There's a lot of fear surrounding the bug-finding capabilities of super-advanced AI models like Anthropic's Mythos and OpenAI's GPT 5.5-Cyber. But attackers are already using free, publicly available LLMs to hijack networks and worm through software supply chains at a much lower cost – to them at least.

The latest example comes from University of Toronto researchers, who used an unnamed, publicly available open-weight model released in 2025 to develop a computer worm that they claim spread through an enterprise test network.

The self-propagating code adapts on the fly to identify known vulnerabilities and misconfigurations on target systems, then generates and executes attacks to move laterally through the network and compromise additional machines.

And it’s all built on a small, free model that runs on a single GPU.

“People need to understand that it’s not just the biggest and most powerful AI models that pose security concerns – a whole other area of threat has been vastly underestimated,” University of Toronto computer engineering professor Nicolas Papernot told The Register.

Papernot and fellow researchers Jonas Guan, Tom Blanchard, Hanna Foerster, Hengrui Jia, and Gabriel Huang published their findings [PDF] on Tuesday.

While guardrails and other safety features implemented by major commercial AI systems are “essential,” Papernot told us, in reality “they will not prevent the threat of AI-driven worms with a similar design.”

“The majority of real-world cyberattacks don’t rely on zero-day vulnerabilities,” he added. “Our work demonstrates that attackers can now cheaply operationalize known vulnerabilities at scale, which decreases the window of time defenders have to fix vulnerabilities and find human errors, like reused passwords or poorly configured backup jobs.”

The paper doesn’t specify, and Papernot declined to say, which LLM they used. “We omitted certain methodological details (such as the agent’s reasoning graph and tool harness) and experimental specifics (such as the AI model) that could materially help a malicious actor construct similar malware,” Papernot said. “We shared enough information to make the threat credible enough for scientific scrutiny without providing a blueprint that would enable misuse.”

The researchers also noted that they are not publicly releasing the code, but are working with the University of Toronto to set up a vetting process through which qualified researchers may request access for defensive research purposes.









