and the Gemini model gives it the reasoning to navigate that view. Replace Gemini with an offline model, replace the Android Accessibility API with a desktop automation framework, and you have a general-purpose autonomous attacker that does not need command-and-control infrastructure to operate. The C2 server becomes optional.

The supply chain is the new battleground. TeamPCP's compromise of LiteLLM, Trivy, and Checkmarx was not an attack on those tools. It was an attack on every organization that uses those tools to secure their own software. When the security tools are compromised, trust collapses. And when AI gateway tools are compromised, the attacker gains access to the API keys that connect organizations to every major LLM provider.

The policy gap is a strategic vulnerability. Restricting Anthropic's Mythos while Chinese, North Korean, and Russian state actors use AI for vulnerability research is the cybersecurity equivalent of disarming the fire department while the arsonists upgrade to flamethrowers. The GTIG report documents offensive AI use at industrial scale. Defensive AI needs to match that scale, not be constrained by policy frameworks that have not caught up with the threat landscape.

The self-improvement loop is real. Recursive Superintelligence is not just a startup. It is a $4.65 billion signal that the market believes AI can improve itself. AlphaEvolve is already doing it in production at Google. GPT-5.5 developed its own inference optimization. The question is not whether AI will get better at improving AI. It is whether the defensive applications will stay ahead of the offensive ones, or whether the same self-improvement capabilities that optimize TPU circuits and discover quantum error corrections will also optimize the search for exploitable flaws.

XV. What Comes Next

The week of May 12-18, 2026, will be studied in cybersecurity courses for years. Not because any single vulnerability was unprecedented, but because the convergence made the direction of travel undeniable. AI is now part of both the offensive and defensive toolkits, at production scale, deployed by state actors and criminal groups alike. The infrastructure that runs the internet - Linux kernels, NGINX web servers, Windows authentication - has multiple active vulnerabilities being exploited right now. The supply chain that delivers software is under sustained attack. And the self-improving AI that could change the balance is being built with billions of dollars in funding.

The machines are learning to break machines. Other machines are learning to stop them. The question is not who wins this round. It is whether the defensive side gets access to the same tools fast enough to matter. Because the offensive side is not waiting for permission.

Sources: Google Threat Intelligence Group GTIG Report (May 18, 2026); Akamai Security Intelligence Group NGINX Rift Advisory (May 18, 2026); Microsoft Security Blog MDASH Announcement (May 12, 2026); Microsoft Security Blog Storm-2949 Analysis (May 18, 2026); Schneier on Security Copy.Fail Analysis (May 12, 2026); Theori CVE-2026-31431 Disclosure (April 29, 2026); BleepingComputer MiniPlasma Report (May 17, 2026); SiliconANGLE Recursive Superintelligence Coverage (May 13, 2026); Google DeepMind AlphaEvolve Impact Report (May 7, 2026); CSIRO Vetra Announcement (May 18, 2026); CISA KEV Catalog Update (May 15, 2026); CVE-2026-45321 TanStack Supply Chain Advisory.