HackMyIP
2026-06-09 The Hacker News

AI Worm Uses Local LLMs to Spread Across Networks Without APIs

AI Threats, LLM Security, Malware

Researchers at the University of Toronto's CleverHans Lab, led by associate professor Nicolas Papernot, have demonstrated a proof-of-concept AI worm that propagates across networks using a locally hosted open-weight large language model — bypassing the commercial AI services that defenders might otherwise throttle or block. The preprint, posted to arXiv on June 2 and co-authored with the Vector Institute, University of Cambridge, and ServiceNow, shows the worm identifying vulnerabilities, generating tailored exploits at runtime, and replicating autonomously with no human input.

In 15 isolated runs across a deliberately vulnerable 33-host test network spanning Ubuntu, Debian, Rocky Linux, Alpine, Windows Server 2008 R2, 2019, and 2022, plus IoT devices, the worm identified an average of 31.3 vulnerabilities, gained elevated access on 23.1 hosts, and self-replicated to 20.4 of them — roughly 62% of the network — over seven days without prior knowledge of the topology. A tiered variant that staged local LLM instances on compromised GPU hosts succeeded in 68.8% of attempts, with infections reaching up to seven generations. Documented exploits in a single run included chained SambaCry and writable root cron escalation, Dirty Pipe, PrintNightmare, Drupalgeddon 2, and Exim remote code execution.

Unlike traditional worms, which ship with a fixed exploit payload, this one reasons about each target it encounters and crafts a new attack path on the fly — rendering single-CVE patching largely obsolete when malware can read fresh advisories and generate novel exploits at runtime. The research is a controlled proof of concept, not a weaponized strain found in the wild, but it shifts the threat model: defenders can no longer assume that blocking a handful of known bugs will contain propagation. Proactive exposure management is now the baseline.

For network operators, the practical response starts with visibility. Run a port scanner to identify exposed services before an attacker does, verify transport hardening with an SSL/TLS checker, and audit your external footprint with a WHOIS lookup. Autonomous, reasoning-capable malware is no longer hypothetical — it is running in a lab today, and the time to close unnecessary exposure is now.

Source: The Hacker News
