The security community is actively developing safeguards against a new class of adaptive AI worms, aiming to prevent widespread security incidents on the scale of historic events involving NotPetya, Stuxnet, MSBlast, or SQL Slammer.
Future adaptive AI worms are expected to function as autonomous agents that rapidly self-propagate. They operate by identifying zero-day vulnerabilities, known but unpatched software flaws, and unprotected sensitive data. Furthermore, these agents are designed to navigate across multiple environments, adjusting their methods dynamically based on the systems they encounter.
To stay ahead of this threat model, AI and machine learning security researchers at the University of Toronto, the Canadian AI incubator Vector Institute, ServiceNow, and the University of Cambridge developed a proof-of-concept (PoC) agentic AI worm. This PoC spreads by adapting to new environments, locating vulnerabilities, and generating methods to interact with the target systems. Concurrently, researchers at BeyondTrust are testing similar AI worm capabilities. This methodology parallels gain-of-function research in virology, where models are created to study and develop defenses against potential real-world incidents.
Agentic, adaptive AI worms have not yet been observed in active environments, but Kinnaird McQuade, chief security architect at BeyondTrust, recently discussed the timeline for such an event at the fwd:cloudsec North America Conference. McQuade anticipates that unauthorized actors may deploy AI-driven worms within the next six to twelve months. He noted that these agents will likely target developers and engineers who hold broad access privileges, moving laterally through cloud infrastructure.
Threat actors have already begun combining self-propagation capabilities—the defining characteristic of a traditional worm—with malicious AI tools to target software supply chains. Last September, security firms documented Shai-hulud, a worm that propagated through Node Package Manager (npm) repositories by accessing developer credentials to replicate across new packages. The following month, researchers identified the GlassWorm incident, which leveraged VS Code extensions to compromise developer environments. While other malicious operators use large language models (LLMs) to obfuscate their code, most currently rely on LLMs for development assistance rather than active runtime operations.
An Evolving Technical Challenge
AI worms represent the next iteration of self-propagating software. While similar concepts have appeared in fiction for years, real-world PoC AI agents operate with specific, measurable capabilities. According to the University of Toronto researchers, these agents replace static code with goal-directed reasoning that adapts to the vulnerabilities of each target in real time. The agents spread across a network by moving between devices, analyzing the current environment, locating credentials, and identifying vulnerabilities by utilizing the systems' own resources.
Traditional worms are typically stopped by patching the specific vulnerability they rely on. The University of Toronto team notes that an adaptive worm bypasses this limitation by using a recursive reasoning loop to detect and interact with diverse vulnerabilities as it propagates.
Notably, the PoC worm requires only small, free AI models to drive its decision-making and reasoning processes. The agent autonomously identifies vulnerabilities and sensitive information on each machine, then uses those environmental weaknesses to continue spreading.
Gary McGraw, founder of the Berryville Institute of Machine Learning (BIML), characterizes this as an evolutionary process in software risks. If traditional worms are self-replicating viruses, AI worms add an autonomous decision-making layer. Despite decades of advances in vulnerability management, many organizations continue to face significant patching backlogs. Even with modern vulnerability identification tools, such as Anthropic's Mythos, reducing the footprint of exposed systems remains challenging due to the sheer volume of software in deployment.
Vulnerability management currently operates across two dimensions, McGraw notes. While the industry is building more secure software and reducing technical debt, the total volume of software being deployed is simultaneously increasing at an unprecedented rate.
Hardening Networks Against Autonomous Propagation
Research into adaptive AI worms often serves as an early indicator of broader capabilities. In August 2002, a paper titled "How to 0wn the Internet in Your Spare Time" explored using pre-compiled lists of vulnerable servers to accelerate worm propagation—a concept known as a "flash worm." Five months later, the SQL Slammer worm used a similar method to spread across the internet, affecting 90% of vulnerable hosts in under 10 minutes.
However, current AI worm models face distinct technical hurdles. While unauthorized activities like cryptomining have shown that malicious actors can hijack system resources quietly, an AI worm requires a highly visible operational footprint. August Moore, senior AI and security engineer at 7AI, points out that it is easier for unauthorized software to remain hidden on unmonitored systems. By contrast, a machine learning runtime requires tens of gigabytes of VRAM. Running continuous inference on a standard host creates an anomaly that is difficult to mask as normal background noise.
Making enterprise networks resilient to AI worms requires foundational hardening and deep environmental visibility. McQuade emphasizes that enforcing least privilege is a critical strategy for weathering an AI-driven incident. Organizations should prioritize gathering comprehensive endpoint and cloud telemetry and implement automated remediation workflows.
The primary objective is to stop unauthorized lateral movement early, respond immediately to anomalous signals, and understand the full scope of an incident. In testing, the PoC worm thrived when it encountered over-privileged roles, unmonitored human access to production environments, and poorly managed credentials. Securing environments against these methods requires scaling foundational security practices to match the efficiency of autonomous tools.
The University of Toronto researchers prioritize detection, reducing the exposed infrastructure, and limiting propagation as the most effective defensive strategies. Fortunately, standard security fundamentals remain highly effective.
By requiring continuous authentication for every access request, zero-trust architectures effectively limit lateral movement once an initial foothold is established. Furthermore, network micro-segmentation strictly limits the number of hosts reachable from any single compromised machine. The researchers' test environment used a flat network structure; implementing even basic segmentation would substantially constrain an adaptive worm's reach.
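To make the segmentation point measurable, the following Python example (added here, not taken from the article or from the researchers' test environment) computes how many hosts are reachable hop by hop from one compromised machine under a flat network and under default-deny segment rules. The host names, segment names, and rule sets are constructed assumptions.

```python
from collections import deque

# Constructed inventory (hypothetical host and segment names).
HOSTS = {
    "dev-laptop-1": "workstations", "dev-laptop-2": "workstations",
    "ci-runner": "build", "artifact-repo": "build",
    "app-server": "prod", "db-server": "prod",
    "bastion": "mgmt",
}

# Default-deny rules: source segment -> segments it may open connections to.
BASIC_RULES = {
    "workstations": {"build"},
    "build": {"build", "prod"},   # assumed: CI pushes deployments into prod
    "prod": {"prod"},
    "mgmt": {"prod"},
}
# Tighter variant (assumed): the build -> prod path is removed.
TIGHT_RULES = {**BASIC_RULES, "build": {"build"}}


def flat(src, dst):
    """Flat network: any host can open a connection to any other host."""
    return src != dst


def segmented(rules):
    """Build a connectivity predicate from default-deny segment rules."""
    def can_connect(src, dst):
        return src != dst and HOSTS[dst] in rules.get(HOSTS[src], set())
    return can_connect


def blast_radius(foothold, can_connect):
    """Hosts reachable hop by hop from one compromised machine (BFS)."""
    seen, queue = {foothold}, deque([foothold])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and can_connect(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {foothold}


if __name__ == "__main__":
    for label, policy in [("flat", flat), ("basic", segmented(BASIC_RULES)),
                          ("tight", segmented(TIGHT_RULES))]:
        reach = blast_radius("dev-laptop-1", policy)
        print(f"{label:5} {len(reach)}/{len(HOSTS) - 1} hosts: {sorted(reach)}")
```

The basic rule set still lets a workstation foothold reach production in two hops through the build segment, which is why the reachable set has to be computed transitively rather than read off the direct allow rules.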