What the U of T Team Built

Researchers at the University of Toronto released findings on June 2, 2026 demonstrating a new class of cyberweapon. According to the University of Toronto's official news release, the worm uses publicly accessible AI models — free ones, not cutting-edge proprietary systems — to adapt its attack strategy in real time as it moves from device to device.

The researchers showed it works against any known vulnerability across any connected device. Laptops. Hospital equipment. HVAC systems. Power grid infrastructure. All of it.

Nicolas Papernot, associate professor of computer engineering at U of T and a Canada CIFAR AI Chair at the Vector Institute, led the research. His CleverHans Lab conducted the entire study in a sealed, isolated digital environment with no connection to the outside internet.

Why This Is Different From Previous AI Malware Research

This isn't the first time researchers have built an AI-assisted worm in a lab. In 2024, a separate team from Cornell Tech, the Israel Institute of Technology, and Intuit demonstrated what they called "Morris II" — named after the 1988 Morris worm that crashed a significant portion of the early internet. According to IBM's coverage of that research, Morris II used "adversarial self-replicating prompts" to manipulate large language models like ChatGPT and Google's Gemini into generating their own malicious instructions.

Morris II focused specifically on generative AI ecosystems — AI-powered email assistants, RAG-enabled databases. It could steal names, phone numbers, credit card numbers, and Social Security numbers directly out of infected email systems.

The U of T research goes further. It's NOT limited to AI-integrated systems. The worm can exploit any known vulnerability in any device — AI-powered or not. That's the escalation.

Google Said It Out Loud: This Is Already Happening

On May 11, 2026 — three weeks before the U of T paper dropped — Google publicly confirmed it had disrupted a criminal group actively using AI to exploit a previously unknown vulnerability in another company's systems. According to Fortune's reporting on Google's announcement, John Hultquist, chief analyst at Google's threat intelligence division, stated plainly: "It's here. The era of AI-driven vulnerability and exploitation is already here."

Google wasn't warning that this could happen. Google said they caught someone doing it.

Hultquist didn't name the criminal group or the target company. That's significant. The public deserves to know what sector was hit. Financial? Healthcare? Energy? The lack of transparency from a company with Google's intelligence resources is a choice, not a limitation.

The Threat Is Cheap. That's the Point.

Every previous cyberattack of this sophistication required serious resources — nation-state backing, elite hacker teams, expensive tools. The U of T researchers dismantled that assumption entirely.

According to the University of Toronto, "highly skilled hackers don't need cutting-edge AI or deep pockets" to deploy this kind of malware. Free models. Off-the-shelf AI. The barrier to entry for launching a network-seizing, infrastructure-threatening cyberattack just collapsed.

Washington has been largely silent on the implications.

The Policy Vacuum

Fortune's May 11 reporting noted that President Trump's White House has been sending "mixed signals" on AI oversight after repealing Biden's AI guardrails. Dean Ball, senior fellow at the Foundation for American Innovation and a former White House tech policy adviser, told Fortune: "Some people don't want there to be a regulatory response to this and others do. I don't like regulation."

But "I don't like regulation" is not a cybersecurity policy. Hospitals getting knocked offline by a $0 AI worm is not a regulation debate. It's a national security failure.

Biden's vague executive order on AI safety wasn't a real solution either. Strongly worded guidelines from a federal agency have never stopped a criminal with a laptop and a grudge. The Trump administration needs to answer this question: if a freely available AI model can be weaponized to seize a hospital network or a power substation, what is the federal response plan? Right now, there isn't a public one.

What the U of T Researchers Did Right

Papernot's team deserves credit for how they handled this. According to the University of Toronto, before publishing they shared their findings with national science, security, and defense bodies in Canada. They scrubbed the published research to remove any details that could directly help bad actors replicate the attack.

They went public specifically because they believe this threat is "imminent" and that researchers, policymakers, and ordinary people need time to prepare.

That is responsible science. More researchers should operate this way.

The End State

A self-adapting AI worm that costs nothing to build can now theoretically compromise every device on a network — your bank, your hospital, the transformer on your street. Google confirmed criminal hackers are already deploying AI-assisted exploits in the real world. And the federal government's current answer is a shrug and a policy debate.

Your cybersecurity is only as strong as the least-defended device on the network you depend on.