WWW.LIVESCIENCE.COM
'You can't patch your way out of it': Cheap AI worm can spread between devices without human guidance but how did scientists create it?
Researchers have demonstrated that a computer worm powered by artificial intelligence (AI) can autonomously spread across a network by identifying and exploiting vulnerabilities on different devices, raising fresh concerns about how the technology could change the future of cyberattacks.

The proof-of-concept malware, developed by researchers at the University of Toronto and cybersecurity firm CleverHans, combines a locally running large language model (LLM) with an autonomous software agent that can scan networks, assess potential attack paths, and decide how to compromise new targets without human intervention. The researchers say the work shows how AI could enable malware to adapt to unfamiliar environments rather than relying on a single preprogrammed exploit.

In experiments described in a new study uploaded June 2 to the arXiv preprint server, the worm was tested against a simulated corporate network containing 33 hosts, including Linux servers, Windows workstation computers and other internet-connected (IoT) devices. The researchers found that the system identified vulnerabilities, compromised new machines, and replicated itself across roughly 62% of the network over the course of a week.

"The main finding is that this type of system can do more than run a fixed exploit; it can examine the target environment, reason about possible vulnerabilities, use tools to attempt attacks, and then replicate itself after a successful compromise," Michael Agee, an adjunct professor of information technology at Trinity Washington University in Washington, D.C., who was not involved in the research, told Live Science.

How does the AI worm work?

The setup was relatively straightforward. The researchers took an open-weight LLM (for which training data is publicly available) running on local hardware and connected it to a software framework that could scan networks, collect information about target systems, and carry out attacks.
The AI's role was to interpret what it found and decide where to go next.

"The AI-driven part of the attack is mainly the reasoning and decision-making," Agee said. "The LLM is not magically hacking the system; it is being used to reason about what the information means, suggest possible attack strategies, decide which tool or action should be tried next, and help adjust the approach when something fails."

In other words, the worm isn't inventing new ways to break into systems. Instead, it's taking information about a machine, matching it against known vulnerabilities and weaknesses, and deciding which avenue is most likely to succeed.

Bob Hutchins, who teaches AI strategy courses at Lipscomb University in Nashville, Tennessee, said the innovation lies in the system's ability to adapt.

"Traditional worms follow a scripted sequence: Once a vulnerability is identified, the worm replicates," Hutchins told Live Science. "In contrast, the researchers demonstrated that an easily downloaded AI model could be used as the decision-making component of the worm. The worm would analyze each device it encountered to determine its most effective strategy to breach that particular system."

"Intelligence does not exist in discovering new vulnerabilities; rather, intelligence exists in determining how quickly an attacker can choose and sequence attacks against previously identified vulnerabilities," he added.

What makes this AI worm different from conventional malware?

The researchers also designed the worm to work across devices with different levels of computing power.
More capable compromised machines equipped with graphics processing units (GPUs) could provide reasoning services for lightweight agents running on less-powerful devices elsewhere on the network.

"What made it particularly dangerous was a clever tiered design," Tom Vazdar, a professor of AI and cybersecurity at the Open Institute of Technology, told Live Science. "GPU-equipped compromised machines provided reasoning capacity for lightweight agents running on low-power IoT devices that couldn't run an AI model locally. A camera becomes a thinking node in the attack network, not just another door."

The research, which has not been peer-reviewed yet, was published as governments, security experts and AI companies continue to debate whether generative AI will make sophisticated cyberattacks easier to carry out. One reason the study has attracted attention is that the researchers did not rely on a frontier model from a major AI company, like OpenAI's ChatGPT or Anthropic's Claude. Instead, they used a much smaller open-weight model that can be downloaded and run offline on normal computers.

"The researchers employed lightweight open-weight models during their demonstration, which are relatively easy to download, remove guardrail components from, and utilize," Hutchins told Live Science. "By using these types of models, the researchers challenged a long-standing assumption that only advanced/edge-type models present risks related to misuse."

Vazdar argued that the work highlights how attackers could increasingly automate tasks that currently require skilled human operators, telling Live Science, "The attacker's marginal cost drops to essentially zero. And you can't patch your way out of it, because it doesn't rely on a single vulnerability class. It reasons.
Patch one hole, and it finds another."

Could attackers use this AI worm in the real world?

Not all experts agree with that assessment, however. Although researchers described the system as capable of targeting a wide range of devices, some cautioned that the demonstration took place in a highly controlled environment designed to showcase the concept.

"This is at best a lab-based proof of concept in a target-rich test environment," Agee said. The test network contained many intentionally vulnerable systems and lacked active endpoint defenses. "The paper shows that the approach is possible, not necessarily that this attack would work reliably in a normally, or even minimally, defended enterprise network," he added.

The worm also generated activity that security teams could potentially detect, he noted, including network scanning, repeated exploitation attempts and privilege-escalation behavior.

"Even a basic monitoring setup could flag some of that behavior," Agee said.

Hutchins likewise warned against overstating the findings. "'Could potentially target almost any device' is technically correct and emotionally misleading," he said. "Any internet-connected device running vulnerable versions of software is theoretically susceptible to being exploited via a similar mechanism.
This has been a truism of malicious code for decades."

Organizations can still defend themselves by using many of the same measures recommended against conventional cyberattacks, Hutchins added, including prompt patching, strong passwords and multifactor authentication (using multiple forms of identification to log in to systems, like a password sent via text message on top of your password).

Even so, experts broadly agree that the study could mark a shift in how malware could operate in the future. Rather than relying on fixed instructions written by human attackers, future malicious software may be able to make many tactical decisions on its own.

"The attack is important because it shows that an LLM-based agent can reason through different targets and adapt its approach," Agee said.

For Hutchins, the study ultimately represents exactly the kind of work academic researchers should be doing. The study authors "are performing precisely what academia should perform: researching a legitimate threat within a controlled environment before malicious actors begin building it outside of that controlled environment," he said.

Whether attackers adopt similar techniques remains to be seen. What the researchers have shown is that a relatively small AI model can already play a meaningful role in planning and directing a cyberattack.