For those that have grown up in the cybersecurity world, the Morris Worm is often recognized as the first self-replicating malware, developed by Robert Tappan Morris in 1988. In many ways, the entire cybersecurity community has been chasing ways to stop things such as the Morris Worm for the past 35 years.
We are now entering a new world — the world of artificial intelligence — and what we have done in the past 35 years no longer applies.
Morris II
Researchers at Cornell University have created the first cross-AI platform worm that infected multiple AI engines, published in a paper titled Here Comes the AI Worm: Unleashing Zero-click Worms that Target GenAI-Powered Applications. The researchers successfully created a worm that infected the foundational models of Chat GPT and Gemini through a self-replicating process — causing AI engines to produce incorrect and harmful outputs while propagating across other systems.
What makes Morris II fundamentally different from traditional attacks is that it is completely driven by data, not by code running on devices, networks or applications. A critical insight from the paper: adversarial self-replicating prompts trigger the GenAI model to output code — not just data. There is no malicious code being sent from system to system. There is data. The prompt itself may not be malicious, but the answer from the engine is a threat.
What the Cybersecurity Community Does Not Understand
Every guidance document and new AI security tool I reviewed approaches the problem through the lens of how we do cybersecurity today — protecting systems and networks, identifying source and location of data, allowing or blocking based on origin. As shown by Morris II, the problem is that there is no malicious data or code to block. The prompt may look perfectly viable, but the output is malicious. And the output may be different every time.
Traditional cybersecurity approaches of identifying suspect code and patterns do not apply in the GenAI world. GenAI is probabilistic in nature while traditional computing is deterministic. In traditional computing, input x returns action y every time. In GenAI, input x may return y, z, w, or a host of other results. From a security perspective, monitoring for specific inputs and outputs becomes impossible.
Why RAG Is a Cybersecurity Nightmare
RAGs (Retrieval Augmented Generation) give the GenAI world usability and context — connecting language models to internal data sources to perform real-world actions. The Morris II worm leveraged a RAG to propagate from one GenAI engine to another simply by emailing prompts embedded in otherwise normal text. Unlike phishing emails, there was no code or link to detect and block. Just words.
The challenge for the cybersecurity community: there are no network or device security controls applicable here. Inputs and outputs have an unlimited number of patterns. Unique code is being constantly generated. All of these are contrary to the foundations of today’s cybersecurity approaches.
Not Next Year — Now
When I ask security staff about securing GenAI, almost all say they’re starting to think about it but will wait until it becomes more mainstream. Meanwhile, RAG-powered features are shipping in every major product. New approaches — file-level encryption, AI-enabled testing agents, segmented RAG integration — need to be addressed now. This is one of those moments where the security community can build protections in before the technology outpaces us entirely. Traditional approaches will not work. It is time for thinking differently.
Chip Block is the CEO of Kiwi Futures LLC.