AI-Powered Worm Learns to Adapt Attacks, Alarming Security Experts

In an interconnected world, no system is truly immune
The lead researcher on the project warns that the threat posed by AI-powered worms transcends traditional network boundaries.

From a controlled laboratory at the University of Toronto, researchers have conjured a new kind of digital threat — not merely a tool, but a learner. An AI-powered worm that adapts, persists, and improves itself as it moves through systems represents a philosophical crossing point in the history of cybersecurity: the moment when the attack itself becomes the attacker. The experiment was designed as a warning, but warnings have a way of becoming blueprints.

  • A self-teaching worm prototype successfully crossed Windows, Linux, and IoT environments during testing — and when a vulnerability was patched, it simply found another way in.
  • The economics of cyberattack have been upended: once deployed, the worm harvests infected machines' own processing power to fuel further attacks, driving the cost of mass exploitation to near zero.
  • A parallel AI tool from Anthropic, Mythos, discovered over ten thousand vulnerabilities in a single month — four hundred of them critical — signaling that automated vulnerability-hunting is already operational, not theoretical.
  • The worm currently exploits only known flaws, but researchers warn that adapting it to pursue zero-day vulnerabilities could enable attacks that spread faster than any human-led defense can respond.
  • Lead researcher Nicolas Papernot framed the work not as a threat but as a mobilization call — urging security professionals, industry, and policymakers to act before the capability escapes the lab in someone else's hands.

Researchers at the University of Toronto have developed an AI-powered worm that learns as it spreads — a prototype that marks a significant departure from traditional malware. Where conventional worms exploit a single known vulnerability and stop there, this one adapts its approach depending on what it encounters: shifting strategies between Windows machines, Linux systems, and IoT devices, and searching for new entry points whenever a known vulnerability is closed.

What unsettles security experts most is not the technical sophistication alone, but the economic logic it dismantles. Cyberattacks have historically been constrained by cost — time, computing resources, and the need to prioritize high-value targets. This worm erases those constraints by using the processing power of already-infected machines to sharpen its own decision-making. The marginal cost of each new attack approaches zero, meaning attackers could simply release it and walk away.

The concern deepens when placed alongside a parallel development: Anthropic's AI model Mythos, which identified more than ten thousand security vulnerabilities in a single month, including hundreds classified as critical. The Toronto worm currently operates only on known flaws, but its creators acknowledge the architecture could be extended to hunt for zero-day vulnerabilities — gaps that defenders have no patches for yet.

Lead author Nicolas Papernot was direct in framing the research as a warning rather than a weapon: in a fully interconnected world, no system is truly safe from this class of threat. The worm remains confined to isolated test environments, but the capability it demonstrates has already unsettled the cybersecurity community. The deeper fear is not this specific prototype, but the precedent it sets — and the question of how quickly defenses can evolve to meet an adversary that never stops learning.

Researchers at the University of Toronto have built something that should worry anyone responsible for keeping networks safe: a worm powered by artificial intelligence that teaches itself how to break into computers, learns from what it finds, and spreads without human guidance. The prototype, developed using open-source AI models and tested in isolated, controlled networks, represents a fundamental shift in how automated attacks might work—one where the malware itself becomes smarter as it moves through systems.

Unlike traditional worms, which are typically designed to exploit a single known vulnerability and nothing more, this one adapts. When it encounters a Windows machine, it tries one approach. When it finds a Linux system, it adjusts. When it hits an internet-connected device, it shifts again. During testing, the worm moved through different environments collecting information, attempting to crack passwords, and hunting for new security gaps that might give it deeper access. It successfully operated across Windows computers, Linux machines, IoT devices connected to networks, systems that had already been patched against previous attacks, and environments with entirely different types of vulnerabilities. The most unsettling part of the experiment was what happened when a vulnerability got fixed: the worm simply looked for another one and kept trying.

What makes this particularly alarming is the economics of it. Hackers have traditionally faced real constraints. Time costs money. Computing resources are finite. So attackers had to be selective, targeting only the most valuable victims because they couldn't afford to waste effort on smaller targets. But once an AI worm like this is released into the wild, those constraints largely disappear. The worm uses the processing power of the machines it has already infected to improve its own decision-making for the next attack. The cost of running the attack drops to nearly zero. Nicolas Papernot, the study's lead author, put it plainly: hackers no longer have to choose their targets carefully. They can just let the worm loose.

The research also touches on a parallel development that compounds the worry: AI tools designed specifically to find security vulnerabilities. Anthropic released a model called Mythos that can identify previously unknown flaws in digital systems. In just one month, Mythos found more than ten thousand vulnerabilities. Cloudflare identified roughly two thousand of those as related to their systems, with four hundred classified as critical or highly severe. The Toronto researchers acknowledge that their prototype currently only exploits vulnerabilities that are already known. But they also acknowledge that the technology could be adapted to hunt for brand-new, never-before-discovered flaws—zero-day vulnerabilities that defenders have no patches for yet.

If that happens, the implications are stark. Large-scale automated attacks could spread across the internet at speeds that are difficult to contain, learning new pathways as they go, adapting faster than security teams can respond. Papernot issued a statement that cuts to the heart of the concern: in an interconnected world, no system is truly immune to this kind of threat. He framed the research as a call to action—a way to mobilize security researchers, industry leaders, and policymakers to respond quickly. For now, the project remains confined to controlled environments. But the experiment has already sent a chill through the cybersecurity sector. The fear is not that this particular worm will escape into the world, but that the capability it demonstrates will eventually be weaponized, and when it is, the speed and scale of the damage could outpace our ability to defend against it.

Once deployed, the cost of running such an attack drops to nearly zero, eliminating the resource constraints that have traditionally forced attackers to be selective about their targets.
— Nicolas Papernot, lead author of the study

In an interconnected world, no system is truly immune to this threat. Sharing these discoveries is the first step toward mobilizing researchers, industry leaders, and policymakers to act—and quickly.
— Nicolas Papernot

The Hearth Conversation
Another angle on the story

Inventor

Why does an AI worm that learns pose a fundamentally different threat than a traditional one?

Model

A traditional worm is like a key made for one lock. It works or it doesn't. But this one is like a locksmith that teaches itself. It sees a lock, tries different techniques, learns what works, and then applies that knowledge to the next lock it encounters. That adaptability is the core problem.

Inventor

You mentioned the cost dropping to near-zero. What does that actually change about how attacks happen?

Model

It removes the scarcity that has always constrained attackers. Right now, launching a sophisticated attack takes resources—time, computing power, skilled people. So attackers target high-value victims. But if you can deploy something that runs itself and uses its victims' own computers to power itself, you can attack everyone. The economics flip entirely.

Inventor

The researchers tested this in isolation. How confident are we that it stays contained?

Model

The test itself was contained, yes. But the knowledge isn't. The moment this research is published—and it has been—other people know it's possible. The question isn't whether this exact prototype escapes. It's whether someone takes the same approach and builds something worse.

Inventor

What's the difference between what they built and what Mythos does?

Model

Mythos finds vulnerabilities. This worm exploits them. Right now, the Toronto worm only uses known vulnerabilities. But if you combine the two—a worm that can find new vulnerabilities and exploit them automatically—you've created something that doesn't need human hackers at all.

Inventor

Is there a defense?

Model

That's the hard question. You can patch vulnerabilities, but a learning system will just find others. You can isolate networks, but in a connected world, isolation is temporary. The researchers are essentially saying: we need to think about this problem differently, and we need to start now.
