Researchers at the University of Toronto have identified a new class of cyber threat that could significantly expand hackers’ reach and capabilities at a much lower cost. They warned that any internet-connected device could be vulnerable, and that such malware can be built using freely available AI models.
In a study released on June 2, the researchers said they were among the first to demonstrate that publicly accessible AI models can be used to power a worm capable of adapting its behavior as it spreads from one device to another.
Worms are a type of malware that can copy themselves and spread across computer networks through shared digital connections, such as Wi-Fi. Unlike traditional computer viruses, which rely on tricking users into opening infected files, worms can spread on their own once they find network vulnerabilities.
“The worm parasitically uses compromised machines to run open-access large language models (LLMs) to sustain its reasoning, or extend its reach for further attacks,” the researchers warned.
“Deployed on a network of machines spanning Linux, Windows, and IoT (Internet of Things) devices, the worm propagated by exploiting common, real-world corporate network vulnerabilities,” they wrote.
The findings build on long-standing concerns about computer worms. One well-known example is the WannaCry ransomware worm in 2017, which targeted Microsoft Windows systems, encrypted data, and demanded ransom payments in bitcoin.
The study notes that the AI worm spreads more slowly than traditional worms because it has to carefully search for possible entry points on each new device it tries to infect. In the researchers’ test network, it took about five days to infect half of the devices.
However, the researchers warn that this delay could get shorter over time as devices become faster at running AI models and as AI systems get better at finding security weaknesses.
The researchers also note that smartphones and laptops built to run AI tasks can be used as easy sources of computing power for the AI worm. “As consumer devices increasingly support LLM inference, the reasoning resources available to such adversaries grow accordingly,” the researchers said.
This means “every machine connected to the internet is a potential target—if not for the data it holds, then as a launching pad for the next attack.”
University of Toronto researcher Nicolas Papernot, who co-authored the study, said the goal of the research was to better understand the risks before malicious actors can scale similar systems.
“It was imperative for us to understand this threat in a controlled, academic setting before bad actors figured it out for themselves,” Papernot said.
Papernot said researchers shared their findings with national security and defense bodies before publication to ensure responsible disclosure. He said the aim is to help develop countermeasures capable of detecting and stopping AI-driven malware before it spreads widely across critical systems.
The discovery comes as the cybersecurity industry is already dealing with concerns about powerful AI systems.
In April, Anthropic announced a model called Mythos, a system designed to write code and solve complex technical problems, which experts say could also be used as a hacking tool.
Recent evaluations found that it can detect and exploit previously unknown vulnerabilities in operating systems and web browsers. Mythos has been released to a small group of tech companies for testing under a program called Project Glasswing.
A few weeks later, OpenAI introduced its own cybersecurity-focused model, GPT-5.4-Cyber, designed to find security flaws. Like Anthropic’s model, it has only been shared with a limited group of testers.







