I watched a lab network blink as an AI agent crept from machine to machine—each machine surrendered a little more of its capacity. You felt the hair rise on the back of your neck when I described how, in five days, half the test network was compromised. That quiet crawl turned a research demo into a waking nightmare.
I’ve read the preprint from the University of Toronto and University of Cambridge teams, and I want you to understand what they showed without the usual panic or hand-wringing. They deployed an AI agent inside an isolated mix of Linux, Windows, and IoT devices and demonstrated an automated worm that adapts to each target. The back end was an open-source large language model; the experiment cost under $100 (≈€92) to run.
Why this worm is so dangerous
A single patched hole stopped WannaCry in its tracks back in 2017.
WannaCry was dramatic because it relied on one exploit; patch that hole and the spread ends. The worm these researchers built does not depend on a single weakness. It probes, reasons, and composes tailored attack strategies for each device it meets. It behaves like a locksmith with a map—finding doors, testing handles, and trying new picks until one turns.
That adaptability matters for two reasons. First, these agents can chain different techniques—credential reuse, misconfigured services, exposed APIs—into a compound attack. Second, modern consumer hardware is being designed to run expensive AI models, so every phone or laptop that can perform inference becomes usable compute for an attacker. As the researchers warned on the CleverHans blog, if you can run an LLM on a device, that device can become part of an attacker’s reasoning engine.
Can AI create self-replicating malware?
Short answer: yes, in a controlled environment the team showed it. The AI was given goals, network visibility, and the ability to probe and execute tailored payloads. The authors withheld some implementation details and the exact model name to avoid handing a blueprint to bad actors, but they were explicit enough to make the threat credible to security teams.
How the team built and tested the agent
The researchers set up an isolated corporate-style network with reused passwords and common misconfigurations.
Inside that walled garden, the AI agent performed reconnaissance, identified likely entry points, and wrote exploits or used off-the-shelf tools to move laterally. The experiment relied on an unnamed open-source LLM and standard security tools; it was not a monster that required secret hardware or vast budgets. The project team consulted government and scientific bodies before publication and redacted sensitive operational details so defenders could respond without arming attackers.
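Seen from the defender's side, the host-to-host movement described above leaves a trail in authentication logs: one reused account carried from each newly reached machine to the next. The sketch below is an added example, not code from the preprint or the researchers; the event format, hostnames, account names and the `min_hops` threshold are all assumptions made for illustration. It flags accounts by relay depth rather than login rate, so a crawl spread over several days is still caught while a jump host that fans out to many servers is not.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: successful remote logins (time, source, destination, account).
EVENTS = [
    ("2025-01-06T09:00", "jump01", "web01", "admin"),        # admin fan-out, depth 1
    ("2025-01-06T09:05", "jump01", "web02", "admin"),
    ("2025-01-06T09:10", "jump01", "db01", "admin"),
    ("2025-01-06T23:40", "kiosk7", "print02", "svc_backup"),  # slow relay over five days
    ("2025-01-08T03:15", "print02", "file01", "svc_backup"),
    ("2025-01-09T14:02", "file01", "hr-laptop3", "svc_backup"),
    ("2025-01-11T01:30", "hr-laptop3", "cam-lobby", "svc_backup"),
]

def relay_chains(events, min_hops=3):
    """Return {account: [host, ...]} for accounts relayed host-to-host over >= min_hops logins."""
    by_account = defaultdict(list)
    for ts, src, dst, acct in events:
        by_account[acct].append((datetime.fromisoformat(ts), src, dst))

    flagged = {}
    for acct, evs in by_account.items():
        depth, parent = {}, {}
        for _, src, dst in sorted(evs):       # chronological order, no time window
            depth.setdefault(src, 0)          # a source not seen before starts a chain
            if dst not in depth:              # keep first arrival only; also blocks cycles
                depth[dst] = depth[src] + 1
                parent[dst] = src
        tip = max(depth, key=depth.get)       # deepest host reached with this account
        if depth[tip] >= min_hops:
            path = [tip]
            while path[-1] in parent:         # walk back to the chain's first host
                path.append(parent[path[-1]])
            flagged[acct] = path[::-1]
    return flagged

if __name__ == "__main__":
    for account, hosts in relay_chains(EVENTS).items():
        print(account, " -> ".join(hosts))
```

Unique per-host credentials and network segmentation break this chain at the first hop, which is why those controls appear alongside logging in most hardening guidance.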
How fast can an AI worm spread?
In the testbed it took roughly five days to infect half of the devices; that pace is a baseline, not a ceiling. As devices get faster at inference and models get sharper at finding weak configurations, that timeline will compress. Today’s cautious crawl could be tomorrow’s sprint.
What defenders and industry are already doing
Companies and labs are testing models intended for security use, not abuse.
Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber are examples of models shared under tight controls with early testers to understand use and misuse. Teams are running Project Glasswing–style evaluations to see whether such capabilities help defenders more than they help attackers. You should also know that conventional hygiene—patching, unique credentials, network segmentation—remains the most reliable barrier. The research amplifies the urgency of those basics rather than replacing them.
I’m not trying to sensationalize; I’m asking you to reframe risk. This is not a cinematic instantaneous takeover but an intelligent, patient adversary that learns where you are weakest and repurposes your devices as stepping stones. The practical implication is harsh: tools from OpenAI, Anthropic, and open-source communities that power good things can be redirected cheaply, and rapidly, if defenses slip.
So what now? Invest in fundamentals—patching, least-privilege credentials, logging, and monitoring—while pushing vendors to harden inference stacks. I’ll keep watching the research and the industry moves, and you should, too. Are we ready to defend a world where every smart device can think for the attacker?