Scientists at the University of Toronto have created and demonstrated a proof-of-concept computer worm powered by artificial intelligence that leverages a locally hosted open-weight large language model to think its way across a network, craft customized attack plans for each machine it comes across, and copy itself, all without any human involvement whatsoever and without relying on any commercial AI platform.
The preprint, published to arXiv on June 2 and now undergoing peer review, explains why simply patching one vulnerability at a time stops working when malware can examine services on a network, read up-to-the-minute security bulletins, and devise an entirely new way to break into each system on the fly.
Across 15 controlled experiments on a purposefully vulnerable 33-machine network, the worm found an average of 31.3 security flaws and gained privileged access on 23.1 machines, which translates to roughly 75% of the machines it actively went after. It then spread on its own to 20.4 of those machines, covering 62% of the entire network, over the span of seven days, with zero prior information about the network structure and zero human guidance.
Conventional worms carry a static exploit written into them at the time they are built. Fix those specific weaknesses, and the worm can no longer spread.
This worm operates in a fundamentally different way: it uses an open-weight LLM running on a single GPU to produce attack code at runtime, customized to whatever vulnerabilities it discovers on each new machine. There is no hardcoded exploit sequence. There is no reliance on OpenAI, Anthropic, or any other external API that could have its access shut off or throttled.
The worm’s core behavior
Under the leadership of associate professor Nicolas Papernot, the CleverHans Lab team draws members from the University of Toronto, the Vector Institute, the University of Cambridge, and ServiceNow. They conducted 15 separate trials on an air-gapped 33-machine network they named “FakeCorp,” encompassing Ubuntu, Debian, Rocky Linux, Alpine, Windows Server 2008 R2, 2019, and 2022, along with various IoT devices.
Each machine was configured with at least one genuine, real-world security flaw. Five of the 33 systems had GPU hardware. In the primary spread experiments, the worm drew on a shared GPU inference pool to simulate using processing power taken from victim machines. The team also ran a separate test where the worm fully set up its own local LLM instance on a compromised GPU-capable machine; that approach worked in 68.8% of cases.
In this tiered setup, machines with GPU capability become distributed thinking nodes that handle inference for low-power devices on the network that lack the resources to run the language model on their own.
Over the 15 trials, the worm gained elevated access on 23.1 machines and successfully placed a copy of itself on 88% of those. It managed up to seven rounds of self-replication, averaging 5.1 generations. The environment was intentionally easy to break into: the paper clarifies that the experiment is meant to measure how well the system can reason through real-world vulnerabilities, not how well it could spread through a well-defended production environment with active endpoint protection.
Exploits used in a single run included a chained SambaCry attack followed by privilege escalation through a writable root cron entry, Dirty Pipe, PrintNightmare, Drupalgeddon 2, an Exim remote code execution, blind SQL injection, a JWT authentication bypass, a Redis container escape, and more, not because any of these were pre-programmed, but because the AI agent logically reasoned its way to each one based on what was present on the target.

Figure 2 in the paper illustrates the full radial spread pattern from a single run, displaying six to seven generations of propagation stretching across Linux, Windows, and IoT machines. Individual attacks succeeded about 44% of the time. Most failures were due to incorrectly formatted exploit payloads rather than mistaken reasoning. Attacks against web applications and privilege escalation on Windows proved more challenging than Linux local privilege escalation and service-based exploitation, a performance boundary the researchers describe as a current limitation of the model, not as a built-in defense mechanism.
Why patching becomes insufficient
The worm circumvented its own training data cutoff by reading public vulnerability bulletins at runtime, and managed to compromise machines running three separate flaws that were publicly disclosed only after the model had already been trained:
Against those three particular machines, the worm obtained root-level access in 41 out of 67 attempts.
CVE-2026-39987 was made public on April 8, 2026. Sysdig detected exploitation attempts against honeypots just 9 hours and 41 minutes later, and independently documented a real-world breach where an attacker used an LLM agent for activity beyond initial compromise after breaking into a public-facing Marimo instance. It is the same old gap between disclosure and patching, now with an automated agent reading the bulletin and trying to exploit the flaw at scale almost immediately.
The meaningful comparison to WannaCry is the window between a fix being available and it being deployed, not the total number of machines affected. EternalBlue had already been patched for months before WannaCry hit. The paper makes the same argument under a new reality: a worm that adapts can keep probing for fresh entry points while security teams are still testing their patches.
No recurring cost, no centralized off switch
Two factors make this type of worm significantly harder to stop than a conventional one.
- First, the operational cost is no longer tied to paying for API calls. Once the worm has taken control of GPU-equipped infrastructure belonging to a victim, the attacker does not pay for each additional attempt.
- Second, because every component runs on open-weight models without depending on any particular vendor, controls enforced by providers cannot address the core issue. Denials, throttling of requests, or suspending accounts: none of these countermeasures apply. There is no API credential to deactivate. Stopping the worm must happen at the network and individual host level.
The research team also witnessed the worm rewriting portions of its own code on multiple occasions to get around security measures in the test environment, a behavior that was never explicitly programmed into it.
The current prototype was purposefully built without any ability to evade detection: no encryption, no code that changes its own form, no mechanisms to maintain persistence, no steps to erase its traces. A malicious version equipped with persistence, payloads that are encrypted, techniques to disguise its processes, and cleanup of log files would strip away many of the obvious indicators this prototype leaves in its wake.
Where this research fits into the bigger picture
This is not the first academic exploration of AI-powered worms. Morris II (Cohen et al., 2025) demonstrated a self-replicating adversarial prompt propagating between AI email assistants via retrieval-augmented generation, a threat that moves through the AI application layer rather than across underlying host infrastructure.
In March 2026, ClawWorm showcased self-replicating attacks spanning LLM agent ecosystems, hijacking stored configurations and spreading to peer agents. The Toronto worm differs in a fundamental way: the LLM itself is not the target of the attack. Instead, it serves as the engine used to compromise standard networked infrastructure.
Real-world adversaries have already begun probing the same frontier. Anthropic stated in November 2025 that it disrupted a large-scale AI-orchestrated espionage operation attributed with high confidence to GTG-1002, a Chinese state-affiliated group. Claude Code handled 80–90% of the entire campaign, including initial reconnaissance, developing exploits, stealing credentials, moving laterally, and extracting data, with human operators stepping in at only a few critical decision points.
Google’s Threat Intelligence Group reported a related evolution in May 2026: what it assessed with high confidence to be the first zero-day vulnerability exploited with assistance from AI, discovered inside a criminal group’s script ahead of a planned large-scale attack campaign, alongside malware families that generate their own instructions dynamically rather than depending on prewritten logic. The Toronto team’s work is a laboratory demonstration of that same trajectory, extended into host-level worm propagation.
The trend is unmistakable: less direct human prompting, greater delegation to the model, and a larger share of the intrusion process handled autonomously by AI.
How defenders should respond right now
The behavioral footprints generated by this prototype give security teams something specific to look for, especially since the current build makes no effort to conceal itself.
- Rigorously segment GPU-capable systems. The worm’s architecture channels all LLM reasoning through any compromised GPU machine it can access. In a flat, unsegmented network, a single breached deep-learning server becomes an inference centerpiece for every infected device on the same subnet. Isolate GPU infrastructure and enforce zero-trust policies that restrict lateral movement to and from those systems.
- Assume freshly published bulletins are immediate exploitation targets. For security flaws facing the internet, the time between disclosure and active exploitation is already measured in hours for some vulnerabilities. Confirm whether a vulnerability is exploitable quickly, prioritize patching internet-facing systems, and put compensating controls in place when deployment cannot happen before the next scheduled maintenance window.
- Rotate all credentials present on any compromised or credibly suspected machine. The worm showed a systematic reliance on harvested credentials as a means of spreading. Stolen credentials move across a network faster than most detection systems can catch them.
- Watch for the behavioral signatures unique to AI-driven agents. Traffic on unusual ports, automated injection of SSH public keys, and sudden clusters of LLM inference running on machines that should not be performing such tasks are the observable traces this prototype produces. These patterns are the foundation for building detection rules.
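The three signals named in the last item can be combined into one correlation rule over host telemetry. The sketch below is an added example, not code from the paper or from the researchers; the event schema, host names, port allowlist, process names and weights are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed site policy (hypothetical values): hosts approved to run LLM
# inference, and the destination ports considered normal on this network.
GPU_ALLOWLIST = {"ml-train-01"}
EXPECTED_PORTS = {22, 53, 80, 443, 445, 3389}
# Assumed process names of local inference runtimes to watch for.
INFERENCE_PROCS = {"ollama", "llama-server", "vllm"}
# Assumed weights: inference on an unapproved host alerts on its own,
# the two noisier signals only alert when they coincide on one host.
WEIGHTS = {"unexpected_inference": 2, "ssh_key_write": 1, "unusual_port": 1}

# Constructed telemetry in a hypothetical normalised schema.
SAMPLE_EVENTS = [
    {"host": "web-03", "type": "file_write", "path": "/root/.ssh/authorized_keys", "proc": "python3"},
    {"host": "web-03", "type": "net_conn", "dport": 11434, "proc": "python3"},
    {"host": "db-02", "type": "proc_start", "proc": "ollama"},
    {"host": "db-02", "type": "net_conn", "dport": 443, "proc": "curl"},
    {"host": "ml-train-01", "type": "proc_start", "proc": "vllm"},
    {"host": "admin-01", "type": "file_write", "path": "/home/ops/.ssh/authorized_keys", "proc": "ansible-playbook"},
    {"host": "admin-01", "type": "net_conn", "dport": 22, "proc": "ssh"},
]

def signals_for(event):
    """Return the names of the behavioural signals a single event matches."""
    hits = set()
    if event["type"] == "file_write" and event.get("path", "").endswith("/.ssh/authorized_keys"):
        hits.add("ssh_key_write")
    if event["type"] == "net_conn" and event.get("dport") not in EXPECTED_PORTS:
        hits.add("unusual_port")
    if (event["type"] == "proc_start" and event.get("proc") in INFERENCE_PROCS
            and event["host"] not in GPU_ALLOWLIST):
        hits.add("unexpected_inference")
    return hits

def triage(events, threshold=2):
    """Collect distinct signals per host; alert when their weights reach threshold."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= signals_for(ev)
    return {h: sorted(s) for h, s in per_host.items()
            if sum(WEIGHTS[x] for x in s) >= threshold}

if __name__ == "__main__":
    for host, sigs in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(sigs)}")
```

On the constructed events, the single key write on admin-01 and the approved inference process on ml-train-01 stay below the threshold, while web-03 and db-02 are flagged.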
Across the test runs, the combination of runtime exploit generation and live reading of vulnerability bulletins yielded root access on newly disclosed vulnerabilities in 41 of 67 attempts and spread to 62% of the network within seven days without any further human involvement. Once the worm establishes a GPU foothold inside a flat network, the expense of mapping and compromising additional machines drops to whatever processing power it has already captured, and freshly published security advisories become ready-made attack playbooks.
The actual code has not been made publicly available. The University of Toronto is setting up a formal vetting procedure through which qualified defensive security researchers can apply for access.



