惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News - Newest:
Hacker News - Newest: "LLM"
S
SegmentFault 最新的问题
The Cloudflare Blog
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Privacy & Cybersecurity Law Blog
有赞技术团队
有赞技术团队
www.infosecurity-magazine.com
www.infosecurity-magazine.com
雷峰网
雷峰网
Google DeepMind News
Google DeepMind News
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Threatpost
The Hacker News
The Hacker News
人人都是产品经理
人人都是产品经理
阮一峰的网络日志
阮一峰的网络日志
大猫的无限游戏
大猫的无限游戏
L
Lohrmann on Cybersecurity
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
W
WeLiveSecurity
T
Threat Research - Cisco Blogs
博客园 - 叶小钗
量子位
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Simon Willison's Weblog
Simon Willison's Weblog
I
Intezer
S
Secure Thoughts
V
V2EX
Apple Machine Learning Research
Apple Machine Learning Research
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
Microsoft Azure Blog
Microsoft Azure Blog
博客园_首页
Help Net Security
Help Net Security
爱范儿
爱范儿
C
Cybersecurity and Infrastructure Security Agency CISA
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
C
Check Point Blog
WordPress大学
WordPress大学
Last Week in AI
Last Week in AI
T
Tor Project blog
NISL@THU
NISL@THU
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
InfoQ
The Register - Security
The Register - Security
Recent Announcements
Recent Announcements
N
News and Events Feed by Topic
B
Blog RSS Feed

The Register - Special Features

Troops’ phones gave away location data to foreign adversaries Qualcomm picks bad time to pitch a $300 laptop platform AI agents get their own phone directory built atop DNS Carnival confirms ShinyHunters cruised off with 6M customer records after April breach Google engineer accused of turning Year in Search secrets into Polymarket payday Are we human? India's cyber agency sets clock at 12 hours to tackle exploited bugs as AI turns up the heat Broadcom gets early start on WiFi 8 with next-gen wireless routing kit Are we human? Microsoft Excel champ proves he still has the formula Anthropic co-founder hallucinates ghost in the machine Anthropic co-founder hallucinates ghost in the machine NASA plans Moon Base buildout with rovers, drones, cargo landers MyPillow must decide whether to be firm or soft as ransomware crims demand pay Starship shows it can deploy satellites, but Moon mission clock still ticks Huawei's chip law looks less like Moore and more like marketing Experts pour cold borscht on Farage's Russian hack claim Logitech unveils a cushioned mouse for all-day use AI eyes scanning for bugs create a worrisome Linux security trend A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets AI datacenter boom collides with US grid reality Media giant settles for $930k amid user-snooping allegations AT&T sues to ditch Cali copper phone lines to save billions FBI warns of Kali365 as device code phishing soars Techie claims Trump Mobile website was leaking thousands of people's data BOFH: Vibe-coded solutions arrive for problems nobody has Dems slam Trump for making cybersecurity hold out the tin cup while splurging on ballroom and Jan. 6 'slush fund' Google explains how it will infuse ads into AI answers AI is getting pricey, but relief is coming, but not for you Deus ex machina: Half of US Christians trust AI's spiritual advice Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach Apple adds AI smarts to Voice Control, VoiceOver and Magnifier ahead of Accessibility Day Microsoft open-sources agentic AI safety tools OpenAI wants upfront cash for guaranteed AI capacity Fedora: Microsoft is all aboard, but Deepin is dumped Bye-bye, Gemini CLI; Google nudges devs toward Antigravity Plex appeal fades as Lifetime Pass jumps to $750 AI sackings reach New Zealand, which will use it to eject 14 percent of government staff Anthropic’s Stainless steal tightens grip on AI dev tooling Are we human? Google touts tokenmaxxing, huge capex, and AI agents at I/O America's top cyber-defense agency left a GitHub repo open with with passwords, keys, tokens – and incredibly obvious filenames America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames Shadow AI invades the workplace, up 4x in the last year Microsoft refreshes Surface for Business lineup, starts AI PC upsell at $1,499 Broadcom finds a VMware customer willing to stick around: London Stock Exchange 468k records allegedly stolen from Portugal’s postal carrier Baidu says the quiet part out loud – you can’t build AI infrastructure, so clouds can cash in Shai-Hulud copycat worm infects yet another npm package Uncle Sam's next big super might not use GPUs Are we human? Datacenters slurping up so much juice they boosted prices 75% in largest US energy market MPs want social media treated more like unsafe toys than harmless apps Cerebras’ wafer-scale AI bet delivers blockbuster IPO Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data Anthropic tosses agents into the API billing pool Jen Easterly, cybersecurity's 'relentless optimist,' hopes feds come back to RSAC next year Jen Easterly, cybersecurity's 'relentless optimist' Smooth criminals talking their way into cloud environments, Google says Voice phishing skyrockets as smooth crims talk their way in RSAC 2026: Uncle Sam backs out, AI agents everywhere RSAC 2026: Uncle Sam backs out, AI agents everywhere Decoding Nvidia's Groq-powered LPX and the rest of its new rack systems A closer look at Nvidia's Groq-powered LPX rack systems Nvidia slaps $20B Groq tech into massive new LPX racks to speed AI response time Nvidia slaps Groq into new LPX racks for faster AI response AI Burning Man happens next week – what to expect at Nvidia GTC 2026 Nvidia GTC 2026: What to expect at AI Burning Man Unaccounted-for AI agents are being handed wide access Unaccounted-for AI agents are being handed wide access Google to foist Gemini pane on Chrome users Google to foist Gemini pane on Chrome users Yes, you can build an AI agent – here's how, using LangFlow How to build an AI agent using LangFlow Clawdbot becomes Moltbot, but can’t shed security concerns Clawdbot becomes Moltbot, but can’t shed security concerns Gartner questions if Salesforce AI will stay all-you-can-eat Gartner questions if Salesforce AI will stay all-you-can-eat Claude supports MCP Apps, presents UI within chat window Claude supports MCP Apps, presents UI within chat window Cursor is better at marketing than coding Cursor is better at marketing than coding Feds skipping infosec industry's biggest conference, RSAC AI is rewriting how power flows through the datacenter All aglow about DCs, investors launch $300M at microreactor startup Radiant bags $300M-plus to commercialize its microreactors Why do bit barns keep bumping up our bills, Senators ask DC operators Senate trio questions DC operators over rising energy costs Building the AI factory datacenter Delays? What delays? Oracle insists its $300B cloud contract with OpenAI is on track Oracle insists its $300B contract with OpenAI is on schedule Salesforce willing to lose money on AI to lock in customers Salesforce willing to lose money on AI to lock in customers Galactic Brain space datacenter coming in 2027, pledges startup Aetherflux Galactic Brain space datacenter promised in 2027 Activist groups urge Congress to pause datacenter buildouts Activist groups urge Congress to pause datacenter buildouts Bezos-backed Unconventional AI addresses datacenter power Bezos-backed Unconventional AI addresses datacenter power AWS re:Invent keynote: Matt Garman bores, then thrills
Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine
Jessica Lyons Jessica Lyons · 2026-06-04 · via The Register - Special Features

