What Happened
University of Toronto researchers have built and tested a proof-of-concept AI-driven computer worm that uses a locally hosted open-weight large language model to reason its way through a network, generate tailored attack strategies for each target it encounters, and replicate itself, all without human intervention and without touching a commercial AI service. The preprint, posted to arXiv on
Why It Matters
The article describes University of Toronto research demonstrating a proof-of-concept self-replicating worm that uses locally hosted, open-weight LLMs to autonomously discover systems, identify vulnerabilities and misconfigurations, craft tailored exploits, and propagate across a network without human intervention or any call to a commercial AI service.[1][2][3] The worm runs on modest hardware and leverages the GPUs of machines it compromises to scale its own capabilities; because it never sends a prompt to a hosted provider, the controls that live at that boundary (cloud provider content filters, rate limits, and provider-side AI safety controls) never see its traffic and cannot stop it.[1][2][3]

From a CyberSE.AI perspective, this is a concrete malicious-use pattern: an autonomous agent chaining reconnaissance, exploitation, lateral movement, and self-replication entirely inside attacker-controlled infrastructure, which makes AI governance and guardrails that assume a provider API in the loop insufficient on their own. Organizations should assume similar capabilities will be weaponized and use continuous AI-focused red teaming to test how their networks, identity controls, and AI-enabled agents withstand adaptive, LLM-powered worms that depend on no external API or safety-filtered service.
CyberSE Analysis
This signal maps to the malicious AI use category. The practical lesson is that the worm's only safety boundary is the attacker's own GPU, not a vendor's API, so any control that depends on a provider seeing the prompts offers no coverage here; what remains are the network, identity, and host controls the worm has to cross. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should also review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure in their own agent deployments.
Recommended Actions
- Restrict AI agent tool permissions to an explicit allow-list, and keep production write paths off that list by default.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
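The first and third actions above (tool allow-listing and a human approval gate for state-changing actions), as an added example that is not code from the article or from the University of Toronto research. It is a minimal tool gate for an LLM agent in Python: read-only tools within policy run unattended, any state-changing tool is held for a human decision, and anything not on the allow-list is denied and written to an audit trail. The tool names, filesystem roots, request paths, and the `approver` callback are hypothetical.

```python
# Added example (not from the article or the Toronto research): a minimal
# allow-list tool gate for an LLM agent. Tool names, roots and paths are
# hypothetical. Read-only tools run unattended; any state-changing tool is
# held for a human decision; anything not listed is denied and audited.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from pathlib import PurePosixPath
from typing import Callable


class Effect(Enum):
    READ = "read"    # observes state only
    WRITE = "write"  # changes state: files, tickets, infrastructure


@dataclass(frozen=True)
class ToolSpec:
    name: str
    effect: Effect
    # Absolute directory prefixes the tool may touch; empty means no filesystem access.
    allowed_roots: tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    needs_approval: bool
    reason: str


def path_allowed(spec: ToolSpec, path: str) -> bool:
    """True only for an absolute, traversal-free path under one of spec's roots."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents
               for r in spec.allowed_roots)


class ToolGate:
    def __init__(self, specs: list[ToolSpec], approver: Callable[[str, dict], bool]):
        self.specs = {s.name: s for s in specs}
        self.approver = approver  # a human decision; never the model itself
        self.audit: list[tuple[str, dict, Decision]] = []

    def check(self, tool: str, args: dict) -> Decision:
        spec = self.specs.get(tool)
        if spec is None:
            return Decision(False, False, f"{tool!r} is not on the allow-list")
        path = args.get("path")
        if path is not None and not path_allowed(spec, path):
            return Decision(False, False, f"{path!r} is outside the allowed roots for {tool!r}")
        if spec.effect is Effect.WRITE:
            return Decision(True, True, "state-changing tool: human approval required")
        return Decision(True, False, "read-only tool within policy")

    def invoke(self, tool: str, args: dict, impl: Callable[..., object]) -> object:
        decision = self.check(tool, args)
        if decision.allowed and decision.needs_approval and not self.approver(tool, args):
            decision = Decision(False, True, "human approver declined")
        self.audit.append((tool, dict(args), decision))  # every request is recorded
        if not decision.allowed:
            raise PermissionError(decision.reason)
        return impl(**args)


# Hypothetical policy: the agent may read app data and write only to a scratch area.
POLICY = [
    ToolSpec("read_file", Effect.READ, allowed_roots=("/srv/app/data",)),
    ToolSpec("write_file", Effect.WRITE, allowed_roots=("/srv/app/scratch",)),
    # run_shell is deliberately absent: anything not listed is denied.
]


def demo(approve: bool = True) -> dict[str, Decision]:
    """Run constructed agent requests through the gate and return each decision."""
    gate = ToolGate(POLICY, approver=lambda tool, args: approve)
    requests = {
        "read_ok": ("read_file", {"path": "/srv/app/data/report.txt"}),
        "read_secret": ("read_file", {"path": "/etc/shadow"}),
        "read_traversal": ("read_file", {"path": "/srv/app/data/../../../etc/passwd"}),
        "write_scratch": ("write_file", {"path": "/srv/app/scratch/out.txt"}),
        "write_prod": ("write_file", {"path": "/srv/app/data/config.yaml"}),
        "shell": ("run_shell", {"cmd": "id"}),
    }
    return {label: gate.check(tool, args) for label, (tool, args) in requests.items()}


def run_write(approve: bool) -> str:
    """Invoke the gated write tool; return the tool's result or the denial reason."""
    gate = ToolGate(POLICY, approver=lambda tool, args: approve)
    try:
        return str(gate.invoke("write_file", {"path": "/srv/app/scratch/out.txt"},
                               impl=lambda path: f"wrote {path}"))
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:15} allowed={d.allowed!s:5} approval={d.needs_approval!s:5} {d.reason}")
    print(run_write(True))
    print(run_write(False))
```

The deny-by-default shape matters more than the details: the model never sees a tool it is not allowed to call, path arguments are validated against fixed roots before any effect happens, and the approval callback is a separate human-facing channel rather than another model call, so a prompt-injected or adversarial agent cannot approve its own state-changing actions.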
Source
https://thehackernews.com/2026/06/researchers-build-self-replicating-ai.html