Cleartext – May 11, 2026
Monday, May 11, 2026·8:17
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 8 stories across 5 topic areas, including: Cyber Espionage Group Targets Aviation Firms to Steal Map Data; Google spotted an AI-developed zero-day before attackers could use it; AI tool poisoning exposes a major flaw in enterprise agent security.
Stories Covered
🌍 Geopolitical
Cyber Espionage Group Targets Aviation Firms to Steal Map Data
Dark Reading · May 11 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Aerospace and defense CISOs face a targeted espionage campaign exfiltrating GIS, terrain, and GPS data—a reminder that adversaries increasingly target operational data assets beyond traditional PII and IP theft.
- An espionage group is quietly compromising aerospace and drone operators
- The campaign exfiltrates GIS files, terrain models, and GPS data
- Targets suggest state-level intelligence collection for strategic military or geopolitical advantage
📡 Macro Trends
Google spotted an AI-developed zero-day before attackers could use it
CyberScoop · May 11 · Relevance: █████████░ 9/10
Why it matters to CISOs: This is the first documented case of criminals using AI to develop a novel zero-day exploit, signaling a fundamental shift in the threat landscape that CISOs must factor into risk models and defensive investment strategies.
- Google Threat Intelligence Group identified a zero-day exploit likely generated using AI by a prominent cybercrime group
- The exploit targeted a popular open-source web administration tool and bypassed two-factor authentication via a semantic logic error
- Google detected the exploit before it could be used at scale and coordinated disclosure with the vendor
AI tool poisoning exposes a major flaw in enterprise agent security
VentureBeat Security · May 10 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: As enterprises deploy AI agents that autonomously select tools from shared registries, CISOs need to understand this new attack surface where tool impersonation and metadata manipulation can compromise agent behavior without touching traditional defenses.
- AI agents select tools from shared registries based on natural-language descriptions with no human verification
- Tool registry poisoning spans selection-time threats (impersonation, metadata manipulation) and execution-time threats (behavioral drift, runtime violations)
- CoSAI secure-ai-tooling repository acknowledged the issue as multiple distinct vulnerabilities across the tool lifecycle
🔓 Data Breach
UK water company allowed hackers to lurk undetected for nearly two years, regulator finds
The Record (Recorded Future) · May 11 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A £963,900 ICO fine for a nearly two-year dwell time underscores regulatory expectations around detection capabilities for critical infrastructure operators and the financial consequences of inadequate monitoring.
- ICO fined South Staffordshire Water £963,900 ($1.3M) for the Cl0p ransomware breach
- Attackers lurked undetected for nearly two years before personal data of 633,887 customers and employees was published
- Regulatory enforcement signals rising accountability standards for detection and response timelines
Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads
The Hacker News · May 11 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: With 244K downloads of a trojanized AI model on Hugging Face, CISOs must urgently address supply chain risks in ML/AI model repositories, which are becoming the new software supply chain attack vector for enterprises adopting AI.
- Malicious repository impersonating OpenAI's Privacy Filter model reached #1 trending on Hugging Face with 244K downloads
- Delivered a Rust-based information stealer targeting Windows users
- Highlights growing AI/ML supply chain risks as enterprises accelerate AI model adoption
⚖️ Governance & Policy
New cybersecurity industry alliance aims to lead US critical infrastructure protection
Cybersecurity Dive · May 11 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The new Alliance for Critical Infrastructure could reshape public-private coordination and crisis planning frameworks, directly affecting how CISOs at CI organizations plan for and respond to major cyber incidents.
- A new industry alliance (ACI) has been formed to change how the U.S. plans for major cybersecurity crises
- Focus is on critical infrastructure cybersecurity coordination between government and private sector
- Could influence future regulatory requirements and incident response standards
US: FCC Relaxes Foreign-Made Router Ban to Allow for Security Updates
Infosecurity Magazine · May 11 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: CISOs managing network infrastructure with foreign-made routers or drones now have clarity that security patches can continue to be applied, reducing the risk of unpatched devices becoming attack surfaces due to regulatory ambiguity.
- FCC relaxed its ban on foreign-made routers to permit security updates to continue
- The same extension applies to security updates for foreign-made drones used in the US
- Balances national security supply chain concerns with the practical need to patch deployed equipment
🚨 Critical Vulnerability
Dirty Frag: Linux kernel hit by second major security flaw in two weeks
The Record (Recorded Future) · May 11 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A second local privilege escalation flaw in the same Linux kernel subsystem within two weeks—disclosed without a patch—demands immediate attention from CISOs with Linux server and container infrastructure to assess exposure and implement compensating controls.
