Vulnerability  ·  2026-06-05

Agentic AI Worms Using Open-Weight LLMs on Stolen Compute Propagate Across Linux/Windows/IoT Without Commercial AI Platform — Centralized Safety Controls Structurally Bypassed

Vulnerability · High impact · Global
Researchers from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow published a pre-print on arXiv (2606.03811) demonstrating, for the first time, a self-sustaining AI-driven computer worm that generates tailored attack strategies at runtime for each target it encounters. Unlike traditional worms with fixed exploit code, the malware parasitically executes open-weight LLMs on already-compromised hosts to sustain its reasoning chain and generate target-specific attack logic. The worm was deployed in a controlled virtual network spanning Linux, Windows, and IoT devices and successfully propagated by exploiting common real-world corporate network vulnerabilities. Since the worm runs on stolen compute, the attacker's marginal cost per infection is zero — creating an asymmetric economic threat for defenders.
The worm runs open-weight LLMs on each newly compromised machine to reason about the next target, adapt its attack strategy to host-specific conditions, and synthesise new attack logic in real time. Because it requires no commercial AI platform — and therefore no API key, rate limit, or vendor safety filter — centralized safety controls (service refusals, content moderation, rate-limiting) are structurally irrelevant to the threat model. Researchers disclosed the threat to multiple Government of Canada entities before publication and deliberately withheld operational implementation details.
Any enterprise network with mixed OS environments (Linux, Windows, IoT) that relies on patching a known vulnerability set to stop worm propagation is exposed. Traditional worm-containment playbooks (patch the exploited CVE) are insufficient because this class of worm reasons about targets adaptively and can exploit a changing set of vulnerabilities. Environments running open-weight models internally for AI workloads may expose additional compute for worm use.
No patch exists for this class of threat — it is a fundamental capability shift. Recommended controls: (1) network segmentation to limit lateral movement between heterogeneous OS environments; (2) host-based anomaly detection tuned to detect unusual LLM inference workloads on servers not designated for AI compute; (3) restrict internet egress and block download of open-weight model weights from worker-class hosts; (4) conduct purple-team exercises that assume worm propagation does not require a fixed exploit signature. Researchers will open-source the test environment (not the worm implementation) upon peer-reviewed publication.
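One host-side check that supports controls (2) and (3), as an added example that is not from the paper or this advisory: sweep a filesystem for model weight files identified by content rather than by extension, and report them only on hosts not designated for AI compute. The GGUF and safetensors formats, the host name `gpu-train-01`, and the 100 MiB size threshold are assumptions chosen for illustration.

```python
import os
import struct

GGUF_MAGIC = b"GGUF"                    # first four bytes of a GGUF weight file
DESIGNATED_AI_HOSTS = {"gpu-train-01"}  # constructed allowlist; use your own inventory

def weight_format(head: bytes, size: int):
    """Classify a file by its leading bytes: 'gguf', 'safetensors' or None."""
    if head[:4] == GGUF_MAGIC:
        return "gguf"
    # safetensors: little-endian u64 JSON-header length, then the JSON object itself
    if len(head) >= 9 and head[8:9] == b"{":
        (hdr_len,) = struct.unpack("<Q", head[:8])
        if 2 <= hdr_len <= size - 8:
            return "safetensors"
    return None

def find_weight_files(root: str, min_size: int = 100 * 1024 * 1024):
    """Walk root and return sorted (path, format, size) for likely model weights.

    min_size is an assumed threshold: real weight files are large, so small
    files that merely share a magic prefix are ignored.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size < min_size:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue  # unreadable or vanished file: skip, keep sweeping
            fmt = weight_format(head, size)
            if fmt:
                hits.append((path, fmt, size))
    return sorted(hits)

def audit_host(hostname: str, root: str, min_size: int = 100 * 1024 * 1024):
    """Return findings only for hosts that are not designated for AI compute."""
    if hostname in DESIGNATED_AI_HOSTS:
        return []
    return find_weight_files(root, min_size)
```

Matching on header bytes means a weight file renamed to an innocuous extension is still reported; a finding is a lead for triage, not proof of compromise.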
Sources
arXiv 2606.03811 — AI Agents Enable Adaptive Computer Worms (pre-print, Guan et al., June 2, 2026)
arXiv PDF — AI Agents Enable Adaptive Computer Worms