Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models

The emergence of an AI‑driven worm marks a watershed moment in cyber‑threat evolution. By embedding an open‑weight large language model on a local GPU, the Toronto team eliminated the need for external API calls, allowing the malware to generate exploit code on the fly. This capability lets the worm scan a network, read freshly published vulnerability advisories, and craft tailored attack chains in real time—an approach that renders static, single‑CVE patching strategies largely ineffective.

Technical analysis reveals a tiered architecture where compromised GPU‑enabled hosts become distributed inference nodes for lower‑power devices. In the lab’s 33‑host “FakeCorp” environment, the worm identified over thirty vulnerabilities per run, achieved privileged access on roughly seventy‑five percent of targeted machines, and propagated through up to seven generations. Its success against three post‑training zero‑day CVEs underscores a critical weakness: once a model can ingest public advisory text, the window between disclosure and exploitation shrinks to hours, echoing the rapid spread of WannaCry but with AI‑generated payloads.

For defenders, the findings demand immediate operational changes. Aggressive segmentation of GPU‑rich servers, zero‑trust controls around inference workloads, and continuous monitoring for anomalous LLM activity become essential. Moreover, organizations must treat newly disclosed CVEs as imminent weaponisation targets, accelerating patch cycles and deploying compensating controls where rapid remediation isn’t possible. As AI models become more accessible, the cost of large‑scale, adaptive malware will shift from cloud‑based API fees to the compute power of compromised infrastructure, reshaping threat economics and raising the bar for enterprise security.