
AI-Driven Zero-Day Factories Reshape Software Supply Chain Defenses
AI agents are accelerating zero-day discovery in core libraries like FFmpeg and pressuring vendors like Google, signaling a shift that demands faster supply-chain patching and raises risks of adversarial adoption.
The depthfirst AI agent's discovery of 21 latent zero-days in FFmpeg, spanning parsers untouched since 2003, marks not an isolated breakthrough but the operationalization of autonomous security research at industrial scale. At roughly $1,000 per run against 1.5 million lines of C, the approach compresses what once required months of expert fuzzing and manual triage into hours, and it lands on a volunteer-maintained library embedded in media pipelines, container images, and edge devices.

Google's concurrent Chrome 149 release, which addressed 429 vulnerabilities including more than 100 rated critical or high, shows the same pressure from the vendor side: even a well-resourced program is adapting its bug bounty to filter AI-generated noise, while its internal teams still account for most high-impact finds. The pattern matches earlier autonomous efforts, including Google's Big Sleep agent surfacing FFmpeg issues, Anthropic's Mythos model extracting a 16-year-old H.264 flaw, and a recent authenticated RCE discovery in Redis. A February study on the Linux kernel points the same way: agents reproduced proof-of-concept exploits for more than half of 100 N-day bugs, outperforming traditional fuzzing.

What the original coverage underplays is the dual-use trajectory. The techniques that let defenders scale also lower the barrier for state and criminal actors targeting the software supply chain, and FFmpeg's ubiquity in RTSP and AV1 ingestion paths puts critical infrastructure on the wrong side of that asymmetry. Two practical consequences follow. First, a fix in upstream FFmpeg does not reach most deployments on its own: the library is commonly statically linked or vendored into applications and container images, so each downstream consumer has to locate its copy, rebuild, and redeploy. Second, patching velocity must now match machine speed, or legacy code paths will remain persistent attack surfaces long after the reports are public.
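The first step in matching that patching velocity is knowing where FFmpeg actually sits in your own supply chain. As an added example (not code from the cited reporting, the depthfirst project, or FFmpeg itself), the script below walks a CycloneDX JSON SBOM, recognises FFmpeg and its libav* component libraries under distro and generic package names, normalises distro-style version strings (epoch and revision stripped) to the upstream release, and flags anything below a minimum version. The SBOM entries and the minimum version `7.1.1` are constructed placeholders for illustration, not real fix data; substitute the upstream release named in the actual advisory.

```python
"""Inventory FFmpeg exposure from a CycloneDX SBOM.

Added example, not taken from the article's sources or from FFmpeg.
The SBOM content and ASSUMED_MIN_VERSION are constructed placeholders.
"""
import json
import re
from typing import List, Optional, Tuple

# Names under which FFmpeg ships: the binary and its component libraries.
FFMPEG_NAMES = {"ffmpeg", "libavcodec", "libavformat", "libavutil",
                "libavfilter", "libswscale", "libswresample", "libavdevice"}

# Placeholder floor; replace with the upstream release that carries the fix.
ASSUMED_MIN_VERSION = "7.1.1"

# Constructed sample SBOM: a distro libavformat package, a vendored ffmpeg
# binary pinned to an old release, an unrelated library, and a current libavcodec.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libavformat60", "version": "7:6.1.1-3ubuntu5",
         "purl": "pkg:deb/ubuntu/libavformat60@7:6.1.1-3ubuntu5?arch=amd64"},
        {"type": "application", "name": "ffmpeg", "version": "4.4.2",
         "purl": "pkg:generic/ffmpeg@4.4.2"},
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3"},
        {"type": "library", "name": "libavcodec-dev", "version": "7.1.1",
         "purl": "pkg:generic/libavcodec@7.1.1"},
    ],
})


def parse_version(raw: str) -> Tuple[int, ...]:
    """'7:6.1.1-3ubuntu5' -> (6, 1, 1); 'n7.1' -> (7, 1).

    Epoch and distro revision are dropped because upstream FFmpeg fixes are
    cut on upstream releases. Caveat: a distro revision may backport the fix
    without bumping the upstream version, so a flag here is a lead to check
    against the distro advisory, not a confirmed vulnerable build.
    """
    v = raw.split(":", 1)[-1]            # drop Debian/RPM epoch
    v = v.split("-", 1)[0].lstrip("n")   # drop distro revision, git 'n' tag prefix
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare version tuples, padding the shorter one with zeros (6.1 == 6.1.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def ffmpeg_base_name(name: str) -> Optional[str]:
    """Map 'libavformat60' or 'libavcodec-dev' to its libav* base name, else None."""
    base = re.sub(r"\d+$", "", name.split("-")[0].lower())
    return base if base in FFMPEG_NAMES else None


def find_ffmpeg_components(sbom_json: str, minimum: str) -> List[dict]:
    """Return FFmpeg-family components whose upstream version is below `minimum`."""
    doc = json.loads(sbom_json)
    floor = parse_version(minimum)
    flagged = []
    for comp in doc.get("components", []):
        base = ffmpeg_base_name(comp.get("name", ""))
        if base is None:
            continue
        ver = parse_version(comp.get("version", ""))
        if version_lt(ver, floor):
            flagged.append({"name": comp["name"], "base": base,
                            "version": ".".join(map(str, ver)),
                            "purl": comp.get("purl", "")})
    return flagged


if __name__ == "__main__":
    for hit in find_ffmpeg_components(SAMPLE_SBOM, ASSUMED_MIN_VERSION):
        print(f"{hit['name']:<18} {hit['version']:<8} below {ASSUMED_MIN_VERSION}  {hit['purl']}")
```

Run against real SBOMs (for example the output of an image scanner in CycloneDX format) and feed the flagged purls into whatever rebuild pipeline owns each image; entries from `pkg:deb` or `pkg:rpm` purls should be cross-checked against the distribution's own advisory before being treated as unpatched, for the backport reason noted in the code.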
SENTINEL: Autonomous agents will flood open-source projects with findings faster than maintainers can respond, creating exploitable windows that nation-state actors are already positioned to weaponize.
Sources (3)
- [1] Primary source: https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html
- [2] Related source: https://security.googleblog.com/2025/04/adapting-bug-bounty-for-ai-era.html
- [3] Related source: https://arxiv.org/abs/2502.04567