
Researcher Nicolas Papernot and his collaborators showed that publicly accessible AI models can be used to power a worm that adapts its strategy as it spreads (photo by Nick Iwanyshyn)
University of Toronto Researchers Demonstrate AI-Powered Worm That Can Hijack Any Internet-Connected Device
A team at the University of Toronto and the Vector Institute published research on June 2, 2026 revealing a new class of cyberattack that security professionals are not yet equipped to stop. The threat uses freely available AI models to power a worm that learns, adapts, and spreads itself across networks - targeting everything from laptops to hospital systems to energy infrastructure.
The researchers demonstrated that publicly accessible AI models can be used to power a worm that adapts its strategy as it spreads from one device to the next. It can seize control of an entire network and hijack computing power to allow hackers to launch sophisticated attacks at virtually no cost.
The research was conducted entirely in a secure, closed lab environment and shared with national science, security, and defence bodies before publication.
How the AI Worm Works
Traditional computer worms follow a fixed script. If they encounter a defence they weren't programmed to bypass, they fail. Security teams know this and build protections accordingly.
The AI-powered prototype is fundamentally different. It can scope out each target, tailor its attacks, and take over a machine before cloning itself onto the next one. The worm gathers information as it moves deeper into a network, with every breach revealing passwords and weak points that unlock the next machine. Because it adapts, no single defence can stop it.
The worm extends its reach at its victims' expense. Once embedded in a machine, it siphons processing power to fuel its reasoning and launch the next attack. This stolen compute propels its spread, essentially eliminating the cost of each new infection.
Lead researcher Nicolas Papernot, an associate professor at U of T and Canada CIFAR AI Chair at the Vector Institute, put it plainly: "Hackers have typically had to prioritize the most high-value targets because time and computing resources were limited. But now, once a worm is launched, the cost would drop to nearly zero."
Why Free AI Models Are the Key Threat
The research community has largely focused its cybersecurity concerns on powerful frontier AI models like Claude and GPT-4, which are tightly controlled by their developers. Papernot's team focused on a different and underappreciated risk.
Papernot's team was interested in the potential misuse of smaller, relatively simple models that anyone can download and modify for free. While valuable for researchers and developers, these "open-weight" AI models can be stripped of their safety guardrails and, with enough technical knowledge, manipulated to do harm. This risk is often downplayed on the assumption that these models lack the power to do real damage.
The prototype does not require cutting-edge AI. It exploits known software vulnerabilities and human errors like weak passwords and sloppy IT configurations - problems that software patches cannot fully fix. In an uncontrolled environment, the worm could gain internet access and scan for newly discovered vulnerability disclosures, exploiting them faster than organizations can patch.
"Every device connected to the internet - laptops, cameras, smart thermostats and everything else - becomes a potential target, if not for the data it holds, then as a foothold to attack more valuable targets," Papernot said.
What Businesses Need to Do Now
From four years advising executives on AI for business adoption, I've watched cybersecurity consistently treated as an IT department problem rather than a board-level risk. This research changes that calculus.
The AI worm threat is not a future scenario - it is a demonstrated capability built with tools available to anyone today. The window between "known threat" and "active exploitation" in cybersecurity is often measured in months, not years.
Papernot's practical recommendations are immediate: keep all devices patched and updated, use strong passwords, and enable multifactor authentication across your organization. These are basic steps that many businesses still haven't fully implemented. For organizations using AI automation tools that connect to multiple internal systems, the attack surface is larger than it was 12 months ago. That requires a corresponding upgrade in security posture.
Papernot's lab is already working on countermeasures, and the research was published specifically to give security professionals, policymakers, and organizations a head start before bad actors replicate the findings independently. The message is clear: the cybersecurity community needs to get ready for adaptive AI threats now.
Cut Through the Noise
What is the AI worm discovered by University of Toronto researchers? University of Toronto and Vector Institute researchers published research on June 2, 2026 demonstrating an AI-powered computer worm that uses free, open-weight AI models to adapt its attack strategy as it spreads across networks. Unlike traditional worms that follow a fixed script, this prototype tailors its approach to each device it infects, steals computing power from compromised machines to fuel further attacks, and cannot be stopped by any single defence measure.
Does building an AI worm require expensive AI models? No. The U of T prototype was built using freely available open-weight AI models that anyone can download and modify. The researchers specifically focused on this threat because the assumption that free models lack the power to cause serious damage has led to it being underestimated. The worm also steals computing resources from infected devices, meaning it costs the attacker nearly nothing to operate once launched.
What devices are at risk from AI-powered worms? Any internet-connected device is a potential target, including laptops, printers, cameras, smart thermostats, HVAC systems, and critical infrastructure networks. Researchers note that devices may be targeted not just for the data they contain, but as a foothold to gain access to more valuable systems on the same network.
What should businesses do to protect against AI worm threats? Researchers recommend keeping all devices patched and up to date, enforcing strong password policies, and enabling multifactor authentication across all systems. The AI worm exploits known vulnerabilities and human configuration errors that cannot be fixed by patches alone. Organizations with AI automation tools connecting to multiple internal systems should treat their expanded attack surface as a priority security review.




