惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
P
Proofpoint News Feed
The GitHub Blog
The GitHub Blog
The Register - Security
The Register - Security
Recorded Future
Recorded Future
D
Docker
I
InfoQ
Recent Announcements
Recent Announcements
MongoDB | Blog
MongoDB | Blog
Microsoft Azure Blog
Microsoft Azure Blog
A
About on SuperTechFans
N
Netflix TechBlog - Medium
H
Hackread – Cybersecurity News, Data Breaches, AI and More
云风的 BLOG
云风的 BLOG
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
F
Full Disclosure
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threatpost
C
Cisco Blogs
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
Security Latest
Security Latest
The Hacker News
The Hacker News
Microsoft Security Blog
Microsoft Security Blog
B
Blog
IT之家
IT之家
Latest news
Latest news
D
DataBreaches.Net
T
Tor Project blog
Scott Helme
Scott Helme
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Threat Research - Cisco Blogs
博客园 - 司徒正美
S
SegmentFault 最新的问题
宝玉的分享
宝玉的分享
Project Zero
Project Zero
T
The Exploit Database - CXSecurity.com
P
Privacy International News Feed
Last Week in AI
Last Week in AI
C
CERT Recently Published Vulnerability Notes
WordPress大学
WordPress大学
博客园 - 【当耐特】
C
Cybersecurity and Infrastructure Security Agency CISA
G
GRAHAM CLULEY
小众软件
小众软件
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 聂微东
酷 壳 – CoolShell
酷 壳 – CoolShell
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

The Register

Grafana offers AI assistant for free, warns users not to go mad Right to repair champ Framework punts modular 13in laptop with Core Ultra Series 3 Scotland Yard can keep using live facial recognition on Londoners, say judges UK tribunal sends £2B claim accusing Microsoft of overcharging for licensing to trial Nation-states want to cause harm, not just steal cash - stop handing your cyber defenses to the cheapest contractor Murder, she wrote: Ex-FBI chief wants some ransomware crims charged with homicide Phone-to-satellite use goes into orbit, growing 25% in 8 months macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets Anthropic bakes memory fixes into Bun 1.1.13 as developers complain of leaks The spaghettified DBMS chart that shows Oracle's crown is slowly slipping Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords FAA grounds Blue Origin's New Glenn as it probes missed satellite delivery 'mishap' AMD's Ryzen 9 9950X3D2 Dual Edition tested: Gratuitous overkill with a price to match AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account Crook claims to leak 'video surveillance footage' of companies Met police trials snoop tech platform in push to cuff more London shoplifters England's school phone ban gets teeth, just in time to bite no one Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Panasonic creates device-locked QR codes to speed facial biometric capture Iran claims US used backdoors to knock out networking equipment during war NASA Inspector fears new spacesuits won’t be ready for Moon landing Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Trump-branded datacenter project fails to make itself great, again World's blandest man steps down from CEO job to spend more time in tastefully appointed home Chase got a spiff of $77 million to create one job with New York datacenter Scot becomes second Scattered Spider-linked crook to plead guilty in US You too can build a nuclear battery from junk you have lying around the house Schmoozebots: study finds flattery will get AI everywhere One of Europe's sovereign cloud picks may not be so-sovereign after all New Android development tool designed for robots, not humans AI is reshaping Britain's datacenter map away from London HP's remote desktop push retreats as Anyware heads for end of life 'Invisible mouse' made a mess of PC rebuild NASA working on ‘Big Bang’ upgrade to keep the Voyagers alive for longer Indonesia’s game rating system paused amid claims it leaked developer creds and glimpses of major new titles Just like phishing for gullible humans, prompt injecting AIs is here to stay Atlassian’s new data collection policy protects rich customers while AI eats the rest Intel eases reliance on TSMC with 'Merica-made Core Series 3 processors NASA gets the ball rolling on its part in Europe's jinxed Mars rover mission Attention data hoarders: Alexa loses its Plex appeal as voice feature gets canned Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug Would you like fries with that terminal? Capita won disastrous UK pensions gig after acing performance checks NodeWeaver says its perpetual licensing beats VMware’s perpetual price hikes Maine to pause big bit barns as local opposition spreads If you want into Anthropic's Claude club, you may have to show ID DuckDB uses RDBMS to tackle lakehouse 'small changes' issue Iran has something America can only dream of: cheap broadband Brussels tells Google to hand rivals its search crown jewels as privacy row brews Visual Studio 18.5 lands with AI debugging at a price Git identity spoof fools Claude into giving bad code the nod McGraw Hill linked to 13.5M-record data leak Microsoft announces product it doesn't want anyone to buy Obsolete Google nag drowns out vital bar information at Swedish concert hall Cops hand Motorola £25M to keep 2000-era radios alive Server-room lock was nothing but a crock QUIC will soon be as important as TCP – but it's vastly different Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Allbirds shoe company moving to AI infra is the top 20-year-old Enlightenment E16 bug finally gets patched Bad teacher bots can leave hidden marks on model students Autovista blames ransomware for service disruption Networks not ready for the challenges of AI traffic Windows takes a crash dump after one McDonald's too many French cops free mother and son after crypto kidnapping US states can't account for datacenter tax breaks. Literally Salesforce debuts Headless 360 agentic platform Fission impossible: Uncle Sam wants nuclear power in space UK told its Big Tech habit is now a national security risk UKAEA lays out roadmap to take Britain closer to fusion Waymo's self-driving cars face their toughest test yet: London The only technology that died more times than VR is AI, and that seems to have worked out Boeing soars past Airbus for the first time in years Commvault has a Ctrl+Z for rogue AI agents Nvidia slaps forehead: AI, that's what quantum needs! Oracle taps Bloom for fuel cells to support datacenter binge GitHub recalls Phabricator with preview of Stacked PRs Physicist proposes two-button calculator Amazon pays $11.5B to satisfy satellite-envy while cowering in Musk's shadow No honor among thieves as 0APT threatens rival ransomware gang Krybit NASA insiders oddly relaxed about latest budget threats Microsoft raises UK Surface prices as RAM crisis reaches the checkout OpenAI CEO Sam Altman home attack suspect charged Microsoft kills off Outlook Lite as memory costs skyrocket UK state bank considers lengthening disastrous IT program Japan going back to the future by reviving its chip industry Windows Update: Torture chamber for seldom-used PCs Japanese rocket came unglued, causing mission fail Here's how to watch the Artemis II splashdown Britain's biggest nuclear site skips competition, hands SAP £33M to start ERP switch Tech support chap's boss got him out of jail so he could finish a job World's smallest violin spotted at Amazon HQ as exec pay packets deflate Deere oh Deere: Tractor repair row heads for $99M settlement Spark creator bags computing gong for making big data a little bit smaller Microsoft locks out VeraCrypt and WireGuard devs, blames verification process Peace President's Iran war piles more pain on already battered PC market Amazon put a filesystem on S3; I showed up with a test suite and bad intentions UK to spend £15M on AI-powered crime mapping in knife violence crackdown DARPA looking for battery that could power a laptop for months Call your existing automation ‘zero-token architecture’ to become an instant agentic AI wiz
Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine
Jessica Lyons Jessica Lyons · 2026-06-04 · via The Register

