In a new paper released yesterday, ‘AI Agents Enable Adaptive Computer Worms,’ the researchers explain that traditional worms exploit a single vulnerability—patch it, and you stop the spread. But AI agents go further: the worm they built generates tailored attack strategies, with no human intervention, by hijacking compromised machines and running open-weight LLMs to simultaneously reason and extend its reach. 

The researchers ran the worm 15 times on a simulated 33-machine corporate network. On average, in one week with zero human involvement, the worm broke into nearly three-quarters of the machines on the network, and set up a permanent presence on nearly two-thirds of them.

In addition, any LLM knowledge cutoff—a date after which they don’t know about new vulnerabilities—did not stop the worm. The researchers showed the worm could read fresh, publicly available vulnerability advisories online in real time—the same ones security teams use—and figure out how to exploit those new flaws on its own. 

Findings come after Anthropic’s Mythos wake-up call

The paper’s findings come at a nervous moment for cybersecurity. Anthropic’s recently launched Mythos model, deployed only to companies with critical software through Project Glasswing, rattled enterprise security teams by revealing just how many unpatched software vulnerabilities exist across corporate infrastructure. Now the Toronto researchers are showing what happens when autonomous generative adversaries can find their way in without humans and without without already-known exploits.

“This is bigger than Mythos in my view,” said Gary McGraw, CEO of the AI security nonprofit Berryville Institute of Machine Learning. “This shows what happens when a generic model that’s open weights can be targeted, and it just sort of grinds relentlessly, looking for bugs.” 

What’s new here, he told Fortune, is that AI has gotten so good at looking for bugs and finding exploits, that even the non-Mythos models, including smaller, open-weight LLMs, are now good enough to be the brains of a worm. 

It should be a wake-up call to the industry, said McGraw, as was the famous Morris worm of 1988—when Robert Morris Jr. created a worm at MIT, let it loose, and it rampaged across the early Internet like a wildfire. 

Nearly four decades later, agentic AI is providing the “brain” that looks for not just one bug, but any bug, he explained. Traditional worms, including important news-making ones like Heartbleed in 2014 and WannaCry in 2017, were all based on one particular bug. 

“Now, the worm can pick a target, and instead of seeing whether it has one bug that it knows about, it can just try to hack it with any bug that it can find,” he said. 

Ari Herbert-Voss, CEO of AI cybersecurity startup RunSybil and formerly OpenAI’s first security hire, agreed that this is the latest reckoning for organizations, who need to accelerate patching efforts and stay ahead of a new generation of machine-speed attacks.

“Organizations that continue to patch on human timelines will increasingly find themselves behind the curve,” he said.

Still, it is important to separate laboratory success from operational reality, pointed out Jamieson O’Reilly, an offensive security specialist and founder of red-teaming startup Dvuln. “I have no doubt that AI-driven propagation is a real and growing capability,” he said, but added that while the researchers showed the AI-powered worm could spread to intentionally vulnerable targets in a controlled environment, companies do have defensive controls, monitoring, authentication barriers and operational friction that could dramatically alter outcomes.

“I view this research as an important warning sign rather than a surprise,” he said. “AI is steadily reducing the expertise required to build autonomous offensive capabilities, and both governments and organizations should take that seriously.”

Security teams must figure out how to defend in this new era

For security teams, the answer to how to defend against the dangers of AI-powered worms is investment—specifically in fixing software, said McGraw, pointing to Mythos as a model. “The thing I love about Mythos is that people spent literally millions of dollars finding and fixing bugs,” he said. “Maybe this will get the people who weren’t involved [in Project Glasswing] to realize, we’ve got to fix our software too.”

Herbert-Voss, however, argued that this may not fundamentally be just a spending problem. Most organizations already have more vulnerabilities than they can realistically address. “The challenge is knowing what actually matters for an attacker to gain control,” he explained. “As attackers become faster and more automated, defenders need to become more precise.”

In addition, O’Reilly emphasized that defenders still have an edge as worms using local AI models for their reasoning would still have to move large model files around computer networks. That creates unusual traffic and activity that security teams could detect. However, as models improve and get smaller, that advantage will erode, he warned.

But McGraw insisted that the biggest challenge is that defenders are chronically underfunded. Most security professionals already know what they should be doing—patching software, pen testing, using AI defensively. “That costs money, and it’s an investment,” he said. “You can spend too much on security, so how much is enough? Well, the scales recently changed. Time to think about it again.”

The bottom line, McGraw insisted, may be difficult, but is uncomplicated: “Fix your damn software.”