Scientists discover how to enhance dangerous computer ‘worms’ with AI


San Francisco: Researchers at the University of Toronto announced they have discovered a way to use artificial intelligence to create dangerous computer “worms” that can target known flaws in computers around the world and rapidly spread chaos across the Internet.

Computer scientists said in a paper published Tuesday night that the program was buildable and the prototype they created spread across a test network without human intervention.

The researchers kept the test network isolated from the public Internet. They also redacted some of the details in the paper describing how the worm was built to prevent hackers from using it as a blueprint for an attack.

But their research could raise concerns that AI is ushering in a new era of computer hacking that is difficult to defend against. There is also growing evidence that advances in AI are creating risks to computer networks that were unimaginable just a few years ago.

AI company Anthropic said in April that its latest technology, Claude Mythos, is too powerful to be released to the public because hackers could use it to exploit security holes in computer networks faster than ever before.

Anthropic limited the release of the technology to about 40 organizations that maintain critical computer infrastructure so they can patch security vulnerabilities before hackers can exploit them.

A week later, Anthropic’s biggest rival, OpenAI, announced it would restrict the release of similar technology. OpenAI shared its new system with hundreds of organizations and expanded the release to thousands of partners in the following weeks.

(The New York Times sued OpenAI and Microsoft in 2023, alleging copyright infringement of news content related to AI systems. Both companies deny these claims.)

A University of Toronto paper adds a new twist to the fear of AI. The AI technology that powers this worm is “open source” or “open weight,” meaning it’s freely shared on the internet, so no one can restrict how it can be used. The proverbial genie is out of the bottle.

“To prevent this, we need a completely secure system, and we know that’s currently not possible,” said Nicolas Papernot, a computer engineering professor at the University of Toronto who led the team that built and tested the prototype.

Papernot and his team, who published the paper on the lab’s website, were able to create what is essentially an AI-powered version of the computer worms that hackers began releasing on the Internet two decades ago. Unlike other types of computer viruses, worms spread from machine to machine on their own, without the need for human assistance.

Each of these self-replicating software programs, with names like SQL Slammer, Conficker, and Stuxnet, exploited specific vulnerabilities in computers and took control of millions of machines, stealing data, deleting files, and generally wreaking havoc.

After a decade of attacks, many computer users have learned how to quickly patch the most prominent vulnerabilities. But the threat never went away. In 2017, another worm, WannaCry, targeted another critical flaw in machines around the world, infecting more than 300,000 machines in 150 countries, holding data hostage, and demanding a ransom payment in Bitcoin.

A prototype created by researchers in Toronto takes this type of self-replicating worm one step further. By coordinating new attacks to each machine it encounters, it can quickly spread throughout the network. As Papernot explained, the worm could “infer” new attack strategies.

“This makes it significantly more difficult to stop the spread of malware,” he said. “There is no longer a single software fix that you can apply to your device to protect it from worms.”

This worm can run on computers using Windows or Linux operating systems. The worm’s complexity also means that it needs to find a more powerful machine to operate, but it can attack less powerful machines such as laptops, printers, and cameras on the same network.

Security experts are not surprised that AI can coordinate attacks. Over the past year, companies in the United States, China, and other parts of the world have built AI systems that are particularly good at writing computer code. If an AI system can write code, it may be able to exploit vulnerabilities in software applications.

But key systems from companies like Anthropic and OpenAI can’t be packaged into worms because they’re not open source and are probably too large to run on many computers. Many experts believed that open-source AI technology was not powerful enough to power self-replicating computer worms.

Some outside experts said the threat may be limited because AI systems are error-prone. “There’s usually a huge gap between what can be produced in a laboratory environment and what can cause significant harm in society,” said Dan Lahav, CEO of Irregular, a security firm that specializes in AI threats.

“AI systems tend to be unpredictable and clumsy,” he added. “They do strange things that can trigger security defenses.”

But Lahav also cautioned that AI will continue to evolve. This means businesses need to patch as many software vulnerabilities as possible, and AI can help them do that.

As such, researchers say Mythos needs to be shared with a broader group so that Anthropic can use it to combat AI threats. Anthropic announced Tuesday that it will share its technology with an additional 150 organizations.

“Ultimately, the best thing to do is to distribute it more widely so that people can take advantage of the technology and fix the vulnerability,” said David Lee, a computer science professor at the University of Toronto who reviewed the paper but was not part of the team that built the worm. – ©2026 The New York Times Company

This article was originally published in The New York Times.
