{"slug": "autonomous-llm-agent-worms", "title": "Autonomous LLM Agent Worms", "summary": "Researchers have demonstrated the first autonomous worm capable of propagating across multiple large language model agent frameworks without human interaction, using persistent agent memory and scheduled task states to re-infect systems. The worm, developed using automated source-code analysis and payload optimization tools, achieved zero-click cross-platform transmission, privilege escalation, and data exfiltration across three production agent systems. The team also introduced a formal defense framework, RTW-A, that blocks the persistence and re-entry attack chain while preserving normal agent workflows.", "body_md": "# Computer Science > Cryptography and Security\n\n[Submitted on 4 May 2026]\n\n# Title:Autonomous LLM Agent Worms: Cross-Platform Propagation, Automated Discovery and Temporal Re-Entry Defense\n\n[View PDF](/pdf/2605.02812)\n\n[HTML (experimental)](https://arxiv.org/html/2605.02812v1)\n\nAbstract:Autonomous LLM agents operate as long-running processes with persistent workspaces, memory files, scheduled task state, and messaging integrations. These features create a new propagation risk: attacker-influenced content can be written into persistent agent state, re-enter the LLM decision context through scheduled autoloading, and drive high-risk actions including configuration changes and cross-agent transmission. We present the first systematic framework for automated analysis of persistent worm propagation in file-backed multi-agent LLM ecosystems. SSCGV, our automated source-code graph analyzer, traces data flow from file I/O to LLM context injection points and ranks carriers by context injection position without manual analysis. SRPO, our summary-resilient payload optimizer, generates worm payloads robust to LLM-mediated summarization and paraphrasing across multi-hop communication. Evaluated on three production agent frameworks, we demonstrate zero-click autonomous propagation, 3-hop cross-platform transmission without platform-specific adaptation, inter-agent privilege escalation, and data exfiltration. We identify two empirical insights: user prompt carriers achieve higher attack compliance than system prompt carriers, and read operations represent the primary integrity threat in LLM-mediated systems. To defend against this class of attacks, we develop RTW-A, proven under a formal No Persistent Worm Propagation theorem. RTW blocks write-before-exposed-read re-entry; sealed configuration protects static files; typed memory promotion prevents untrusted summaries from entering trusted memory; and capability attenuation limits high-risk actions after external reads. These mechanisms eliminate the persistence, re-entry, action chain while preserving ordinary workflows. Affected systems are anonymized pending coordinated disclosure.\n\n### References & Citations\n\nLoading...\n\n# Bibliographic and Citation Tools\n\nBibliographic Explorer\n\n*(*[What is the Explorer?](https://info.arxiv.org/labs/showcase.html#arxiv-bibliographic-explorer))\nConnected Papers\n\n*(*[What is Connected Papers?](https://www.connectedpapers.com/about))\nLitmaps\n\n*(*[What is Litmaps?](https://www.litmaps.co/))\nscite Smart Citations\n\n*(*[What are Smart Citations?](https://www.scite.ai/))# Code, Data and Media Associated with this Article\n\nalphaXiv\n\n*(*[What is alphaXiv?](https://alphaxiv.org/))\nCatalyzeX Code Finder for Papers\n\n*(*[What is CatalyzeX?](https://www.catalyzex.com))\nDagsHub\n\n*(*[What is DagsHub?](https://dagshub.com/))\nGotit.pub\n\n*(*[What is GotitPub?](http://gotit.pub/faq))\nHugging Face\n\n*(*[What is Huggingface?](https://huggingface.co/huggingface))\nScienceCast\n\n*(*[What is ScienceCast?](https://sciencecast.org/welcome))# Demos\n\n# Recommenders and Search Tools\n\nInfluence Flower\n\n*(*[What are Influence Flowers?](https://influencemap.cmlab.dev/))\nCORE Recommender\n\n*(*[What is CORE?](https://core.ac.uk/services/recommender))# arXivLabs: experimental projects with community collaborators\n\narXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.\n\nBoth individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.\n\nHave an idea for a project that will add value for arXiv's community? [ Learn more about arXivLabs](https://info.arxiv.org/labs/index.html).", "url": "https://wpnews.pro/news/autonomous-llm-agent-worms", "canonical_source": "https://arxiv.org/abs/2605.02812", "published_at": "2026-05-30 12:05:44+00:00", "updated_at": "2026-05-30 12:16:36.594967+00:00", "lang": "en", "topics": ["large-language-models", "ai-agents", "ai-safety", "ai-research", "artificial-intelligence"], "entities": ["SSCGV", "SRPO"], "alternates": {"html": "https://wpnews.pro/news/autonomous-llm-agent-worms", "markdown": "https://wpnews.pro/news/autonomous-llm-agent-worms.md", "text": "https://wpnews.pro/news/autonomous-llm-agent-worms.txt", "jsonld": "https://wpnews.pro/news/autonomous-llm-agent-worms.jsonld"}}