Researchers Uncover Autonomous LLM Agent Worm Vulnerabilities with Cross-Platform Propagation
Key Takeaways
- Autonomous LLM agents' persistent state features (memory files, scheduled tasks, messaging integrations) create a new worm propagation attack surface previously unexplored in research.
- The vulnerability enables zero-click autonomous propagation and multi-hop cross-platform transmission between agent systems without requiring platform-specific adaptation.
- User prompts are more vulnerable to attack influence than system prompts, and read operations pose the primary integrity risk in LLM-mediated systems.
Summary
A new arXiv research paper presents the first systematic framework for analyzing worm propagation in autonomous LLM agent systems. The researchers identify critical vulnerabilities where attacker-influenced content injected into persistent agent state—workspaces, memory files, and scheduled tasks—can re-enter the LLM's decision context and trigger high-risk actions including configuration changes and cross-agent transmission.
The team introduces SSCGV, an automated source-code graph analyzer that traces data flow from file I/O to LLM context injection points, and SRPO, a payload optimizer that generates worm payloads resistant to LLM-mediated summarization across multi-hop communication. Evaluation on three production agent frameworks demonstrates zero-click autonomous propagation, 3-hop cross-platform transmission, inter-agent privilege escalation, and data exfiltration without platform-specific adaptation.
Critically, the research reveals two key insights: user prompt carriers achieve higher attack compliance than system prompt carriers, and read operations represent the primary integrity threat in LLM-mediated systems. To defend against this attack class, the researchers develop RTW-A, a defense mechanism proven under formal verification that blocks write-before-exposed-read re-entry, seals configurations, prevents untrusted summaries from entering trusted memory, and attenuates capabilities after external reads.
The researchers report that formal verification-based defenses such as RTW-A can effectively mitigate propagation risks while preserving ordinary agent workflows, offering a path to secure autonomous agent deployments.
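To make the four RTW-A rules concrete, here is an added example of a small reference monitor that mediates an agent's reads, memory writes and actions. It is not the paper's code; the trust boundary (which sources count as "exposed"), the set of high-risk capabilities, and the reading of "re-entry" as tainted content reaching trusted persistent memory are all assumptions of this example.

```python
from dataclasses import dataclass, field

# Assumed trust boundary: operator/system and direct user input are trusted;
# anything fetched from outside the agent's own trusted state is "exposed".
EXPOSED_SOURCES = {"web", "inbox", "other_agent", "task_output"}
# Assumed high-risk capabilities that RTW-A-style attenuation withdraws.
HIGH_RISK = {"write_config", "send_to_agent", "schedule_task"}


@dataclass
class StateGuard:
    """Mediates an agent's reads, memory writes and actions for one turn."""
    exposed: bool = False                       # True once an exposed read happens
    config_sealed: bool = True                  # config frozen for the session
    memory: dict = field(default_factory=dict)  # trusted persistent memory
    quarantine: list = field(default_factory=list)  # untrusted text kept out of context
    audit: list = field(default_factory=list)

    def read(self, source: str, text: str) -> dict:
        """Label content with its provenance; an exposed read attenuates capabilities."""
        trusted = source not in EXPOSED_SOURCES
        if not trusted:
            self.exposed = True
            self.audit.append(f"attenuated after exposed read from {source}")
        return {"text": text, "trusted": trusted}

    def write_memory(self, key: str, item: dict) -> bool:
        """Block re-entry: nothing derived from an exposed read enters trusted memory.

        Once the turn has seen exposed content, any summary the model produces
        may be derived from it, so trusted-labelled writes are quarantined too.
        """
        if not item["trusted"] or self.exposed:
            self.quarantine.append((key, item["text"]))
            self.audit.append(f"quarantined memory write {key!r}")
            return False
        self.memory[key] = item["text"]
        return True

    def allow(self, action: str) -> bool:
        """Config stays sealed; high-risk actions are denied once a turn is exposed."""
        if action == "write_config" and self.config_sealed:
            return False
        if action in HIGH_RISK and self.exposed:
            return False
        return True

    def load_context(self) -> dict:
        """Next-session context is rebuilt from trusted memory only."""
        return dict(self.memory)
```

The quarantine and audit lists are what a detection pipeline would alert on: a non-empty quarantine after a turn means exposed content tried to persist.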
Editorial Opinion
This research is a crucial wake-up call for the autonomous agent ecosystem. As LLM agents become more autonomous and interconnected with persistent state—a defining feature of next-generation systems—the attack surface expands in non-obvious ways. The paper's finding that user prompts are more influential than system prompts is particularly sobering: it suggests attackers can exploit the very interface users interact with. The availability of formal defenses like RTW-A is encouraging, but their adoption requires coordination across frameworks and careful system design.