University of Toronto / Vector Institute: a self-propagating worm that runs open-weight LLMs on compromised hosts to synthesise per-target exploits

A team from CleverHans Lab (University of Toronto), the Vector Institute, Cambridge and ServiceNow Research published a proof-of-concept worm (arXiv:2606.03811) on 2 June 2026, picked up this week by the German technical press (arXiv, 2026-06-02; heise online, 2026-06-04). The worm runs open-weight LLMs on already-compromised hosts to generate exploit code tailored to each machine it reaches — consuming stolen compute instead of attacker infrastructure or a commercial AI API, which makes platform-level safety controls (rate-limits, content policies) structurally irrelevant. On an isolated 33-node mixed Linux/Windows/IoT range the agent identified vulnerabilities on most hosts and propagated across several generations, and — the load-bearing finding — synthesised working exploits for three CVEs published after its model's training cutoff, i.e. adaptive reasoning beyond static knowledge. The authors frame the economic asymmetry: marginal attacker cost per new infection approaches zero while defenders must patch every reachable flaw. The paper withholds usable exploit code; closest ATT&CK analogues are T1203, T1210, T1570.

Why it matters to us: the operational implication is that "no public PoC yet" stops being a reliable proxy for low near-term exploitation risk, which pressures patch-velocity SLAs and elevates internal micro-segmentation from best-practice to load-bearing control. A pragmatic early-warning signal: unexpected local LLM-inference activity on compromised hosts (e.g. Ollama on port 11434, sustained GPU-heavy processes where none belong).