There's a lot of fear surrounding the bug-finding capabilities of super-advanced AI models like Anthropic's Mythos and OpenAI's GPT 5.5-Cyber. But attackers are already using free, publicly available LLMs to hijack networks and worm through software supply chains at a much lower cost – to them at least.

The latest example comes from University of Toronto researchers, who used an unnamed, publicly available open-weight model released in 2025 to develop a computer worm that they claim spread through an enterprise test network.

The self-propagating code adapts on the fly to identify known vulnerabilities and misconfigurations on target systems, then generates and executes attacks to move laterally through the network and compromise additional machines.

And it’s all built on a small, free model that runs on a single GPU.

“People need to understand that it’s not just the biggest and most powerful AI models that pose security concerns – a whole other area of threat has been vastly underestimated,” University of Toronto computer engineering professor Nicolas Papernot told The Register.

Papernot and fellow researchers Jonas Guan, Tom Blanchard, Hanna Foerster, Hengrui Jia, and Gabriel Huang published their findings [PDF] on Tuesday.

While guardrails and other safety features implemented by major commercial AI systems are “essential,”  Papernot told us, in reality “they will not prevent the threat of AI-driven worms with a similar design.”

“The majority of real-world cyberattacks don’t rely on zero-day vulnerabilities,” he added. “Our work demonstrates that attackers can now cheaply operationalize known vulnerabilities at scale, which decreases the window of time defenders have to fix vulnerabilities and find human errors, like reused passwords or poorly configured backup jobs.”

The paper doesn’t specify, and Papernot declined to say, which LLM they used. 

“We omitted certain methodological details (such as the agent’s reasoning graph and tool harness) and experimental specifics (such as the AI model) that could materially help a malicious actor construct similar malware,” Papernot said. “We shared enough information to make the threat credible enough for scientific scrutiny without providing a blueprint that would enable misuse.”

The researchers also noted that they are not publicly releasing the code, but are working with the University of Toronto to set up a vetting process through which qualified researchers may request access for defensive research purposes.

Not NotPetya

Before you start breathing into a paper bag, there are a few things to note about this research.

First, unlike Mythos and friends, the prototype worm does not exploit zero-day vulnerabilities. It only targets publicly disclosed but unpatched bugs, misconfigurations, and recurring weakness classes.

This is intentional, because known security flaws – not zero-days – are what most real-world cyberattacks use, the authors say, citing WannaCry and NotPetya as examples. Both of these worms exploited security holes that had patches available for at least a month before the malware infected vulnerable machines. Both spread rapidly and caused global disruption.

