U of T Researchers Unveil Morris II: The Dawn of Self-Propagating AI Worms

Researchers from the University of Toronto, in collaboration with Cornell Tech and Technion, have demonstrated “Morris II,” a self-replicating generative AI worm. This malware leverages adversarial self-replicating prompts to hijack LLM-based agents, enabling autonomous data exfiltration and spam propagation across interconnected AI ecosystems.

• ▶ Paradigm Shift in Malware: Cyber threats are evolving from executable scripts to semantic-based adversarial prompts, weaponizing the LLM’s reasoning engine for zero-click infection.
• ▶ Weaponizing RAG: The worm exploits Retrieval-Augmented Generation (RAG) to persist within vector databases, turning trusted knowledge bases into launchpads for cross-session contagion.
• ▶ Systemic Risk in Agentic Economies: As AI Agents become increasingly interconnected via APIs, a single compromised node can trigger a cascading failure across entire automated workflows.

Bagua Insight

We are witnessing the “Morris Moment” for the GenAI era. Just as the 1988 Morris worm exposed the fragility of the early internet, Morris II highlights a fundamental architectural flaw in modern LLM deployments: the blurring of boundaries between data and instructions. In the industry’s rush toward “Agentic Workflows,” developers often operate under the naive assumption that retrieved context is benign. However, this research proves that as long as an AI can process data and generate subsequent actions, it can be weaponized. This isn’t just a bug; it’s a structural vulnerability in how we build autonomous systems. The very feature that makes LLMs powerful—their ability to follow complex instructions—is exactly what makes them susceptible to semantic hijacking. If we don’t establish a “Semantic Firewall,” the AI assistants designed to boost productivity could become the ultimate Trojan horses within corporate networks.

Actionable Advice

1. Deploy Semantic Sandboxing: Developers must implement an intermediate sanitization layer in RAG pipelines, using specialized micro-models to scan retrieved context for adversarial patterns before it reaches the core LLM.
2. Enforce Human-in-the-Loop (HITL): For high-stakes Agent actions, such as mass emailing or database modifications, autonomous execution must be gated by explicit human approval to prevent viral propagation.
3. Adopt Zero-Trust AI Architectures: Treat every output from an external AI Agent or a RAG retrieval as untrusted. Implement strict schema validation and output filtering to ensure the LLM doesn’t inadvertently execute embedded commands.