AI worm runs on infected machines and adapts to spread

Researchers built a proof-of-concept worm that runs AI models on compromised devices to find vulnerabilities, craft attacks and move across a network.

Researchers at the University of Toronto, the Vector Institute, the University of Cambridge and ServiceNow developed a proof-of-concept AI-powered worm that runs its own models on infected machines, identifies weaknesses, generates attack plans and spreads across a network without human control.

The experiment ran in an isolated virtual lab containing 33 devices running Linux, Windows and IoT software. The network was seeded with common vulnerabilities and the researchers carried out 15 autonomous runs. On average the worm found 31.3 vulnerabilities, compromised 23.1 hosts and spread to roughly 20 machines during seven days of operation. In some trials the code reached seven generations of self-replication.

Unlike many prior demonstrations, the prototype executed open-weight models locally on compromised hosts rather than contacting cloud AI services. As it moved, infected machines were used for inference and computation. The system also ingested newly published security advisories at runtime, allowing it to exploit flaws disclosed after the model’s training cutoff.

The authors described the key difference from traditional worms as the ability to change tactics for each target. The researchers wrote, “We must prepare for autonomous generative adversaries,” and explained that the worm reasons about targets, adapts to observations and synthesises attack logic in real time.

Before releasing the preprint, the team removed some technical details from the manuscript to limit the risk of misuse. Tests were run in a controlled environment to measure capabilities and behaviours rather than to produce an operational weapon.

The paper places the work alongside past outbreaks such as ILOVEYOU and WannaCry and recent supply-chain incidents. The authors noted that agent-like behaviour and dynamic exploit selection create detection challenges that differ from signature-based threats.

The researchers reported that signature detection would struggle against a worm that alters code paths and exploit choices. They urged investment in behavioural detection tuned to patterns of autonomous agents, including repeated reconnaissance, dynamic exploit generation, lateral movement and redistribution of compute tasks across compromised hosts.
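A sketch of what such behavioural correlation could look like, added here as an illustration and not taken from the paper or the researchers' tooling. The event schema, thresholds and host names are all constructed assumptions: a host is flagged only when it shows at least two of the behaviours named above, and large transfers between flagged hosts are chained to estimate propagation generations.

```python
from collections import defaultdict

# Assumed thresholds, to be tuned against a site's own baseline.
SCAN_FANOUT = 20            # distinct peers probed by one host
INFER_MINUTES = 15          # sustained high CPU/GPU from an unapproved process
XFER_BYTES = 1_000_000_000  # payload large enough to carry model weights

def scans(start, host, n):
    """Build n constructed connection-attempt events for one host."""
    return [(start + i, host, "scan", f"peer-{i:02d}", 0) for i in range(n)]

# Constructed telemetry: (minute, host, kind, peer, value).
EVENTS = (
    scans(1, "ws-01", 25) + scans(80, "srv-07", 22) + scans(130, "iot-03", 21)
    + scans(5, "scanner-01", 30)                            # approved vuln scanner
    + [(40, "ws-01", "infer", None, 25), (70, "ws-01", "xfer", "srv-07", 4_200_000_000),
       (75, "srv-07", "infer", None, 30), (120, "srv-07", "xfer", "iot-03", 4_200_000_000),
       (125, "iot-03", "infer", None, 20),
       (50, "backup-01", "xfer", "nas-02", 5_000_000_000)]  # routine backup job
)

def behaviours(events):
    """Map each host to the set of agent-like behaviours it exhibited."""
    peers, seen = defaultdict(set), defaultdict(set)
    for _, host, kind, peer, value in events:
        if kind == "scan":
            peers[host].add(peer)
            if len(peers[host]) >= SCAN_FANOUT:
                seen[host].add("recon")
        elif kind == "infer" and value >= INFER_MINUTES:
            seen[host].add("local_inference")
        elif kind == "xfer" and value >= XFER_BYTES:
            seen[host].add("redistribution")
    return seen

def suspects(events, min_behaviours=2):
    """Hosts showing a combination of behaviours, not just one in isolation."""
    return {h for h, b in behaviours(events).items() if len(b) >= min_behaviours}

def generations(events):
    """Propagation depth per suspect, following large transfers in time order."""
    bad, depth = suspects(events), {}
    for _, host, kind, peer, value in sorted(events, key=lambda e: e[0]):
        if kind == "xfer" and value >= XFER_BYTES and host in bad and peer in bad:
            depth.setdefault(host, 0)
            depth.setdefault(peer, depth[host] + 1)
    return depth

if __name__ == "__main__":
    print(sorted(suspects(EVENTS)), generations(EVENTS))
```

Requiring a combination of signals keeps the approved scanner and the backup job out of the result, since each shows only one behaviour on its own.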

The study does not demonstrate a real-world attack. The authors called for coordinated action across research, security teams, industry and policymakers on evaluation frameworks, monitoring of network behaviour and regulatory approaches that address inference on decentralized open-weight models.