- Second major Linux kernel privilege escalation vulnerability ('Dirty Frag') disclosed in two weeks, in the same code area as Copy Fail
- Allows any basic user account to seize full administrative control
- Disclosed without a patch available, increasing urgency for compensating controls
Further Reading
- 🌍 Cyber Espionage Group Targets Aviation Firms to Steal Map Data — Dark Reading
- 📡 Google spotted an AI-developed zero-day before attackers could use it — CyberScoop
- 📡 AI tool poisoning exposes a major flaw in enterprise agent security — VentureBeat Security
- 🔓 UK water company allowed hackers to lurk undetected for nearly two years, regulator finds — The Record (Recorded Future)
- 🔓 Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads — The Hacker News
- ⚖️ New cybersecurity industry alliance aims to lead US critical infrastructure protection — Cybersecurity Dive
- ⚖️ US: FCC Relaxes Foreign-Made Router Ban to Allow for Security Updates — Infosecurity Magazine
- 🚨 Dirty Frag: Linux kernel hit by second major security flaw in two weeks — The Record (Recorded Future)
Full Transcript
Jordan: For the first time in history, a cybercrime group didn't write their zero-day. They had AI write it for them. Google caught it before it deployed at scale. This time. Think about what happens next time.
Alex: Welcome to Cleartext. It's Monday, May 11th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Here's what we're covering today: AI-generated exploits are no longer theoretical. A UK water utility just learned what two years of undetected dwell time costs you—in fines and in trust. There's a new Linux kernel privilege escalation flaw, and there's no patch yet. And the AI supply chain is actively being weaponized. Let's get into it.
Alex: We're leading with the Google story because frankly it deserves the top spot. Google's Threat Intelligence Group identified a zero-day exploit that researchers believe was generated using AI by a prominent cybercrime group. The target was a popular open-source web administration tool. The mechanism was a semantic logic error that bypassed two-factor authentication. And the artifacts in the code were consistent enough with AI generation that Google's team flagged it explicitly. They coordinated disclosure before it could be deployed at scale.
Jordan: Let me be direct about what this means structurally. The barrier to zero-day development just dropped. Historically, a novel exploit required deep expertise, time, and significant resources. That kept the population of capable threat actors relatively constrained. AI changes that calculus. You don't need to understand the vulnerability deeply if the model can find the semantic gap for you. What you need is access to the model and motivation. Cybercrime groups have both.
Alex: From a CISO perspective, the immediate question is: how does this change your risk model? The honest answer is that it accelerates the timeline between vulnerability existence and weaponization. You've always had a window between patch release and exploitation. That window was already shrinking. This shrinks it further—and potentially opens windows for vulnerabilities that haven't been disclosed yet.
Jordan: The thing that keeps me up about this specific case isn't the exploit itself. It's the detection story. Google caught it. Their threat intel infrastructure is world-class. Most organizations aren't running Google-grade detection. The question for your environment isn't whether AI-generated exploits are coming. It's whether you'd see them when they arrive.
Alex: Budget implication worth flagging here: if your threat intel capability is thin, this is the argument you bring to your board for investment. Not "AI is scary"—that's noise. The argument is that the exploit development cycle is compressing in a documented, measurable way, and your detection posture needs to keep pace.
Jordan: Let's stay in the AI space because there's a second story that connects directly. The Hugging Face incident. A malicious repository impersonating OpenAI's Privacy Filter model hit number one trending on the platform with 244,000 downloads. It was delivering a Rust-based information stealer to Windows users.
Alex: Two hundred and forty-four thousand downloads before it was caught. That's not a near-miss. That's a successful campaign operating at scale. And this is exactly the supply chain risk that most enterprise AI governance programs aren't accounting for. Teams are pulling models from public registries the same way developers pulled packages from npm five years ago. We know how that story went.
Jordan: The parallel to the software supply chain attacks of 2020 and 2021 is exact. The attack surface is the same—trust in a shared public registry—and the stakes are potentially higher because models are being integrated into production workflows with significant data access. Your TDIR capability for PyPI packages doesn't automatically extend to Hugging Face.
