Self-Propagating AI Worms and Autonomous Attacks: The New Enterprise Security Crisis

Key Developments

Over 13,000 security professionals at Infosecurity Europe this week confronted a sobering reality: autonomous AI systems can now attack enterprise networks with minimal human oversight. University of Toronto researchers demonstrated that self-propagating AI worms built from free, publicly available large language models can compromise nearly three-quarters of a simulated enterprise network within seven days.

The threat is no longer theoretical. On May 10, Sysdig’s threat research team documented the first publicly confirmed real-world intrusion driven by an LLM agent—an attack that moved from initial access through a vulnerable Python notebook to complete database exfiltration in under an hour, executing four network pivots without human direction.

Simultaneously, three independent research disclosures revealed that prompt injection vulnerabilities in AI agent frameworks have evolved from content moderation concerns into remote code execution primitives. Microsoft disclosed critical vulnerabilities (CVEs) in Semantic Kernel allowing crafted prompts to launch arbitrary processes on host systems. Adversa AI released SymJack (affecting six AI coding agents) and TrustFall (compromising Claude Code, Cursor, Gemini CLI, and GitHub Copilot)—both enabling one-click remote code execution.

Industry Context

The agentic AI development boom has outpaced security controls. Unlike traditional software vulnerabilities, AI agent frameworks introduce novel attack surfaces where user input becomes executable code through natural language interpretation. The vulnerability discovery-to-exploitation window has collapsed from months to hours.

Enterprise Ireland has flagged that cyber threats are “getting more high level” and “driven by AI,” signalling that Irish organisations now face accelerating threat sophistication. Dr Liliana Pasquale from UCD School of Computer Science warns that “AI systems are significantly harder to secure than traditional software,” with manipulation techniques like prompt injection potentially enabling unauthorised data extraction or system compromise.

Practical Implications

For builders and organisations deploying AI agents, this moment demands immediate action:

  • Sandbox isolation: Deploy AI agents in strictly segmented network environments with minimal privilege escalation pathways
  • Input validation: Treat all user prompts as untrusted input, implementing robust filtering before agent processing
  • Monitoring: Use AI-driven threat detection to spot anomalous agent behaviour—the attack window is too narrow for manual response
  • Patch velocity: Establish rapid patching protocols for AI framework vulnerabilities
  • Risk reassessment: Organisations relying on AI coding agents (Copilot, Claude Code) should urgently review deployment scope and access controls
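The "input validation" and "monitoring" items above come down to one architectural rule: nothing the model emits is executed until a policy layer outside the model has checked it. The following is an added illustration of such a gate, written for this briefing; it is not code from Semantic Kernel, Sysdig, Adversa AI or any of the agents named above. The tool names (`read_file`, `http_get`), the workspace path, the allowlisted hosts and the denial budget are constructed for the example. The gate treats the agent's proposed tool call as untrusted text, refuses anything not on an explicit allowlist (so an injected "run this shell command" never becomes a process launch), validates arguments per tool, writes an audit record for every decision, and quarantines the session once repeated denials suggest the agent has been steered off-policy.

```python
"""Policy gate between an LLM agent's proposed actions and the tools that run them.
Added example for the recommendations above; not code from any framework or
vendor named in the article.  All names, paths and thresholds are constructed."""
import json
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed confinement: files may only be read below this directory, and
# outbound requests may only go to these hosts.
WORKSPACE = PurePosixPath("/srv/agent/workspace")
ALLOWED_HOSTS = {"api.internal.example", "db-ro.internal.example"}


def _check_read_file(args: dict):
    """Return None if the argument is acceptable, else a denial reason."""
    path = PurePosixPath(str(args.get("path", "")))
    if not path.is_absolute():
        return "path must be absolute"
    if ".." in path.parts:  # PurePosixPath does not collapse '..', so we can see it
        return "path traversal"
    if WORKSPACE not in path.parents:
        return f"path outside {WORKSPACE}"
    return None


def _check_http_get(args: dict):
    host = str(args.get("host", ""))
    if host not in ALLOWED_HOSTS:
        return f"host {host!r} not allowlisted"
    if not re.fullmatch(r"/[A-Za-z0-9/_\-.]*", str(args.get("path", ""))):
        return "malformed path"
    return None


# The allowlist IS the policy: a tool absent here (run_shell, exec, ...) cannot
# be invoked no matter what the model says.
TOOL_POLICY = {"read_file": _check_read_file, "http_get": _check_http_get}


@dataclass
class Gate:
    denial_budget: int = 2            # constructed: denials tolerated per session
    denials: int = 0
    quarantined: bool = False
    audit: list = field(default_factory=list)

    def evaluate(self, raw_model_output: str) -> tuple:
        """Decide whether a proposed tool call may run.  Returns (allowed, reason)."""
        if self.quarantined:
            return self._log(False, "session quarantined", raw_model_output)
        try:
            call = json.loads(raw_model_output)
            name, args = call["tool"], call["args"]
        except (ValueError, KeyError, TypeError):
            # Free text, malformed JSON or a missing field: never "best-effort" it.
            return self._log(False, "unparseable tool call", raw_model_output)
        validator = TOOL_POLICY.get(name)
        if validator is None:
            return self._log(False, f"tool {name!r} not allowlisted", raw_model_output)
        if not isinstance(args, dict):
            return self._log(False, "args must be an object", raw_model_output)
        err = validator(args)
        if err:
            return self._log(False, err, raw_model_output)
        return self._log(True, "ok", raw_model_output)

    def _log(self, allowed: bool, reason: str, raw: str) -> tuple:
        """Record every decision; repeated denials trip the session into quarantine."""
        self.audit.append({"allowed": allowed, "reason": reason, "raw": raw[:200]})
        if not allowed:
            self.denials += 1
            if self.denials > self.denial_budget:
                self.quarantined = True
        return allowed, reason


def demo_session() -> list:
    """Run a constructed sequence of agent outputs through one gate."""
    gate = Gate()
    proposals = [
        '{"tool": "read_file", "args": {"path": "/srv/agent/workspace/notes.txt"}}',
        '{"tool": "run_shell", "args": {"cmd": "id"}}',
        '{"tool": "read_file", "args": {"path": "/srv/agent/workspace/../../etc/shadow"}}',
        'Sure! I will fetch that for you now.',
        '{"tool": "http_get", "args": {"host": "api.internal.example", "path": "/v1/status"}}',
    ]
    return [gate.evaluate(p) for p in proposals]


if __name__ == "__main__":
    for allowed, reason in demo_session():
        print("ALLOW" if allowed else "DENY ", reason)
```

In the demo the first call is permitted, the shell launch, the traversal and the free-text reply are each denied, and the third denial quarantines the session so that the final, otherwise valid, request is also refused. The audit list is the artefact a detection pipeline would consume: a session that accumulates denials, or that starts proposing tools it has never used, is the "anomalous agent behaviour" the monitoring item asks defenders to look for.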

Open Questions

While the threat is clear, critical gaps remain:

  • How effectively can traditional network segmentation contain AI agent lateral movement?
  • Are enterprise LLM guardrails sufficient, or do air-gapped deployments become necessary?
  • What regulatory frameworks should the EU adopt to mandate AI agent security standards?
  • Can defenders realistically keep pace with autonomous attack iteration speeds?

For Irish and European organisations, this crisis arrives as AI governance frameworks (including emerging EU AI Act considerations) are still being defined. The convergence of agentic AI proliferation and exploitation acceleration makes this an inflection point for enterprise security architecture.


Source: Infosecurity Europe 2026