There's a lot of fear surrounding the bug-finding capabilities of super-advanced AI models like Anthropic's Mythos and OpenAI's GPT 5.5-Cyber. But attackers are already using free, publicly available LLMs to hijack networks and worm through software supply chains at a much lower cost – to them at least.

The latest example comes from University of Toronto researchers, who used an unnamed, publicly available open-weight model released in 2025 to develop a computer worm that they claim spread through an enterprise test network.

The self-propagating code adapts on the fly to identify known vulnerabilities and misconfigurations on target systems, then generates and executes attacks to move laterally through the network and compromise additional machines.

And it’s all built on a small, free model that runs on a single GPU.

“People need to understand that it’s not just the biggest and most powerful AI models that pose security concerns – a whole other area of threat has been vastly underestimated,” University of Toronto computer engineering professor Nicolas Papernot told The Register.

Papernot and fellow researchers Jonas Guan, Tom Blanchard, Hanna Foerster, Hengrui Jia, and Gabriel Huang published their findings [PDF] on Tuesday.

While guardrails and other safety features implemented by major commercial AI systems are “essential,”  Papernot told us, in reality “they will not prevent the threat of AI-driven worms with a similar design.”

“The majority of real-world cyberattacks don’t rely on zero-day vulnerabilities,” he added. “Our work demonstrates that attackers can now cheaply operationalize known vulnerabilities at scale, which decreases the window of time defenders have to fix vulnerabilities and find human errors, like reused passwords or poorly configured backup jobs.”

The paper doesn’t specify, and Papernot declined to say, which LLM they used. 

“We omitted certain methodological details (such as the agent’s reasoning graph and tool harness) and experimental specifics (such as the AI model) that could materially help a malicious actor construct similar malware,” Papernot said. “We shared enough information to make the threat credible enough for scientific scrutiny without providing a blueprint that would enable misuse.”

The researchers also noted that they are not publicly releasing the code, but are working with the University of Toronto to set up a vetting process through which qualified researchers may request access for defensive research purposes.

Not NotPetya

Before you start breathing into a paper bag, there are a few things to note about this research.

First, unlike Mythos and friends, the prototype worm does not exploit zero-day vulnerabilities. It only targets publicly disclosed but unpatched bugs, misconfigurations, and recurring weakness classes.

This is intentional, because known security flaws – not zero-days – are what most real-world cyberattacks use, the authors say, citing WannaCry and NotPetya as examples. Both of these worms exploited security holes that had patches available for at least a month before the malware infected vulnerable machines. Both spread rapidly and caused global disruption.