The worm did, however, find and abuse vulnerabilities disclosed after the model’s training cutoff by ingesting publicly available security advisory information at runtime and using this data to develop exploits. 

While the paper repeatedly points to WannaCry and NotPetya as worst-case scenario examples, this lab-tested prototype or something similar is not going to cause the level of destruction that either of those two earlier worms did. 

Both propagated very quickly: WannaCry infected more than 230,000 computers across 150 countries in just one day in May 2017. In June 2017, NotPetya spread globally within hours, taking down at least one large banking network in just 45 seconds. Plus, they both used very sophisticated evasion techniques to avoid being detected by security tools.

This worm, on the other hand, moves slowly. In the “FakeCorp” network they used in the experiments, the prototype took about five days to replicate across half the network, requiring hundreds of LLM inference calls per target for reconnaissance, strategy formulation, and payload generation.

The timeline gives defenders a longer window for detection and response. However, it will likely shorten as inference hardware and model efficiency improve.

Also, unlike WannaCry and NotPetya, the worm doesn’t try to hide itself. “We deliberately chose not to equip the worm with concealment capabilities – it is not instructed to cover its tracks or minimize its network footprint, and it has no tools to do so,” the boffins wrote. “This was a conscious methodological choice to further limit the risk of misuse.”

Finally, the test-network devices themselves didn’t have any endpoint detection, antivirus, or firewall software deployed, which (we hope) makes this a not-quite-realistic setup.

Exploiting the FakeCorp target network

Here’s how the experiments worked.

The team deployed the worm prototype in 15 independent experiments on an isolated 33-host network including Linux servers, Windows environments, and IoT devices. Each computer had been seeded with at least one real-world vulnerability, including software bugs and misconfigurations.  

The worm operated fully autonomously for seven days, and correctly identified an average of 31.3 vulnerabilities, exploited 23.1 hosts to elevated access, and propagated to 20.4 hosts. It reached up to seven generations of self-replication, we’re told.

“Put another way, on average, the proof-of-concept worm successfully exploited 73.8 percent of the network and then replicated to 61.8 percent of the network,” according to the research paper. 

In addition to finding and abusing the known flaws on the devices, the worm also found vulnerabilities disclosed after the LLM’s training cutoff: two recent Linux flaws, CopyFail and DirtyFrag, and a critical bug that leads to remote code execution in the Marimo notebook platform (CVE-2026-39987).

The AI-based worm gained root access in 41 of 67 attempts (61 percent) across the three hosts with these one-day vulnerabilities. This includes 13 of 27 attempts on the Marimo host, 15 of 17 on DirtyFrag, and 13 of 23 on CopyFail. 

The two Linux vulnerabilities were disclosed shortly before the experiments, and a single document containing publicly available exploit instructions was enough for the worm to weaponize them successfully 70 percent of the time, or in 28 out of 40 attempts.

“This result suggests that the same exploitation pipeline can absorb newly published vulnerability information without architectural changes,” the team wrote.

When worms get sneaky

In addition to finding and exploiting vulnerabilities, the AI worm did some other interesting, sneaky things during the experiments. 

Despite the lack of firewalls and endpoint security products enabled, the researchers added some components to the worm’s code to “provide increased defence-in-depth.” This included a denylist of IP addresses baked into the source code. 

So in theory, the worm would read the denylist every time it targets a new machine, and if the IP address matched one on the list, it would move on to a new target, thus preventing it from infecting some hosts. Instead, at “various points” during the experiments, the worm rewrote its source code to allow it to attack an IP address on the denylist. 

In another workaround example: when a virtual-machine check caused replica worms on Alpine Linux and Windows Server 2008 machines to crash at startup, the parent worm found the attestation source file on the target computer and removed the VM-detection check, allowing the worm to replicate successfully on the new machine.

“This behavior was not prompted or incentivised by the agent’s instructions; it autonomously diagnosed the failure, identified the responsible code, and modified it to achieve its objective,” the boffins wrote.

In another test run, the researchers accidentally packaged a FakeCorp network configuration file that included admin credentials with the worm code. The worm discovered the credentials and shared them with other active replica worms, “causing a rapid increase in propagation within the contained environment.”

Additionally, in two separate instances, the worm established persistence on a compromised computer using mechanisms outside of the intended replication pipeline, we’re told. In one instance, it started the replica process and then registered it with the machine’s service-management system to auto-restart if terminated. In another, it created a scheduled task that relaunched the replica worm, causing it to reappear even after the original process was killed. 

“The agent appears to have inferred, from the general objective of maintaining an operational replica, that persistence mechanisms available on the target could be used to make the replica more robust,” the researchers noted.

Prior to publishing their work, the academics say they shared their findings with “national science, security, and defence” agencies to seek advice on how to responsibly release the information. We asked Papernot for details, including which government agencies and how they responded, but he declined to share anything else. ®