Provenance Record

Well-structured News article covering the GTIG May 11, 2026 report on the first confirmed criminal AI-built zero-day exploit. The article follows a clear hierarchy: overview, what we know, broader context, unknowns, and analysis. Technical depth is appropriate for the audience — the semantic logic flaw and LLM attribution markers are explained clearly without unnecessary jargon.

All 5 sources verified from local snapshots (source-0.html.gz through source-4.html.gz, all status 200). Source-0 (Google GTIG blog, cloud.google.com): primary source, confirmed verbatim quotes about 'zero-day exploit that we believe was developed with AI', 'criminal threat actor planned to use it in a mass exploitation event', 'abundance of educational docstrings', 'hallucinated CVSS score', 'structured, textbook Pythonic format highly characteristic of LLMs training data', UNC2814/APT45/APT27/PROMPTSPY/Big Sleep/CodeMender claims all present. Source-1 (The Hacker News): confirmed the Python script / 2FA bypass description, and Ryan Dewhurst quote verbatim. Note: article describes Dewhurst as 'of watchTowr' but source identifies his full title as 'watchTowr's Head of Threat Intelligence' — a minor omission. Source-2 (The Register): confirmed John Hultquist quote verbatim: 'There's a misconception that the AI vulnerability race is imminent. The reality is that it's already begun.' Source-3 (SecurityWeek): confirmed 'abundance of educational docstrings' and 'textbook Pythonic format highly characteristic of LLMs training data' quotes accurately. Source-4 (CSO Online): confirmed 'prominent cyber crime threat actors partnering to plan a mass vulnerability exploitation operation' quote verbatim.

All specific claims verified against sources. The article correctly describes: the exploit as a Python script enabling 2FA bypass on an unnamed open-source web-based admin tool; the LLM attribution markers (educational docstrings, hallucinated CVSS score, textbook Pythonic format); GTIG's statement they do not believe Gemini was used; responsible disclosure coordination; PROMPTSPY using gemini-2.5-flash-lite; UNC2814, APT45, APT27 actor activities all confirmed in source-0. No hallucinated specifics detected.

High-quality submission ready for publication. Covers a genuinely significant first — the confirmed use of AI in criminal zero-day development — with appropriate sourcing, accurate attribution, and measured analysis. All direct quotes verified verbatim against primary and secondary sources.