TL;DR: Google’s Threat Intelligence Group released a report on May 11 confirming that hackers used AI tools (including OpenClaw) to develop a zero-day exploit for a planned “mass exploitation event.” Google says it intercepted the attack before deployment. The same report names OpenClaw and OneClaw as the agentic tools threat actors are using to refine vulnerability payloads. State-linked groups in China and North Korea are involved. Anthropic delayed its Mythos model in April over the same fears. OpenAI rolled out GPT-5.5-Cyber to a vetted-only audience the same week. The AI agent stack just officially became a weapons platform. Best for: anyone running open-source AI agents in production. Not ideal for: anyone who told their boss agentic AI was “just another tool.”
A criminal group was assembling a zero-day exploit using AI agents. They were planning to deploy it at scale. Google says it caught them first.
This is the moment the AI agent conversation stops being theoretical.
Google’s Threat Intelligence Group (report here) confirmed on Monday that it has “high confidence” attackers used an AI model to find and weaponize a zero-day vulnerability that bypassed two-factor authentication. The plan was a “mass vulnerability exploitation operation.” The tools named in the report include OpenClaw and OneClaw. The threat actor’s name wasn’t disclosed.
The story barely cracked the front page on most tech sites.
What the Report Actually Says
Three things matter here.
First, this is the first publicly confirmed case of an AI-generated zero-day used in a real attack planning operation. Not a research demo. Not a red team exercise. A criminal group used agentic AI tools to find a software flaw nobody knew existed, build a working exploit for it, and prepare to fire it at companies, government agencies, and infrastructure at scale. Google’s team caught the prep work before launch.
Second, the agentic AI tools named in the report are the same ones thousands of developers have been installing on personal machines for months. OpenClaw passed 130K stars on GitHub. OneClaw is its sibling fork. Both are positioned as “open-source autonomous coding agents.” Both can read code, write code, exploit code. The difference between “find a bug and fix it” and “find a bug and weaponize it” is the prompt you give it.
Third, state-linked threat actors from China and North Korea are now actively experimenting with these tools, per coverage of the Google report. Google’s team documented threat actor “TeamPCP” (also known as UNC6780) claiming responsibility for supply chain compromises of GitHub repositories tied to Trivy, Checkmarx, LiteLLM, and BerriAI. The pattern: poison the supply chain that everyone trusts, then use the trusted tool to drop the payload.
This is what happens when the same agent that ships your code also has the keys to your CI/CD pipeline.
The Mythos Connection Nobody Will Say Out Loud
Anthropic pulled the rollout of its Mythos model in April over exactly this fear. The internal memo said the model could be used to identify and prey on decades-old software vulnerabilities at scale. The White House got involved. Tech leaders got pulled into meetings.
Anthropic then released Mythos to a select group of testers anyway: Apple, CrowdStrike, Microsoft, and Palo Alto Networks. Four companies. All vendors with massive security operations. Mythos doesn’t ship to the public because the public can’t be trusted with it.
Meanwhile, OpenClaw is on every developer’s laptop.
Anthropic locked down a model that could automate vulnerability discovery. The open-source community shipped one anyway. And the consequence isn’t theoretical anymore: Google’s report says criminal groups are already using it.
The pattern repeats. Closed-source labs build a thing, get scared, lock it up. Open-source builds the same thing six months later, ships it freely, and someone with bad intent uses it inside a week. The labs aren’t being precious. They’re being correct.
Why the Agent Stack Changes the Threat Model
Pre-agent AI was a static threat. A model could draft a phishing email or write malware code, but a human still had to glue all the pieces together. The work scaled with the attacker’s time.
Agent stacks remove the human bottleneck. An agent can scan a target, find an exposed service, identify a candidate vulnerability, write the proof-of-concept exploit, test it in a sandbox, refine the payload, and deploy. All on one prompt, overnight and all without a human watching.
OpenClaw was designed for legitimate development workflows. The same primitives that make it good at building software make it good at breaking software. The skill packages, the multi-step planning, the persistent memory, the tool calling. Those are all features for a developer trying to ship a product. They’re also features for an attacker trying to compromise one.
The control surface that nobody has built yet is the supervisor. There’s no commercial product today that can sit between an agent and its tool calls and reliably distinguish “this agent is auditing for vulnerabilities” from “this agent is building an exploit.” The intent lives in the prompt and the runtime context. The tool call looks the same either way.
What OpenAI and Anthropic Did the Same Week
OpenAI rolled out GPT-5.5-Cyber to vetted cybersecurity teams in a limited preview. Not the public. Not the API. A whitelist of approved buyers.
Anthropic kept Mythos in the same posture. Four named partners.
Both companies are building cyber-capable models, both are gating access through enterprise contracts and vetted partner lists and both are leaving the open-source ecosystem to deal with the consequences of having shipped equivalent tools to anyone who can install npm packages.
That’s not hypocrisy. That’s the new compliance regime. The major labs have figured out that “models powerful enough to do cyber work” are also “models with regulatory liability if misused.” So they’re routing those capabilities through partners with security clearances and audit trails. The open-source equivalents don’t have any of that overhead, which is why they ship faster and end up in threat reports.
What This Means for Everyone Else
If you run any AI agent in production, your supply chain just got a new attacker. Skill packages are the obvious vector. Malicious packages masquerading as legitimate OpenClaw skills have already been documented dropping RATs (Remcos and GhostLoader specifically) into running agents. Your agent installs a skill, the skill executes arbitrary code inside your agent’s permission boundary, the attacker now has whatever your agent had access to.
Audit every skill package your agent uses. Pin versions. Check signatures. Treat skill installation like installing any other untrusted code, because that’s what it is.
If you’re using OpenClaw or OneClaw in any internet-exposed configuration, check the public exposure dashboards. SecurityScorecard’s DECLAWED tool tracks reachable instances. The number is in the tens of thousands.
If you’re a developer who’s been telling clients “agentic AI is just a productivity tool,” your sales pitch needs a footnote now. The same agent that fixes bugs can build exploits. The same skill that automates a workflow can run a payload. The threat model changed under your feet.
What This Means
Google’s report is the document the AI safety crowd has been writing white papers about for two years. The thing the labs were warning about, scaled, weaponized, and pointed at production. It happened in May 2026 and the industry took roughly twelve hours to move on to the next funding round announcement.
The next time someone in a board meeting asks whether agentic AI is “safe enough to deploy,” the answer is no longer abstract. There’s a Google threat report with names in it.
And the names are the tools your developers have already installed.
