University of Toronto researchers published a proof-of-concept, adaptive "AI worm" that autonomously identifies and exploits known vulnerabilities across diverse devices, according to a University of Toronto press release and an arXiv preprint. The prototype uses publicly accessible, open-weight large language models to reason about each target and to generate tailored exploitation code; it also siphons compute from compromised machines to host its reasoning workload, per the arXiv paper and press coverage in Fortune and Engadget. In closed-lab simulations the worm compromised a large fraction of a 33-machine corporate testbed: the arXiv-linked reporting cites a 73.8% exploitation rate after seven days, while Fortune reports that across 15 runs the prototype on average breached nearly three-quarters of machines and established a permanent presence on about two-thirds. The team says they released findings after redaction and lab confinement, quoting Nicolas Papernot on safety precautions.
What happened
The University of Toronto and collaborators released a proof-of-concept adaptive AI worm, documented in an arXiv preprint titled "AI Agents Enable Adaptive Computer Worms" and described in a University of Toronto press release. Per the arXiv-linked reporting, the prototype uses publicly available, open-weight large language models to autonomously identify device-specific vulnerabilities and generate exploitation steps. The researchers ran the worm inside a secure, air-gapped digital lab; per the arXiv reporting cited by multiple outlets, the prototype achieved a 73.8% compromise rate in an isolated test network after seven days. Fortune additionally reports the team ran the experiment 15 times, finding the worm on average breached nearly three-quarters of machines and established a persistent foothold on roughly two-thirds.
Technical details
The publicly reported prototype combines reconnaissance, automated exploit generation, and local model hosting. According to the arXiv preprint and press coverage, the agent queries open-weight LLMs at runtime to reason about each target, pulls fresh vulnerability advisories from public sources, and synthesizes custom attack code. Multiple outlets report the worm also offloads model execution by siphoning CPU/GPU cycles from infected hosts to reduce attacker marginal cost, a behavior described in the technical writeup and summarized in coverage by Engadget and Fortune. The prototype, as reported, currently targets known and publicized vulnerabilities rather than discovering zero-day flaws; Fortune and Engadget note it can read and act on new advisories in real time.
Industry context
Editorial analysis: Reporting by DarkReading, Fortune, and others places this work in a broader trend where open-weight models and agentic toolchains lower the technical barrier for automated offensive tooling. DarkReading documents coordinated research by the University of Toronto, the Vector Institute, the University of Cambridge, and industry partners such as ServiceNow; BeyondTrust researchers are also reported to be exploring similar PoC capabilities. Security practitioners quoted in coverage, for example, Kinnaird McQuade at BeyondTrust (via DarkReading) and Gary McGraw (via Fortune), characterize agentic worms as an emergent risk that could accelerate exploitation and lateral movement if weaponized by malicious actors.
Limitations and safeguards in the published work
What the sources report: the team conducted experiments in a closed environment and redacted actionable details before release, per the University of Toronto announcement and the paper's public version. Multiple outlets emphasize the PoC currently exploits known vulnerabilities and relies on public advisories and open-weight models rather than proprietary, closed models that have unfettered internet access. Coverage also highlights that the research intent, as expressed in the University of Toronto material, was to help defenders understand potential future threats.
What to watch
For practitioners: Industry observers should monitor three strands of activity, phrased as observable indicators rather than predictions: increased scanning activity that couples reconnaissance with LLM-driven exploit synthesis; reports of malware that persistently re-hijacks patched hosts by finding alternate vectors; and abuse of compromised hosts for model execution, which would show up as anomalous CPU/GPU scheduling and unusual lateral-model traffic. Editorial analysis: defenders and detection-tool vendors will likely prioritize telemetry for process injection, on-host resource anomalies, and atypical outbound access to vulnerability-advisory feeds, because those are the observable behaviors the reporting links to the prototype.
Broader significance
Editorial analysis: The public demonstrations and reporting make clear that accessible LLMs change the attacker cost structure for automating exploit discovery and tailored attacks. While the current PoC does not claim zero-day discovery capability, industry reporting frames the work as a wake-up call: open-weight models plus agentic toolchains lower the bar for autonomous, adaptive malware and therefore raise the importance of layered telemetry and rapid patch management across heterogeneous device fleets.
Quotations from sources
The University of Toronto press material quotes lead author Nicolas Papernot: "It was imperative for us to understand this threat in a controlled, academic setting before bad actors figured it out for themselves." ITSecurityNews cites Mike Wilkes, CISO at Aikido Security: "We can comfortably presume that if someone acting as a defender in the infosec community has come up with this idea, then someone in the attacker world has also set such tooling in motion."
Scoring Rationale #
This demonstration introduces a plausible new class of automated, adaptive malware that leverages open-weight LLMs. It materially raises detection and threat-modeling priorities for security teams, making it highly relevant to practitioners and vendors.
Practice interview problems based on real data
1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with.