Bottom line: Locally deployed open-source language models enable autonomous attack worms when equipped with appropriate agent architectures, independent of paid frontier models.
Security researchers at the University of Toronto have developed an AI-driven computer worm that autonomously spreads through simulated networks using a free local language model. The demonstration shows: attackers do not need highly specialized AI models to exploit existing security vulnerabilities and misconfigurations in enterprise environments.
Researchers from the CleverHans Lab at the University of Toronto have developed an AI-assisted worm prototype that searches CVE databases, analyzes network configurations, and independently identifies and exploits security vulnerabilities — both known and newly published weaknesses. The worm copies itself to additional systems and can exfiltrate data or launch additional attacks. The experiment was conducted in a simulated network environment encompassing various Ubuntu, Debian, Alpine, Rocky Linux, and CentOS versions.
The core focus of the research is that attackers do not need state-of-the-art frontier models like Claude Opus or GPT 5.5. Such models are accessible via APIs and enforce safety guardrails that would block suspicious prompts. Locally deployed, freely available language models, by contrast, run on proprietary hardware without such restrictions. This makes them more attractive for autonomous malware: neither API dependency nor telemetry logging occurs.
The researchers compensated for the limitations of local models — smaller context windows, weaker agent capabilities — through a specialized harness architecture. This architecture breaks tasks into phases and steps, coordinates multiple specialized sub-agents in parallel, and manages insights centrally through a hierarchical memory system, similar to Markdown files or databases. Additional components include tool handlers that execute pentesting commands and a skill system that injects context-dependent attack vectors.
Such agent harnesses are not new in security research. Open examples like RAPTOR for Claude or SecOpsAgentKit demonstrate that earlier model generations with appropriate engineering can achieve capabilities similar to today’s frontier models. Gadi Evron, CEO of AI security company Knostic and co-developer of RAPTOR, confirms: new harnesses emerge every time more powerful models become available — this is a continuous arms race.
For CISOs, the message is critical: the threat from AI-driven attacks does not depend on Mythos or other frontier models, but on the combination of locally available models, established agent architecture, and the prevalence of unpatched vulnerabilities and misconfigurations such as password reuse across the network. There is no single measure against this threat.
Source: www.csoonline.com · Published 9 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.