Friday 5 June 2026

The $0 AI Worm: Why the Threat Doesn't Need a Frontier Model

Researchers proved you don't need a fancy frontier model to build a self-spreading AI worm — a free open-source LLM will do just fine.

Lead story

For months, the security community has been nervously watching what the most powerful AI models might do in the wrong hands. New research suggests we've been looking in the wrong direction.

Researchers have built a self-replicating AI worm that runs entirely on free, open-source language models — no GPT-4, no Claude, no Gemini required. The worm can propagate across enterprise networks, adapt its attacks on the fly based on what it encounters, and chain together known vulnerabilities in ways that would previously have required a skilled human operator sitting at a keyboard.

The key finding, as the researchers put it bluntly: "Attackers can now cheaply operationalize known vulnerabilities at scale." That's the part worth sitting with. This isn't about a nation-state with a classified AI stack. It's about a commodity capability that anyone with a laptop and an internet connection can replicate today.

How it works

The worm couples a lightweight LLM — the kind you can run locally on consumer hardware — with a set of automation scripts. The model doesn't need to be brilliant. It just needs to be good enough to read system responses, pick the right next move from a known playbook, and rewrite its own delivery mechanism to dodge detection. Think of it less like a genius and more like a very persistent, very patient intern who has memorised every CVE published in the last five years.

The researchers tested it in an isolated enterprise-style network. The worm propagated successfully, adapted when initial attack vectors were blocked, and did so without any human guidance after the initial launch.

Why this matters now

This research lands the same week that separate reporting confirmed attackers are already using AI to automate EDR evasion testing — running malware samples against Sophos, CrowdStrike, and Windows Defender in automated loops until something sticks. The pattern is consistent: AI isn't replacing attackers, it's removing the bottleneck of human time and skill.

The traditional defence assumption has been that scale costs money. A human attacker can only probe so many systems per hour. AI worms, even dumb ones, break that constraint entirely.

What defenders should do

Network segmentation and patch velocity matter more than ever. If a worm can only reach a handful of systems before hitting a boundary, the blast radius stays manageable. The research team specifically noted that the worm thrives in flat, poorly segmented networks where lateral movement is easy.

For Australian organisations, this is directly relevant to the ACSC's Essential Eight guidance on patching and restricting lateral movement — both of which this worm explicitly exploits when they're neglected. The SOCI Act's critical infrastructure obligations around network resilience deserve a fresh look through this lens too.

What to watch

The researchers have responsibly disclosed their methodology without releasing the full code. But the honest assessment is that anyone with moderate skill could reproduce this from first principles — the tooling is all public. The question isn't whether someone will build this in the wild. It's whether defenders move faster than the commodity threat curve is rising.

Also today

Meta's Secret Face-Recognition Code Is Already on Millions of Phones

Wired reviewed code embedded in Meta's smart glasses platform and found an unreleased face-recognition system designed to identify strangers using biometric data stored on a user's phone. Meta hasn't announced the feature, but the code is already deployed at scale. The system, apparently tied to the Ray-Ban smart glasses and a feature internally dubbed 'Nametag Connections', could let a glasses wearer silently identify anyone they look at. Privacy regulators in the EU have facial-recognition-specific restrictions under GDPR, and Australia's Privacy Act reform — currently before Parliament — includes strengthened biometric data protections that would likely catch exactly this kind of pre-deployment embedding.

WIRED

A One-Issue GitHub Post Could Have Hijacked Anthropic's Own Code

A security researcher found a serious flaw in Anthropic's Claude Code GitHub Action: opening a single malicious GitHub issue was enough to take over any public repository running the action. Worse, because Anthropic's own repo used the same workflow, a successful attack could have pushed malicious code directly into the Claude Code action itself — and then downstream to every project pulling it. RyotaK of GMO discovered and disclosed the flaw. It's been patched, but the incident is a pointed reminder that AI coding tools sit deep in supply chains and carry their own attack surface.

The Hacker News

Cisco's Unified CM Has a Critical Flaw — and Exploit Code Is Already Public

Cisco has patched a critical server-side request forgery vulnerability in Unified Communications Manager, tracked as CVE-2026-20230, that lets an unauthenticated attacker on the network write arbitrary files and escalate to root. Proof-of-concept exploit code is already publicly available, which significantly shortens the window between patch release and active exploitation. Cisco's PSIRT says it hasn't confirmed in-the-wild attacks yet — but that's a narrowing gap. Unified CM is widely deployed in enterprise telephony environments, including many large Australian organisations. Patch immediately.

