University of Toronto Demonstrates AI Worm Targeting Any Device

A University of Toronto research team posted a preprint to arXiv titled "AI Agents Enable Adaptive Computer Worms" (arXiv:2606.03811) describing a proof-of-concept autonomous worm, the paper shows. The arXiv preprint and a University of Toronto news release state the prototype can autonomously navigate a network, identify device-specific vulnerabilities, generate tailored attack plans, and replicate across Windows, Linux and IoT hosts. In closed-lab simulations on a 33-machine corporate testbed, the worm achieved a 73.8% exploitation rate after seven days, per the preprint. The researchers say the experiments ran in a secure, isolated digital lab and that they redacted details judged likely to assist malicious actors, according to the University of Toronto press release and the arXiv posting.

Per the arXiv preprint, the prototype uses a locally hosted, open-weight large language model to power agentic decision-making rather than relying on proprietary cloud APIs, a design the authors note lowers barriers to replication. The paper describes the worm "parasitically acquiring computational resources for autonomous reasoning," combining automated reconnaissance, exploit selection, and replication logic as it spreads across heterogeneous systems, the preprint explains. Multiple outlets, including Scientific American and The New York Times, reported that the demonstration relied on publicly accessible models and commodity tooling rather than private model access.

Industry observers note that embedding agentic reasoning into self-replicating malware changes the threat model for defenders. For practitioners: adaptive malware that tailors payloads per-host increases the utility of behavior-based detection, anomaly detection on process trees, and runtime integrity checks, while reducing the effectiveness of signatures tied to a single exploit. Observed patterns in similar security evolutions show attackers shift from static exploit kits to modular, decision-driven toolchains once inexpensive orchestration primitives exist.

Industry coverage frames this work as a "wake-up call" because it demonstrates that widely available open models can be combined with existing exploitation techniques to make more flexible worms, reporting by Scientific American and The New York Times states. Historical comparisons in reporting cite pre-AI worms such as WannaCry to underline how self-replication at scale creates systemic risk for critical infrastructure; the researchers and media emphasize the difference that adaptive reasoning brings compared with single-exploit worms, per the arXiv paper and University of Toronto commentary. The University of Toronto quotes Nicolas Papernot saying, "It was imperative for us to understand this threat in a controlled, academic setting before bad actors figured it out for themselves," in its press release.

• •Emergence of technical mitigations or vendor advisories addressing behavior-driven, multi-stage malware, as reported by security vendors and CERTs.
• •Any follow-up peer-reviewed publications or redacted supplemental material on arXiv or lab pages that clarify capabilities without operational playbooks.
• •Changes to access policies for open-weight models, and vendor statements about misuse risk, as covered by mainstream and trade press.
• •Indicators of compromise and tooling patterns released by commercial detection vendors and open-source threat intelligence projects.

The published prototype, the University of Toronto press materials, and coverage in outlets including Scientific American and The New York Times together document a working demonstration that publicly available AI models can materially change malware behavior. The 73.8% lab exploitation rate is a concrete empirical result, though the work was conducted in an isolated testbed and the authors limited publishable detail to prevent misuse, per their statements and the arXiv posting.