Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models

University of Toronto researchers have developed a self-replicating AI worm operating entirely on local, open-weight language models without external AI service dependencies. The proof-of-concept demonstrates autonomous network propagation, reasoning through target systems, and generating custom attack strategies for each compromised device.

The worm operates independently using locally hosted models, removing reliance on commercial AI platforms that might detect malicious activity through API monitoring. Researchers documented the worm's ability to move laterally across networks, analyze target configurations, and craft exploitation methods tailored to each system encountered.

This work underscores a growing threat vector. As open-weight models like Llama, Mistral, and others become increasingly capable and accessible, the barrier to deploying autonomous attack infrastructure drops significantly. Threat actors need not depend on cloud-based AI services that enforce safety guardrails or maintain audit trails. A sufficiently resourced adversary can host models locally, execute unrestricted inference, and develop fully autonomous malware with no external communications.

The research carries particular implications for enterprise networks. Organizations relying on perimeter defenses face risk from worms that reason about network topology, identify high-value targets, and adapt payloads in real-time without human control loops. Traditional signature-based detection fails against dynamically generated attack patterns.

The proof-of-concept establishes technical feasibility but remains in early stages. Practical deployment still requires computational resources at compromised endpoints and successful initial infiltration. However, the research validates the architectural concept and removes skepticism about autonomous, reasoning-capable malware operating without cloud dependencies.

Organizations should assess their ability to detect anomalous model inference on endpoints, monitor for unusual computational load spikes that might indicate local model execution, and implement network segmentation that limits lateral movement velocity. Security teams face a new class of threat requiring behavioral detection rather than pattern matching.

The work was published as a pre