Bleeping Computer

Magecart Crew Is Hiding Stolen Card Data Inside Stripe's Own Infrastructure

A newly documented Magecart campaign is abusing Stripe's legitimate API infrastructure to both host the card-skimming payload and exfiltrate the stolen data. By routing everything through Stripe — a domain that most corporate firewalls and security tools treat as trusted — the attackers blend into normal payment traffic. It's a clever abuse of legitimacy: the malicious code looks like a routine Stripe integration to any cursory inspection. Australian e-commerce operators running checkout flows should audit their payment integrations and CSP headers; the ACSC has previously flagged Magecart-style attacks as a persistent threat to local merchants.

Bleeping Computer

Five Eyes Warns: China Is Still Trolling LinkedIn for Secrets

A fresh Five Eyes intelligence advisory is reminding Western governments and industry that Chinese intelligence services are actively using LinkedIn and other professional platforms to recruit insiders willing to sell sensitive information. The tradecraft isn't new — it was first flagged years ago — but the operational tempo appears to be accelerating. The advisory specifically warns of approaches framed as consulting or research opportunities that escalate into requests for classified or commercially sensitive material. Australian security-cleared workers and those in defence-adjacent industries are squarely in scope, and ASIO has separately flagged this pattern in its annual threat assessments.

The Register

OpenAI's Codex Chained Decade-Old Bugs Into a Working HTTP/2 Bomb

In a striking demonstration of AI-assisted offensive research, OpenAI's Codex agent independently chained together known denial-of-service techniques to construct a functional HTTP/2 'bomb' attack capable of crashing web servers in seconds. The agent wasn't given a specific attack goal — it identified the vulnerability chain autonomously during a security research task. The finding raises uncomfortable questions about the dual-use nature of capable coding agents: the same reasoning that makes them useful for defenders makes them useful for building attack tooling, and the gap between the two is narrowing fast.

The Register

Hackers Spent Five Months Reading a Stock Exchange Executive's Inbox

Symantec and Carbon Black researchers reported this week that unknown attackers maintained persistent access to the Outlook mailbox of a senior executive at a major global stock exchange for at least five months. The attackers copied emails in small batches and exfiltrated them via Dropbox and OneDrive, deliberately blending malicious traffic into normal cloud service activity. The patience and tradecraft point to state-sponsored espionage rather than financially motivated intrusion. Financial market infrastructure is a designated critical sector under Australia's SOCI Act, and this incident is a textbook illustration of the insider-access threat that the Act's incident reporting obligations are designed to surface.

The Hacker News

Meta Accuses Australia of Breaching Free Trade Agreement

Meta has formally accused the Australian government of breaching free trade agreement obligations, invoking the prospect of US trade action. The dispute centres on Australian regulatory measures affecting Meta's platforms — the details of the specific policy at issue aren't fully public, but the escalation signals that Meta is willing to use trade law as leverage against content moderation and platform accountability rules. This follows an increasingly tense period between big tech platforms and the Australian government, which has pursued some of the world's more aggressive platform regulation, including the Online Safety Act and the news media bargaining code.

iTnews

ChatGPT's New 'Dreaming' Memory System Learns You Between Sessions

OpenAI has rolled out a new memory architecture for ChatGPT it's calling 'Dreaming' — a system that consolidates and updates what the model knows about a user between conversations, rather than only during them. The goal is to keep context fresh and relevant without users needing to repeat themselves. OpenAI is framing it as a leap toward genuinely personalised assistants. Privacy advocates will note it represents a significant increase in persistent user profiling, and the question of where that memory data is stored and how it can be deleted will matter to users in jurisdictions with strong privacy frameworks — including Australia's.

OpenAI Blog

Which LLMs Best Resist Russian Propaganda? Estonia Built a Benchmark to Find Out

The Estonian government has published a benchmark testing dozens of large language models on their resistance to Russian 'strategic narratives' — the Kremlin's preferred information warfare framing on topics like the war in Ukraine, NATO, and Baltic security. The results vary significantly across models, with some reproducing pro-Kremlin framings under relatively light prompting. It's a rare government-driven evaluation of AI models on geopolitical reliability rather than technical capability, and the methodology could become a template for other NATO-adjacent democracies. Australia's involvement in the Pacific information environment gives this kind of benchmark real strategic relevance.

Ars Technica

TSMC's CEO Says AI Demand Has Outrun What the World's Biggest Chipmaker Can Supply

TSMC CEO C.C. Wei told shareholders this week that customer demand — overwhelmingly driven by AI infrastructure buildout — has exceeded what the company can physically produce, even with its US factory expansion underway. 'We can only support so much,' Wei said, adding that TSMC is working to avoid becoming a bottleneck for the global AI industry. The frank admission from the company that manufactures chips for Apple, Nvidia, AMD, and essentially every other major semiconductor designer underlines how precarious the hardware foundation of the AI boom actually is. Australia's own digital infrastructure investment is downstream of this constraint.

The Verge
