The Thing Protecting You Is Now the Target


The AI tools we've all been pushed to adopt — to move faster, be more productive, stay on top of the game — that's now our attack surface. Well done, everyone.

The Tech Villain
May 16, 2026


I want to be precise about what’s happened this week, because the headlines are doing that thing where they gesture at something enormous and then move on before you’ve actually understood it.

The first zero-day ever written by AI just showed up in the wild.

Not in a lab. Not in a research paper. In an actual exploitation campaign, targeting real systems. Google’s Threat Intelligence Group confirmed it on Monday: an unknown threat actor used a language model to discover and write a Python exploit that bypasses two-factor authentication on a popular open-source web administration tool. The code had all the hallmarks of LLM output: clean structure, educational comments and, brilliantly, a hallucinated CVSS score the AI invented for itself… nice, isn’t it?

The flaw it found was a semantic logic error.

A hard-coded trust assumption buried in the code.

The kind of subtle mistake that a tired human reviewer skips over and an LLM, having ingested millions of code examples, spots immediately.

This is the milestone people (including myself) have been predicting and quietly dreading: AI as an active participant in attack operations.

You’ve probably already been on the receiving end of something like this.

That LinkedIn job offer last month, written in suspiciously good prose, using your actual job title and your company’s real product names. The phishing email that passed every spam filter because, for once, it was genuinely well-written.

These aren’t flukes. IBM’s 2026 X-Force Threat Index confirmed AI-driven attacks are escalating across the board.

We just haven’t built the vocabulary to describe them yet.

We call them “sophisticated phishing” when what we mean is “AI-authored scams… at scale.”

The general sentiment among developers and security practitioners right now isn’t panic. It’s a very specific kind of fatigue. The r/cybersecurity community spent the first half of 2026 relitigating the same point: the old vulnerabilities never got patched. AI didn’t break anything that wasn’t already broken. It just lowered the bar for exploiting what was already there. Same shit. Less effort.

That’s the uncomfortable truth behind the Google disclosure. The attack worked not because AI is magic, but because the target had a logic flaw that nobody had bothered to fix. The mean time from CVE publication to working exploit is now roughly 10 hours in 2026, down from 56 days in 2024. AI didn’t create that problem. It accelerated it to the point where human response times are structurally incompatible with the threat.


But here’s where I want to push back on the “nothing new” framing, because something genuinely is new.

Up until recently, AI was the weapon pointed at you. What’s shifted is that AI has also become the target — and that’s a categorically different problem.

Think about what your AI tools actually have access to. Your codebase. Your credentials. Internal conversations. Customer data. Agent frameworks sitting on top of your entire stack with read-write access to half your infrastructure. That’s not a productivity tool. That’s the most valuable thing in your environment to compromise.

This week, a fake model on Hugging Face impersonating OpenAI’s newly released Privacy Filter model hit number one trending on the platform — 244,000 downloads and 667 likes in 18 hours before it was pulled. It was infostealer malware: screenshots, Discord tokens, crypto wallets, browser credentials, the lot. Dressed in OpenAI branding, copying the real model card verbatim. HiddenLayer’s research linked it to Silver Fox, a Chinese threat actor previously distributing ValleyRAT. Six additional malicious repos using the same loader were found. The attack hit the AI supply chain — the model marketplace itself — because that’s where engineers now go with their guard down.

And it’s not just model repos. Ollama — the local LLM framework with 171,000 GitHub stars — disclosed a critical CVSS 9.1 vulnerability this week (“Bleeding Llama”, CVE-2026-7482) that allows a remote, unauthenticated attacker to read the entire server process memory. API keys. System prompts. Conversation data. Affecting over 300,000 exposed servers globally.
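The post describes the fake Hugging Face model only at the level of "infostealer with a loader", so the following is an added example of the defender-side check that the model-marketplace problem calls for, not code from the page, from Hugging Face or from HiddenLayer. Most legacy PyTorch weight formats are pickle streams, and a pickle stream can name any importable object; this scanner walks the opcode stream with the standard library's `pickletools` (never unpickling, so nothing executes) and reports every module the file would import, flagging ones a tensor file has no business referencing. The sample files, the suspicious-module list, the suffix list and the function names are all constructed assumptions for the example.

```python
import pickle
import pickletools
import subprocess
from pathlib import Path

# Modules a weights file never needs. An import of any of these from a pickle
# stream is a strong signal the file carries loader/payload logic. (Constructed
# list; tune for your own environment.)
SUSPICIOUS_MODULES = {
    "os", "nt", "posix", "subprocess", "sys", "builtins", "socket", "shutil",
    "runpy", "importlib", "ctypes", "webbrowser", "base64", "codecs",
}
# Artifact names that are pickle streams under the hood. safetensors files are
# a JSON header plus raw tensor bytes and are deliberately not scanned here.
PICKLE_SUFFIXES = {".bin", ".pt", ".pth", ".pkl", ".pickle", ".ckpt"}

# Constructed samples: a harmless state-dict-like object, and a stream that
# merely *references* subprocess.getoutput. pickle.dumps only records the
# name; nothing is called, here or in the scanner.
SAMPLE_BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]})
SAMPLE_SUSPICIOUS = pickle.dumps(subprocess.getoutput)


def pickle_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the stream would import, found via the
    GLOBAL/INST opcodes (inline "module name" operand) or STACK_GLOBAL (module
    and name are the two strings pushed before it, possibly via the memo)."""
    found: list[tuple[str, str]] = []
    strings: list[str] = []        # string values pushed so far, in order
    memo: dict[int, object] = {}    # memo slot -> last value pushed before MEMOIZE/PUT
    last_push = None
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in ("GLOBAL", "INST"):
            module, _, attr = arg.partition(" ")
            found.append((module, attr))
            last_push = None
        elif name == "STACK_GLOBAL":
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            last_push = None
        elif name == "MEMOIZE":
            memo[len(memo)] = last_push
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last_push
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last_push = memo.get(arg)
            if isinstance(last_push, str):
                strings.append(last_push)
        else:
            last_push = arg
            if isinstance(arg, str):
                strings.append(arg)
    return found


def scan_pickle(data: bytes) -> list[tuple[str, str]]:
    """Globals from suspicious modules; a stream that cannot be parsed is
    reported rather than silently accepted."""
    try:
        refs = pickle_globals(data)
    except (ValueError, EOFError) as exc:
        return [("<unparseable>", str(exc))]
    return [(m, n) for m, n in refs if m.split(".")[0] in SUSPICIOUS_MODULES]


def scan_artifacts(artifacts: dict[str, bytes]) -> dict[str, list[tuple[str, str]]]:
    """Scan an in-memory {filename: bytes} map; only pickle-suffixed names are inspected."""
    return {
        name: scan_pickle(blob)
        for name, blob in artifacts.items()
        if Path(name).suffix in PICKLE_SUFFIXES
    }


def scan_model_dir(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan a downloaded model directory before anything in it is loaded."""
    files = {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return scan_artifacts(files)


if __name__ == "__main__":
    report = scan_artifacts({"pytorch_model.bin": SAMPLE_SUSPICIOUS, "clean.pt": SAMPLE_BENIGN})
    for fname, hits in report.items():
        print(fname, "FLAGGED" if hits else "clean", hits)
```

Run this over a fresh download before the first `torch.load`, and treat any hit as a stop, not a warning. A scanner like this catches the loader pattern the post describes; it does not vouch for the publisher, so pair it with an allowlist of organisations you actually pull from and a preference for safetensors-only repositories.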

I’ve been saying this for two years and I’ll say it again.

We built all of this fast, at scale, as productivity tooling. Nobody treated it like infrastructure. No threat modelling. No security review gates. The assumption was: this is internal, this is ours, this is fine.

Attackers have noticed that the AI layer is now the most exposed thing in the stack. Of course they have. And every vendor currently...