The worm did, however, find and abuse vulnerabilities disclosed after the model’s training cutoff by ingesting publicly available security advisory information at runtime and using this data to develop exploits. 

While the paper repeatedly points to WannaCry and NotPetya as worst-case scenario examples, this lab-tested prototype or something similar is not going to cause the level of destruction that either of those two earlier worms did. 

Both propagated very quickly: WannaCry infected more than 230,000 computers across 150 countries in just one day in May 2017. In June 2017, NotPetya spread globally within hours, taking down at least one large banking network in just 45 seconds. Plus, they both used very sophisticated evasion techniques to avoid being detected by security tools.

This worm, on the other hand, moves slowly. In the “FakeCorp” network they used in the experiments, the prototype took about five days to replicate across half the network, requiring hundreds of LLM inference calls per target for reconnaissance, strategy formulation, and payload generation.

The timeline gives defenders a longer window for detection and response. However, it will likely shorten as inference hardware and model efficiency improve.

Also, unlike WannaCry and NotPetya, the worm doesn’t try to hide itself. “We deliberately chose not to equip the worm with concealment capabilities – it is not instructed to cover its tracks or minimize its network footprint, and it has no tools to do so,” the boffins wrote. “This was a conscious methodological choice to further limit the risk of misuse.”

Finally, the test-network devices themselves didn’t have any endpoint detection, antivirus, or firewall software deployed, which (we hope) makes this a not-quite-realistic setup.

Exploiting the FakeCorp target network

Here’s how the experiments worked.

The team deployed the worm prototype in 15 independent experiments on an isolated 33-host network including Linux servers, Windows environments, and IoT devices. Each computer had been seeded with at least one real-world vulnerability, including software bugs and misconfigurations.  

The worm operated fully autonomously for seven days, and correctly identified an average of 31.3 vulnerabilities, exploited 23.1 hosts to elevated access, and propagated to 20.4 hosts. It reached up to seven generations of self-replication, we’re told.

“Put another way, on average, the proof-of-concept worm successfully exploited 73.8 percent of the network and then replicated to 61.8 percent of the network,” according to the research paper. 

In addition to finding and abusing the known flaws on the devices, the worm also found vulnerabilities disclosed after the LLM’s training cutoff: two recent Linux flaws, CopyFail and DirtyFrag, and a critical bug that leads to remote code execution in the Marimo notebook platform (CVE-2026-39987).

The AI-based worm gained root access in 41 of 67 attempts (61 percent) across the three hosts with these one-day vulnerabilities. This includes 13 of 27 attempts on the Marimo host, 15 of 17 on DirtyFrag, and 13 of 23 on CopyFail. 

The two Linux vulnerabilities were disclosed shortly before the experiments, and a single document containing publicly available exploit instructions was enough for the worm to weaponize them successfully 70 percent of the time, or in 28 out of 40 attempts.

“This result suggests that the same exploitation pipeline can absorb newly published vulnerability information without architectural changes,” the team wrote.

When worms get sneaky

In addition to finding and exploiting vulnerabilities, the AI worm did some other interesting, sneaky things during the experiments. 

Despite the lack of firewalls and endpoint security products enabled, the researchers added some components to the worm’s code to “provide increased defence-in-depth.” This included a denylist of IP addresses baked into the source code. 

So in theory, the worm would read the denylist every time it targets a new machine, and if the IP address matched one on the list, it would move on to a new target, thus preventing it from infecting some hosts. Instead, at “various points” during the experiments, the worm rewrote its source code to allow it to attack an IP address on the denylist. 

In another workaround example: when a virtual-machine check caused replica worms on Alpine Linux and Windows Server 2008 machines to crash at startup, the parent worm found the attestation source file on the target computer and removed the VM-detection check, allowing the worm to replicate successfully on the new machine.

“This behavior was not prompted or incentivised by the agent’s instructions; it autonomously diagnosed the failure, identified the responsible code, and modified it to achieve its objective,” the boffins wrote.

In another test run, the researchers accidentally packaged a FakeCorp network configuration file that included admin credentials with the worm code. The worm discovered the credentials and shared them with other active replica worms, “causing a rapid increase in propagation within the contained environment.”

Additionally, in two separate instances, the worm established persistence on a compromised computer using mechanisms outside of the intended replication pipeline, we’re told. In one instance, it started the replica process and then registered it with the machine’s service-management system to auto-restart if terminated. In another, it created a scheduled task that relaunched the replica worm, causing it to reappear even after the original process was killed. 

“The agent appears to have inferred, from the general objective of maintaining an operational replica, that persistence mechanisms available on the target could be used to make the replica more robust,” the researchers noted.

Prior to publishing their work, the academics say they shared their findings with “national science, security, and defence” agencies to seek advice on how to responsibly release the information. We asked Papernot for details, including which government agencies and how they responded, but he declined to share anything else. ®