Pandora's box is open


By Jarle Aase

If you have seen the old movie War Games from 1983, you probably remember one of the early scenes in the film where David programmed his computer to call all the phone numbers in a specific region of the United States to find the computer of a game software company. That was a brilliant picture of pre-internet hacking, showing the craft in its simplest form. It showed that a carefully written computer program could examine a region and find computers of interest. Most attack tools on the Internet have followed the same patterns up to our time. An attacker uses a tool, crafted to probe or penetrate a system using a specific method or bucket of methods. I wrote a program myself back in 1996 where I could send a single IP packet to a Windows computer on the Internet and immediately crash it with the dreaded Blue Screen of Death. As soon as Microsoft fixed that embarrassing bug in Windows 95, my favorite toy stopped working.

Computer worms are a variant of the same. Instead of relying on someone to operate the tool, once it penetrates a system, it copies itself into that system and automatically searches for new vulnerable systems to infect. Much like biological viruses. But the traditional tools and worms needed to know what vulnerabilities to look for and exploit.

We already knew that reasoning AI models are a fundamental threat to IT security. But most people have assumed that only the frontier models are really dangerous, and that these can somehow be contained from being abused (like nation states' intelligence agencies or military intelligence would restrain themselves from using such tools to play nice!).

The tinfoil-hat communities and sci-fi authors have explored the idea that some AI in the future could hack everything. But most people have dismissed this idea as unrealistic or even stupid.

Now we need to revise that view. On June 2nd 2026, researchers at the University of Toronto, the University of Cambridge and a handful of other institutions released a research paper: AI Agents Enable Adaptive Computer Worms.

Abstract from the research paper

A computer worm is malware that spreads on a network by replicating itself from one machine to another. Traditional worms, like WannaCry, exploited predetermined vulnerabilities, and their spread can be halted by patching those vulnerabilities. Here we show that artificial intelligence (AI) agents enable a fundamentally new threat: a worm that generates tailored attack strategies to each target it encounters. The worm parasitically uses compromised machines to run open-weight large language models (LLMs) to sustain its reasoning, or extend its reach for further attacks. Deployed on a network of machines spanning Linux, Windows, and IoT (Internet of Things) devices, the worm propagated by exploiting common, real-world corporate network vulnerabilities. Since the worm is powered by stolen compute, the attacker’s marginal cost per new infection is zero. This creates a destabilizing economic asymmetry between attackers and defenders. Moreover, because the worm requires no commercial AI platform, centralized safety controls, such as service refusals or rate limiting, are structurally irrelevant. Our results demonstrate that self-sustaining AI-driven cyber-threats are no longer theoretical. We must prepare for autonomous generative adversaries: malware systems that propagate without human operators and are defined not by fixed exploit code, but by the capacity to reason about targets, adapt to observations, and synthesize attack logic in real time.

In other words, researchers have now demonstrated something new: a worm that uses AI to figure out how to attack each computer it encounters. Instead of following a fixed script, it can adapt its strategy, much like a human attacker would.

What you need to know

The new thing here is that once the worm is created by somebody, it uses a local LLM to reason for itself. It will not need any input or instructions from humans. It's important to understand that it will not connect to ChatGPT, DeepSeek or Claude or anything else that may shut it out or be unwilling to help. It will download a local LLM, run it locally without any constraints or safeguards, and use that to execute each of the phases it needs to go through in order to penetrate and spread.

So it will start by exploring a newly penetrated machine. From there, it will find other machines. For example, if this gets into a corporate network, it will discover all the machines on the local network that are directly accessible from this machine. And then it will start working with each of those machines systematically to figure out what operating system they are running, what kind of ports are open and how it can get into those systems. If the machine it runs on has a GPU sufficiently powerful to run its chosen LLM, then it will run the LLM on that machine. Other machines without powerful GPUs can use that like their own private (and free) AI API compute node.

When it gets into a new machine it will typically run as an unprivileged user, maybe a restricted daemon user account or a normal user on that machine. The first thing it will do is to figure out how it can obtain root privileges. Once that's done it can do whatever it wants with that machine, including downloading and running an LLM. If what it has broken into is, for example, just a security camera or some device with very little compute resources, it can still use it as a jump node to find other systems. But then it has to call back to one of the other compromised machines with the LLM running to get instructions.

Of course, even small LLMs that you can run on your phone probably have some information about exploits in their training data. The larger models that require big GPUs know a lot more. But they are still limited to what they know from their training data, yes? So instead of a pre-AI worm with maybe 50 exploits in its toolbox, the AI worm will maybe know a few million exploits. But once a machine is fully patched up, none of those will work any more. Not on the fully patched machine.

Wrong! The AI worm is like an attack dog. It can learn new tricks.

... the AI-driven worm exploited three vulnerabilities disclosed in 2026, after the LLM’s training cutoff, by ingesting publicly available advisory information at runtime. These results demonstrate that the worm can convert newly published vulnerability information into working exploits ...

And I don't think they deliberately put that into the worm. It figured that out for itself.

Our results establish that an autonomous, self-replicating AI-driven adversary is not a theoretical concern but a present capability.

What's scary here is that this thing is very capable, and once in the wild, will be able to "live" and spread, even if we pull the plug in all the datacenters in the world and shut down every cloud VM. Local models work like traditional desktop applications. They have all the information they need locally, and they don't need to connect to anything to keep running.

Concretely, we demonstrate that, provided with the right informational support, a single-GPU LLM has sufficient reasoning capabilities to generate attack strategies that enable the agent to penetrate victim machines: first by obtaining initial command execution, a foothold, and then by escalating privileges to full administrative control. The agent then leverages this control to replicate: it stages a copy of itself on the compromised machine, resolves the required runtime dependencies, and launches an independent agent instance that discovers and attacks further targets.

And it's not just learning. It's rewriting its own code as needed.

Once the initial agent is launched, the AI-driven worm must operate entirely autonomously with no human in the loop. The worm was not instructed to self-improve its code or weights during its spread, and these mechanisms are not intended to be essential to its potency in our design. Nonetheless, we observed the agent rewrite its code on some occasions to bypass local security controls within the contained environment

The only "good news" is that it requires GPUs that are not yet very common outside data centers.

The agent is driven by a publicly available open-weight LLM published in 2025. It fits on a single A100 GPU with 80GB of VRAM. We do not finetune, or make any other alterations to the LLM.

The academic AI worm does not have a 100% score rate. But if it was left running for months or years, I think the success rate would be much higher.

Figure (success graph): the success rates for the experiment in a contained environment (figure from the research paper).

Personally I think an LLM made specifically for this purpose (the researchers used a general, commonly available LLM) will be able to work at least as efficiently on much more limited hardware, including normal PCs. Also, as long as the machine is on and nobody is watching, it doesn't really matter if answering a question takes 1 second or 1 week. A dedicated LLM can also be stripped of unrelated information, like the history of the Roman Empire and classical music. I can for example run LLMs crafted for transcribing audio relatively efficiently on my 4-year-old Android phone.

Why would anyone make something like this and let it loose?

The most obvious motivation is money.

If a criminal organization could release a self-sustaining AI worm onto the Internet, it might quickly amass millions of compromised machines. Those machines could then be rented out as a service to other criminals. Need a distributed denial-of-service attack? Rent a million nodes. Need anonymous VPN endpoints to bypass increasingly strict identification laws? Pay a few cents a month. Need proxy servers or spam relays? No problem.

Services like these already exist. Malware operators sell access to compromised computers. Some offer full remote access, including cameras, microphones, keyboards, screens, and files. An AI worm that could compromise millions of machines would simply scale up an already existing business model.

With full control over infected systems, criminals could also steal cryptocurrency wallets and empty Bitcoin, Ethereum, and other blockchain accounts. Some of the stolen GPUs could be used for cryptocurrency mining. After all, why not? It's not like they would be paying the electricity bill.

But perhaps the most interesting possibility is AI itself.

Suppose a criminal group controlled hundreds of thousands of powerful machines with high-end AI GPUs. Those machines would collectively represent an enormous amount of computing power. Why not build a ChatGPT competitor using stolen resources? Put a nice web interface on top of it and charge half the price of commercial services. The victims would unknowingly be paying for the hardware and electricity.

Of course, that is if you are a nice guy who just happens to also be a computer criminal. There are people whose motivations are harder to understand. Some individuals simply want to watch the world burn. A worm designed not to profit, but to destroy, could erase disks, corrupt firmware, or deliberately render millions of computers unusable. Such an attack could trigger economic disruption, stock market crashes, and widespread unemployment.

The technical barriers are no longer impossibly high. They still require skill, but perhaps not extraordinary skill.

And then there are governments.

Intelligence agencies and law enforcement organizations have powerful incentives to gain access to foreign networks. Nations have been conducting cyber espionage for decades. If a self-propagating AI worm could silently infiltrate millions of machines, it would provide unprecedented access to communications, cameras, microphones, and private data.

Russia would certainly be interested in seeing what is happening inside American systems. America would likely be equally interested in Russian or Chinese systems. Every major power, and every intelligence service, would be tempted by technology that offers virtually unlimited access to information.

In other words, the obstacle is unlikely to be lack of motivation.

Developers in the hot spot

I suspect that software developers will be among the first and most valuable targets for adaptive AI worms.

An intelligent worm will likely discover enormous numbers of potential victims across the Internet, local networks, and ISP address ranges. Even with access to stolen GPUs, it will still have limited resources and will need to prioritize. Not every machine is equally valuable.

Most developers run a tremendous amount of experimental software. Modern development often means installing thousands of packages, many of which we know little about. Front-end developers routinely pull in huge dependency trees through npm, and many packages execute scripts during installation. A single compromised dependency may provide an attacker with a foothold without the developer ever noticing. Developers also tend to run containers, Docker, Kubernetes, and other tools that greatly expand the attack surface. Even when we avoid running as root, membership in the Docker group effectively grants root privileges. Once malware gains access to the developer's account, elevating privileges can be trivial.

Developers possess treasures that attackers love: SSH keys granting access to servers. GitHub credentials that allow code changes. Cloud provider credentials. CI/CD tokens. Package signing keys. VPN access to corporate networks. API keys and secrets. Compromising a developer workstation often means gaining access to much more than a single computer. A sufficiently clever worm could use compromised GitHub accounts to inject itself into popular repositories, spreading further through the software supply chain to anyone installing those packages.

Developer machines are typically far more powerful than average consumer PCs: Fast Internet connections. Large amounts of memory. Powerful CPUs. Lots of storage. High bandwidth. Increasingly, we also have high-end GPUs for local AI workloads.

When an AI worm penetrates a developer machine, it will be like entering heaven. Everything is laid out for it to enjoy itself for a long, long time.
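A defender can check a workstation for the exposures listed above before anything else does. The following is an added example, not code from the original post or the research paper: a small audit of one home directory for SSH private keys without a passphrase, credential files readable by other accounts, plaintext npm tokens, npm install scripts left enabled, and docker group membership. The list of credential paths and the finding labels are assumptions made for the example.

```python
import base64, grp
from pathlib import Path
# Common default locations of developer secrets (a list assumed for this example).
SECRET_FILES = [".aws/credentials", ".npmrc", ".netrc", ".docker/config.json", ".kube/config"]
MAGIC = b"openssh-key-v1\x00"

def ssh_key_is_encrypted(text):
    """True/False for private-key text, None if it is not a recognised private key."""
    lines = text.strip().splitlines()
    if not lines or "PRIVATE KEY-----" not in lines[0]:
        return None
    if "OPENSSH" not in lines[0]:
        # PKCS#8 marks encryption in the label, legacy PEM in a Proc-Type header.
        return "ENCRYPTED" in lines[0] or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
    try:
        blob = base64.b64decode("".join(lines[1:-1]))
    except ValueError:
        return None
    if not blob.startswith(MAGIC):
        return None
    # After the magic comes a length-prefixed cipher name; "none" means no passphrase.
    n = int.from_bytes(blob[len(MAGIC):len(MAGIC) + 4], "big")
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"

def audit_home(home):
    """Return sorted (finding, path) tuples for one home directory."""
    home, findings = Path(home), []
    ssh_dir = home / ".ssh"
    for key in (ssh_dir.iterdir() if ssh_dir.is_dir() else []):
        if key.is_file() and ssh_key_is_encrypted(key.read_text(errors="replace")) is False:
            findings.append(("ssh private key has no passphrase", str(key)))
    for rel in SECRET_FILES:
        f = home / rel
        if f.is_file() and f.stat().st_mode & 0o077:
            findings.append(("secret file accessible to group/other", str(f)))
    npmrc = home / ".npmrc"
    cfg = npmrc.read_text(errors="replace") if npmrc.is_file() else ""
    if any("_authToken=" in l and "${" not in l for l in cfg.splitlines()):
        findings.append(("plaintext npm token", str(npmrc)))
    if "ignore-scripts=true" not in cfg.replace(" ", ""):
        findings.append(("npm install scripts not disabled", str(npmrc)))
    return sorted(findings)

def docker_group_members():
    """Accounts listed in the docker group, which is effectively root access."""
    try:
        return list(grp.getgrnam("docker").gr_mem)
    except KeyError:
        return []

if __name__ == "__main__":
    for finding, path in audit_home(Path.home()):
        print(f"{finding}: {path}")
    print("docker group:", ", ".join(docker_group_members()) or "(none)")
```

The check only reads the user-level `.npmrc`; a project-level `.npmrc` can also set `ignore-scripts`, and an account whose primary group is docker will not appear in the member list.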

How do we prepare ourselves for this?

Interestingly, the research paper contains no advice on how to defend against AI worms.

One thing we should be mindful of is that if adaptive AI worms ever become successful, we must assume that every organization we trust with our data will eventually be compromised.

In the best case, data is simply lost.

In worse cases, it becomes public.

And in the worst case, it is altered.

Imagine health records, tax information, criminal records, or financial data being silently rewritten. Imagine companies and governments holding information about you that is no longer true. Every relationship we have with institutions depends on the integrity of the information they store. If that integrity disappears, trust itself becomes difficult.

For that reason, I believe we can no longer assume that third parties will permanently protect our memories, documents, photos, videos, and other digital possessions. We should assume that both we and the organizations we trust will eventually suffer compromise.

That realization should change how we handle backups.

Own Your Data

Personally, I already maintain local backups of everything important.

All my systems back up through a machine on my local network. In addition to daily cloud backups, I maintain offline "cold storage" backups on large encrypted USB drives. Even if a cloud provider were compromised or accidentally erased my data, I could restore everything that matters.

Harden Local Systems

My next step is to further harden my local environment.

I also plan to create backups on write-once media, ensuring that even if an attacker gains long-term access to my systems, my most valuable information remains beyond modification.

Consider Offline Systems

I also plan to dedicate one laptop to offline use only. Removing its networking hardware entirely turns it into a machine that cannot accidentally become part of the Internet.

Data can still be transferred manually using trusted media. This is not perfectly secure, but it dramatically reduces the attack surface.

Society Depends on the Cloud

Another concern is the degree to which modern society depends on cloud infrastructure.

If several major providers experienced prolonged outages, the effects would extend far beyond email and social media. Supply chains, logistics systems, payment networks, and inventory systems could all collapse.

Supermarkets might struggle to replenish goods. Businesses could lose access to critical services. Recovery would eventually happen, but alternative channels would take time to establish.

COVID taught me that "just in time" systems are not always resilient. Since then, I have kept several months of food and water available. Nothing exotic, just rice, canned food, supplies for the dogs, and enough water to manage an emergency. Living in the countryside, I am fortunate to also have access to a well.

None of this requires believing in apocalyptic scenarios. It is simply prudent preparation.

Political Risks Exist Too

Interestingly, we do not even need AI worms to lose access to our data.

Political decisions can have similar consequences. Cloud providers ultimately operate within legal jurisdictions. Governments can compel companies to retain data, disclose it, or delete it. Whether one believes such scenarios are likely or not, they illustrate an important principle: If something exists only in the cloud, it ultimately exists at someone else's discretion.

Hope, Not Doom

I don't believe the future is only dark.

Society has survived wars, pandemics, depressions, and countless disasters. Even severe disruptions are unlikely to end civilization. We would rebuild.

But your personal memories may not be rebuilt. The photos of your children. Your journals. Your source code. Your work. Those things can disappear overnight.

If you don't harden your setup and prepare for losing what's in the cloud, there is a high probability that you will lose it. And if you have read this far in this blog, you can only thank yourself if you let that happen.

  • Harden your computer(s) - especially if you are a developer.
  • Back up everything that matters to you to cold storage.
  • Make sure you have food, water and cash in case - you know - the AI apocalypse ;)