Alex: If you haven't had the conversation with your AI engineering teams about model provenance controls, this is the story you forward today. Not as alarm, as evidence.
Jordan: Third AI-adjacent story: tool poisoning in AI agent environments. As enterprises deploy autonomous AI agents that select tools from shared registries based on natural language descriptions, attackers are exploiting the fact that no human is verifying whether those descriptions are accurate. The CoSAI project formally acknowledged this as multiple distinct vulnerability classes spanning both selection time and execution time.
Alex: This one is less acute today but more consequential over the next eighteen months. If you're in early stages of agentic AI deployment—and most large enterprises are—your security architecture needs to account for the fact that these agents can be manipulated through the metadata of the tools they invoke, not just through the agents themselves. Traditional perimeter and endpoint controls don't see this.
Jordan: Governance and access control for tool registries. That's the ask. Get it into your AI deployment standards now before the footprint grows.
Alex: Now to the breach that should be required reading for every critical infrastructure CISO. South Staffordshire Water was fined £963,900 by the ICO this week for the Cl0p ransomware breach that exposed data on 633,887 individuals. The headline number isn't the fine. The headline number is the dwell time: nearly two years.
Jordan: Nearly. Two. Years. That's not a detection gap. That's an absence of detection capability. And the ICO's enforcement action makes clear that regulators are no longer treating extended dwell time as an operational embarrassment. They're treating it as evidence of negligent security posture, and they're pricing it accordingly.
Alex: For your board conversations, here's the reframe. The question isn't "were we breached?" The question regulators are asking is "how quickly would you know?" Mean time to detect is now a regulatory variable, not just an operational metric. If you can't answer that question with specificity, you have exposure—before any breach occurs.
Jordan: And this is a water utility operating critical infrastructure. The regulatory pressure on that sector is only increasing. The ACI story today—the new Alliance for Critical Infrastructure—is worth watching in this context. A new industry coalition forming to reshape how the US plans for major cyber crises. If you're in CI, this is the body that may shape your incident response obligations in 18 to 24 months. Get someone in the room.
Alex: Dirty Frag. Let's talk about it. Second major Linux kernel privilege escalation vulnerability in two weeks, found in the same subsystem as Copy Fail last month. Any local user account can achieve full root access. No patch available at time of disclosure.
Jordan: The no-patch status is what drives urgency on compensating controls. Prioritize restricting local account access on exposed Linux systems. Review which systems allow interactive login that don't need to. Container environments with shared kernels are exposed. Cloud workloads running Linux—which is most cloud workloads—need to be assessed for this. This isn't theoretical.
Alex: And two critical findings in the same subsystem in two weeks suggests the researchers are actively auditing that code area. Expect more disclosures. Make sure your vulnerability management team has this on the radar.
Jordan: Quick note on the FCC router ruling—they relaxed the foreign-made router ban to allow security updates to continue. Practically speaking, if you were holding off on patching TP-Link or DJI-adjacent network equipment because of regulatory ambiguity, that ambiguity is resolved. Patch your devices.
Alex: And briefly on the aviation espionage campaign—an unattributed group is targeting aerospace and drone operators to exfiltrate GIS files, terrain models, and GPS data. If you're in that sector, this is state-level collection, and the target is your operational data, not your PII. Your data classification model needs to treat geospatial and telemetry data as the high-value target it clearly is.
Jordan: The week's throughline is this: the offense is automating. AI-generated exploits, AI-assisted social engineering, AI-poisoned supply chains. The defenders who close the gap fastest are the ones who treat AI investment in security tooling and detection as urgent, not aspirational.
Alex: The organizations still running detection programs built for 2022 threat models are going to feel the gap in 2026. The board conversations need to reflect that urgency. Threat velocity is not a marketing phrase anymore. It's a documented, measurable reality as of this week.
Jordan: What I'm watching: how quickly other threat intel organizations confirm AI-generated exploits in the wild following the Google disclosure. If this becomes a pattern—and I expect it to—the velocity argument gets a lot easier to make to skeptical board members.
Alex: Watch the ICO enforcement trend as well. The South Staffordshire fine won't be the last. European regulators are setting a template that UK enforcement is following. If you have EU or UK operations, your detection and response SLAs are now effectively regulatory compliance requirements.
Jordan: That's Cleartext for Monday, May 11th. Show notes and links to every story we discussed today are at cleartext.fm.
Alex: We're back Wednesday. Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-11.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.