The history of cybersecurity seems to be coming in a full, ironic circle. In 1988, Robert Tappan Morris created the first internet worm, an event now considered the 'big bang' of digital crime. Today, in 2026, as humanity hands over the keys to its digital life to autonomous Artificial Intelligence agents, researchers Ben Nassi, Stav Cohen, and Ron Bitton have introduced the spiritual successor to that threat: Morris II. This is a piece of malware that doesn't target computer code, but rather the logic of Large Language Models (LLMs), proving that the very capabilities that make AI useful also make it dangerous.
The Architecture of a Digital Parasite
Morris II is not a traditional virus. It operates through what researchers call 'adversarial self-replicating prompts.' Unlike traditional software, where data and instructions are clearly separated, this line is blurred in LLMs. When an AI assistant (such as an AI email assistant) reads a message, it doesn't just see it as text; it sees it as part of its instruction context. Morris II exploits exactly this confusion.
The researchers demonstrated that the worm can spread in two ways. The first involves using text containing hidden instructions that 'force' the AI model to forward the message itself to new contacts while simultaneously stealing sensitive data. The second, and more impressive way, is through an image. By embedding the malicious prompt within the pixels of a photo (steganography), the researchers managed to 'infect' the Retrieval-Augmented Generation (RAG) system of an AI assistant. As soon as the system retrieves the image to analyze it, the worm is activated, replicates, and continues its journey.
The RAG Problem and the Illusion of Security
RAG systems are currently considered the 'gold standard' for AI reliability, as they allow models to draw information from external databases or a user's emails to provide accurate answers. However, Morris II turns this source of knowledge into a Trojan horse. As the research team points out, the problem is not a simple code bug that can be fixed with a security update (patch). It is a fundamental weakness in how LLMs process information.
'You can't patch your way out of it,' the scientists warn, implying that as long as AI models have the freedom to interpret and execute instructions from uncontrolled data sources, the risk will persist. This creates a massive dilemma for tech companies: if they restrict the autonomy of AI agents for the sake of security, those agents cease to be truly useful. But if they leave them autonomous, they open the door to a new generation of cyberattacks that spread at the speed of AI thought.
Toward a Future of Agentic Risks
As we move toward the so-called 'Agentic Web,' where AI will book appointments, manage bank accounts, and communicate on our behalf, the implications of such a worm are terrifying. Imagine a scenario where an infected email doesn't just steal your password, but forces your AI to send misleading messages to your entire contact list, undermining trust in the entire digital ecosystem. The research into Morris II is not just an academic exercise; it is a wake-up call for the industry. AI security must be redesigned from the ground up, focusing on a strict separation between data and instructions—something that currently seems technically impossible without sacrificing the intelligence of the models.
- The use of 'firewalls' for LLMs that monitor the model's outputs.
- The adoption of architectures that require human approval for critical actions.
- The redefinition of 'untrusted input' in RAG systems.
In conclusion, Morris II reminds us that in technology, complexity is the enemy of security. The more 'human' we try to make our systems, the more vulnerable they become to the same weaknesses that plague human communication: deception and manipulation.