Self-propagating agent worms and the temporal re-entry defense
A May 2026 paper formalizes how persistent agent state lets a prompt-injection payload write itself back into the LLM context and propagate across agents zero-click, and it proposes RTW-A, a defense proven under a No Persistent Worm Propagation theorem.
What is this?
On May 4, 2026, Mingming Zha and Xiaofeng Wang published Autonomous LLM Agent Worms: Cross-Platform Propagation, Automated Discovery and Temporal Re-Entry Defense (arXiv:2605.02812, cs.CR). It is the first systematic framework for analyzing persistent worm propagation in file-backed, multi-agent LLM ecosystems — and, importantly for our editorial line, it ships a defense with a formal proof, not just an attack.
The threat class is not brand new: in 2024, the ComPromptMized / Morris II work demonstrated the first zero-click GenAI worm using an adversarial self-replicating prompt. What the 2026 paper adds is automation of discovery and a structural account of why long-running agents are uniquely exposed — they hold persistent workspaces, memory files, scheduled-task state, and messaging integrations that survive across sessions.
How it works
The mechanism is a loop, not a payload. An autonomous agent reads attacker-influenced content (an email, a shared document, a tool result), and that content gets written into persistent agent state. On a later run — often via scheduled autoloading — the state is read back into the LLM’s decision context, where it can drive high-risk actions: configuration changes, tool calls, and transmission to other agents. No human click is required at any hop.
External read  → Write to persistent state  → Scheduled re-entry     → Action
(email, doc,     (memory file, workspace,     (autoload pulls          (config change,
 tool output)     task queue)                  state into context)      cross-agent send)
      ▲                                                                   │
      └──────────────────── propagates to next agent ─────────────────────┘
The paper introduces two analysis tools (no operational payload is reproduced here):
- SSCGV, a source-code graph analyzer that traces data flow from file I/O to the points where data re-enters the LLM context, and ranks “carriers” by injection position — automating what used to be manual audit work.
- SRPO, a payload optimizer designed to survive LLM-mediated summarization and paraphrasing across multi-hop communication, the property that lets a worm cross platform boundaries.
Evaluated on three (anonymized) production agent frameworks, the authors report zero-click autonomous propagation, 3-hop cross-platform transmission without platform-specific adaptation, inter-agent privilege escalation, and data exfiltration. Two empirical findings matter for defenders: user-prompt carriers achieved higher attack compliance than system-prompt carriers, and read operations — not writes — are the primary integrity threat in LLM-mediated systems, because the danger is content re-entering context, not being stored. Affected systems are anonymized pending coordinated disclosure.
Why it matters
This generalizes the memory-poisoning and persistence findings we have covered before — temporal memory contamination, dormant memory exfiltration — into a propagation model. A single poisoned input no longer compromises one agent; it can ride summarization across heterogeneous agents and ecosystems, which is exactly the lethal trifecta (private data, untrusted content, exfiltration channel) replicated at fleet scale.
The structural insight is the uncomfortable part. The features that make agents useful — persistent memory, scheduled tasks, agent-to-agent messaging — are the same features that close the propagation loop. As Adversa AI’s June 2026 roundup noted alongside this paper, the month’s disclosures “differ in mechanism but rhyme in cause — implicit trust granted somewhere no one was watching.” This is research-stage, responsibly disclosed work, not an in-the-wild incident; the value is in the defense model it makes provable.
Defenses
The paper’s defense, RTW-A, is proven under a formal No Persistent Worm Propagation theorem and is built from four composable mechanisms. They translate into concrete engineering guidance:
- Block write-before-exposed-read re-entry (RTW). The core invariant: content that an agent wrote after reading external input must not be silently re-exposed to the model on a later run. Track provenance on state and gate re-entry of attacker-reachable writes.
- Seal configuration and static files. Agent config, system prompts, and tool definitions should be immutable at runtime. If the model cannot rewrite the files that govern its own behavior, the persistence step of the chain breaks. Mount them read-only.
- Typed memory promotion. Do not let untrusted summaries flow into trusted memory. Keep a hard type boundary between “observed external content” and “trusted facts,” and require an explicit, audited promotion step — never automatic — to move data across it.
- Capability attenuation after external reads. Once an agent has ingested external content in a session, reduce its privileges: throttle or require human review for high-risk actions (config changes, outbound messages to other agents, credential use). This directly limits blast radius even if injection succeeds.
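One way to express three of the four mechanisms (RTW re-entry gating, typed memory promotion, capability attenuation) in an agent's state layer. This is an added example, not code from the paper; `AgentState`, `Trust` and the action names in `HIGH_RISK` are hypothetical, and config sealing is left to the filesystem.

```python
from dataclasses import dataclass, field
from enum import Enum

class Trust(Enum):
    OBSERVED = "observed"   # written after an external read in the same session
    TRUSTED = "trusted"     # operator-authored, or explicitly promoted

HIGH_RISK = {"config_change", "send_to_agent", "use_credential"}  # hypothetical names

@dataclass
class Entry:
    text: str
    trust: Trust

@dataclass
class AgentState:
    memory: dict = field(default_factory=dict)
    tainted: bool = False                      # session has ingested external content
    audit: list = field(default_factory=list)  # (key, reviewer) promotion records

    def read_external(self, text):
        self.tainted = True                    # any external read taints the session
        return text

    def write(self, key, text):
        # Provenance is decided at write time: post-read writes are attacker-reachable.
        trust = Trust.OBSERVED if self.tainted else Trust.TRUSTED
        self.memory[key] = Entry(text, trust)

    def promote(self, key, reviewer):
        # Typed memory promotion: explicit, attributed, logged; never automatic.
        if not reviewer:
            raise PermissionError("promotion requires a named reviewer")
        self.memory[key].trust = Trust.TRUSTED
        self.audit.append((key, reviewer))

    def autoload_context(self):
        # RTW gate: scheduled re-entry exposes only TRUSTED entries to the model.
        return [e.text for e in self.memory.values() if e.trust is Trust.TRUSTED]

    def allowed(self, action):
        # Capability attenuation: high-risk actions are held once the session is tainted.
        return not (self.tainted and action in HIGH_RISK)

    def new_session(self):
        # Taint is per session; stored entries keep their provenance label.
        self.tainted = False
```

The gate sits on the read path (`autoload_context`), not the write path, which matches the paper's finding that re-entry into context is the integrity threat rather than storage.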
Beyond the paper: apply the Rule of Two so an agent never simultaneously handles untrusted input, holds sensitive access, and can communicate externally; instrument scheduled-task autoloading as a security-relevant event; and red-team your own state-persistence paths — the SSCGV approach (trace file I/O to context-injection points) is reproducible defensively on your own codebase.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Autonomous LLM Agent Worms | arXiv:2605.02812 | 2026-05-04 | First automated-discovery + provable-defense framework; affected systems anonymized |
| RTW-A defense | Same paper | 2026-05-04 | Four mechanisms, No Persistent Worm Propagation theorem |
| June 2026 agentic security roundup | Adversa AI | 2026-06-01 | Lists the paper among the month’s agent-worm disclosures |
| ComPromptMized / Morris II | arXiv:2403.02817 | 2024 | Recognized precedent: first zero-click GenAI worm |
The headline is not “AI worms are coming” — that one is two years old. It is that the propagation loop is now formalizable and defendable: the same persistence features that enable the worm also define exactly where to cut it. If you run long-lived agents with memory and messaging, the four RTW-A mechanisms are the checklist to map against your architecture today.