Security researchers have built a new kind of self-replicating AI worm capable of spreading across networks without any human action. The worm, named Morris II, targets generative AI systems such as OpenAI's ChatGPT and Google's Gemini, stealing data as it propagates.

The development highlights a growing vulnerability in the rapidly expanding ecosystem of AI-powered assistants and tools. Unlike traditional malware that relies on user clicks to spread, Morris II exploits the ability of generative AI agents to act on incoming messages, turning them into unwitting carriers.

Zero-Click Propagation Through AI Assistants

The research team, which includes scientists from Cornell Tech, demonstrated the worm against an AI-powered email assistant capable of synthesizing, summarizing and responding to messages. The worm works by crafting adversarial prompts that trick the AI into generating malicious output.

When an email containing the worm's payload arrives, the AI assistant processes the message and automatically executes the injected instructions. This can cause the assistant to read sensitive information from emails, send spam or even forward the worm to other contacts in the address book. The process repeats, allowing the worm to spread rapidly.

The researchers described the technique as a fundamentally new threat because it weaponizes the very features that make AI assistants useful: their autonomy and ability to process natural language. Previous malware could not exploit large language models in this way.

Why This Matters

This attack opens a new front in cybersecurity. As companies integrate generative AI into more products, including customer service bots, personal assistants and productivity tools, the attack surface expands. Any user or organization that employs AI agents with access to email, messaging or document systems could be affected.

The worm can also extract private data such as credit card numbers or personal correspondence. Because the propagation requires no user clicks, traditional defenses like phishing awareness training become irrelevant. Security teams must now consider how AI models themselves could be turned into attack vectors.

The researchers have shared their findings with OpenAI, Google and other AI companies before publishing the work. They argue that the industry needs to adopt new defenses including stronger input validation and limits on AI agent autonomy.
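As a defender-side illustration of the "limits on AI agent autonomy" and "stronger input validation" the researchers call for, here is an added example (not code from the research team or any vendor) of an action gate placed between an email assistant's proposed action and the mail system: it refuses tools outside an allowlist, requires human approval for any outbound send, blocks sends to contacts outside the current thread, and flags proposed text that largely reproduces the inbound message, which is the hallmark of a payload trying to copy itself forward. The sample email, action names and thresholds are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample inbound email (hypothetical; contains no payload).
INBOUND_EMAIL = (
    "Hi team, attached are the Q3 numbers. "
    "Please reply with the summary by Friday. "
    "Thanks, Dana"
)

# Assumed tool names exposed to the assistant; anything else is refused.
ALLOWED_ACTIONS = {"summarize", "draft_reply"}      # local, no side effects
REVIEW_ACTIONS = {"send_email", "forward_email"}    # always need a human


def _shingles(text: str, n: int = 5) -> set:
    """Word n-grams of the text, lower-cased, punctuation stripped."""
    words = re.findall(r"\w+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def replication_ratio(inbound: str, outbound: str, n: int = 5) -> float:
    """Fraction of inbound n-grams that reappear verbatim in the proposed output.
    A worm that forwards itself must carry its own text, so a high ratio is
    a cheap signal that the model is echoing the message it was given."""
    src = _shingles(inbound, n)
    if not src:
        return 0.0
    return len(src & _shingles(outbound, n)) / len(src)


@dataclass
class Verdict:
    decision: str   # "allow", "review" (human approval) or "block"
    reason: str


def gate_action(action: str, inbound: str, outbound: str,
                thread_contacts: set, recipients: set,
                max_ratio: float = 0.3) -> Verdict:
    """Decide whether the assistant's proposed action may proceed."""
    if action not in ALLOWED_ACTIONS | REVIEW_ACTIONS:
        return Verdict("block", f"action {action!r} is not on the allowlist")
    if replication_ratio(inbound, outbound) > max_ratio:
        return Verdict("block", "output largely replicates the inbound message")
    if action in REVIEW_ACTIONS:
        if recipients - thread_contacts:
            return Verdict("block", "recipients outside the current thread")
        return Verdict("review", "outbound send requires human approval")
    return Verdict("allow", "local action within policy")
```

The ratio threshold and the n-gram size are tuning knobs: legitimate replies quote some of the original, so a deployment would calibrate `max_ratio` against its own normal traffic rather than keep the constructed 0.3.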

The worm's name, Morris II, is a deliberate reference to the Morris worm of 1988, one of the first self-replicating pieces of malware to cripple the early internet. The researchers chose the name to underscore the parallel: a new generation of self-spreading threats has arrived.