Concise Cyber

What Are AI Worms? Understanding the Next-Gen Threat to Generative AI Ecosystems

The cybersecurity landscape is bracing for a new type of autonomous threat: the generative AI worm. This is far from a theoretical concept: researchers have demonstrated the first proof-of-concept worm, dubbed “Morris II,” highlighting a critical vulnerability in the interconnected web of AI agents and services. This emerging threat can spread from one system to another, exfiltrating data and deploying malware without human intervention, signaling a paradigm shift in how we must approach AI security.

Unlike traditional malware that exploits code vulnerabilities, an AI worm exploits the very nature of large language models (LLMs). It uses what are known as “adversarial self-replicating prompts” to attack generative AI models, such as those powering ChatGPT or Gemini. These prompts are carefully crafted inputs that trick the AI into performing malicious actions, including revealing confidential data or even replicating the malicious prompt itself in its outputs to infect other connected systems.

How Do Generative AI Worms Propagate and Attack?

The attack vector for an AI worm is remarkably insidious. Imagine an AI-powered email assistant designed to scan your emails and summarize them. A threat actor could send an email containing a malicious self-replicating prompt hidden within the text or an image. When the AI assistant processes this email, the worm triggers. The proof-of-concept, Morris II, demonstrated two primary attack methods:

1. Data Exfiltration: The malicious prompt can command the AI model to search for and extract sensitive information from the email content it is scanning. This data, such as names, phone numbers, credit card details, or internal passwords, is then sent to a server controlled by the attacker.

2. Self-Propagation: The most dangerous feature is its ability to spread. The worm can instruct the compromised AI assistant to forward the malicious email or embed the adversarial prompt into replies sent to other contacts. This creates a chain reaction, allowing the worm to rapidly propagate through an organization’s network or across a user’s entire digital ecosystem, all by manipulating the generative AI tools themselves.

The Real-World Impact and Future of AI-Powered Threats

The implications of a fully developed AI worm are profound. While Morris II was a controlled experiment, it showcases a future where cyberattacks are fully automated and can spread at machine speed. The primary risk lies with the growing ecosystem of AI agents that have permissions to interact with other applications like email clients, cloud storage, and messaging platforms. A single compromised agent could potentially launch a widespread, automated phishing campaign or exfiltrate massive amounts of data from connected services like Gmail and OneDrive before it’s ever detected.

As organizations increasingly integrate GenAI into their core workflows, developers and security teams must race to build new defenses. These include more robust input filtering to detect and neutralize adversarial prompts, sandboxing AI agents to limit their permissions, and developing sophisticated monitoring systems to detect anomalous AI behavior. The arrival of the AI worm is a stark reminder that as artificial intelligence becomes more capable and autonomous, so do the threats that seek to exploit it.
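One way to monitor for the self-propagation behavior described above is an outbound check that holds any agent-drafted message which copies a long verbatim span of untrusted input or adds recipients outside the thread. This is an added example, not code from the article or from the Morris II researchers; the function names, the 60-character threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for an injected block; deliberately not a working prompt.
PLACEHOLDER = ("<<PLACEHOLDER-INJECTED-BLOCK: stands in for text that asks the "
               "assistant to repeat this block in every reply>>")
INBOUND = "Hi, see the quarterly numbers attached. " + PLACEHOLDER  # constructed


def _norm(text):
    """Lowercase and collapse whitespace so reflowed copies still match."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def longest_shared_run(untrusted_input, model_output):
    """Longest verbatim span the model carried from untrusted input to output."""
    a, b = _norm(untrusted_input), _norm(model_output)
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def review_outbound(untrusted_input, model_output, recipients,
                    thread_participants, max_run=60):
    """Return reasons to hold an agent-drafted message; empty list means send.

    max_run (characters) is an assumed threshold to tune per deployment.
    """
    reasons = []
    run = longest_shared_run(untrusted_input, model_output)
    if len(run) >= max_run:
        reasons.append(f"replication: {len(run)} chars copied from untrusted input")
    extra = sorted(set(recipients) - set(thread_participants))
    if extra:
        reasons.append("new-recipient: " + ", ".join(extra))
    return reasons


if __name__ == "__main__":
    thread = {"alice@example.com"}
    clean = "Thanks, I will review the quarterly numbers and reply by Friday."
    infected = "Thanks for the numbers. " + PLACEHOLDER
    print(review_outbound(INBOUND, clean, ["alice@example.com"], thread))
    print(review_outbound(INBOUND, infected,
                          ["alice@example.com", "bob@example.com"], thread))
```

Legitimately quoted reply text will also register as a shared run, so strip quoted history before comparing and treat a hit as a reason to require human approval, not as proof of compromise.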