Technical description
Researchers from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow demonstrated a proof-of-concept computer worm that uses open-weight LLMs to generate tailored attack strategies for each target it encounters. Unlike traditional worms with fixed exploit code, this worm runs parasitically on compute stolen from already-compromised machines to sustain its reasoning, synthesising attack logic in real time for networks spanning Linux, Windows, and IoT devices. The attacker's marginal cost per new infection is zero. Because the worm does not rely on commercial AI platforms, centralised safety controls such as service refusals and rate limiting are structurally irrelevant.
Attack vector
Initial compromise of a network host gives the worm access to the host's compute, which it uses to run open-weight LLMs locally. The worm then reasons about the vulnerabilities available on adjacent hosts, exploiting common corporate-network vulnerabilities, adapts its approach per target, and propagates autonomously without human operator involvement. The attack requires no commercial API access.
Affected systems
Enterprise networks with heterogeneous OS environments (Linux, Windows, IoT); any network with GPU or model-serving nodes is particularly at risk as these provide high-value stolen compute that can amplify the worm's reasoning capacity.
Mitigation
Network segmentation isolating GPU and model-serving nodes; least-privilege administration with restricted lateral-movement paths; egress controls on model-serving endpoints; detection rules for anomalous agent/tool-execution patterns and unusual inter-host communication from compute-intensive nodes; development and testing of incident-response playbooks for AI-enabled malware. The research team has withheld operational details and is working with the University of Toronto and Government of Canada entities on responsible disclosure and access controls for the implementation.
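
One way to express the detection rule for unusual inter-host communication from compute-intensive nodes, as an added example that is not from the research team or the original page. The node addresses, allow-list, port set, fan-out threshold and flow-log format are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed inventory and policy (constructed values, not from the page).
GPU_NODES = {"10.20.0.11", "10.20.0.12"}        # GPU / model-serving hosts
ALLOWED_PEERS = {"10.20.0.5", "10.20.0.6"}      # e.g. load balancer, storage
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}  # SSH, RPC, SMB, RDP, WinRM
FANOUT_THRESHOLD = 3                            # distinct peers per window

# Constructed flow records, one per line: "epoch_seconds src dst dst_port".
SAMPLE_FLOWS = """\
1700000000 10.20.0.11 10.20.0.5 443
1700000010 10.20.0.11 10.30.1.4 22
1700000020 10.20.0.11 10.30.1.7 445
1700000030 10.20.0.11 10.30.1.9 3389
1700000040 10.20.0.12 10.30.1.4 22
1700000050 10.30.1.4 10.30.1.7 22
not-a-timestamp 10.20.0.11 10.30.1.8 22
1700000900 10.20.0.12 10.20.0.6 22
"""

def parse_flows(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def detect(text, window=300):
    """Flag GPU nodes initiating admin-protocol flows to non-allow-listed peers."""
    buckets = defaultdict(set)  # (src, window index) -> set of destination hosts
    for ts, src, dst, port in parse_flows(text):
        if src in GPU_NODES and dst not in ALLOWED_PEERS and port in ADMIN_PORTS:
            buckets[(src, ts // window)].add(dst)
    alerts = []
    for (src, idx), peers in sorted(buckets.items()):
        # Any such flow deserves review; fan-out to several peers is escalated.
        severity = "high" if len(peers) >= FANOUT_THRESHOLD else "review"
        alerts.append({"src": src, "window_start": idx * window,
                       "peers": sorted(peers), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

In practice the allow-list would be derived from the segmentation policy for the GPU and model-serving segment, so that the rule and the egress controls enforce the same boundary.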