The first autonomous worm that propagates between LLM agents without human interaction. Zero-click. Cross-platform. 3 hops across heterogeneous frameworks. And the defense requires a formal theorem to stop it. At Tech86, we analyzed the first systematic framework for worms in multi-agent ecosystems with file-backed memory — and the conclusion is clear: agents with persistent state are vectors for autonomous propagation. This is a worm that replicates, not a one-off prompt injection.
The mechanism: Write → Re-entry → Action
LLM agents operate as long-running processes with workspaces, memory, scheduled tasks, tools, and messaging channels. The worm exploits exactly this architecture. Attacker content is written to persistent state — a configuration file, a memory item, a channel message. That content re-enters the LLM context via autoloading: the agent loads the file at startup, reads the channel message, accesses the memory item. The payload enters the context and drives high-risk actions — including propagation to other agents.
The cycle is simple and devastating: Write → Re-entry → Action. Malicious content is written to a carrier. The carrier is autoloaded. The content enters the LLM context. The agent propagates the worm. No human needs to click, approve, or interact. Persistence does the work.
The distinction from prompt injection is fundamental. Prompt injection is an event — you inject, the model responds, it's over. An agent worm is a continuous process. The payload persists in state, re-enters on every execution, and propagates to new hosts. It's the difference between a virus that infects one cell and a virus that replicates throughout the organism.
Zero-click, cross-platform, 3 hops
The framework's results are concrete. Zero-click propagation: no human interaction after initial injection. The worm propagates autonomously between agents that share workspaces and messaging channels.
3-hop cross-platform: the worm propagates across heterogeneous frameworks without adaptation. An agent in Framework A writes the payload to a carrier. The carrier is read by an agent in Framework B. The agent in Framework B propagates to Framework C. Three hops, three different frameworks, zero payload modification.
Inter-agent privilege escalation via trust-based delegation: agents delegate actions to other agents with increasing privilege levels. The worm escalates privileges by traversing this trust chain. Data exfiltration from workspaces: persistent access to state enables extraction of sensitive data from compromised agents' workspaces.
Two insights inverted assumptions. First: user prompt carriers are more effective than system prompt carriers. Content entering via user prompts has more hijacking power than content in system prompts. Second: read operations are the primary threat. This inverts the assumption that write is the danger. Writes without re-entry are inert. Reads are active — content read hijacks behavior.
SSCGV and SRPO: the attack tooling
The framework introduces two tools that make agent worms systematic rather than artisanal.
SSCGV (Source-Code Graph Analyzer) traces data flow from file I/O to LLM context injection. It analyzes the agent's source code, identifies all points where files are read and injected into context, and ranks carriers by exposure position. Zero manual analysis. SSCGV answers the question: which files in the agent's workspace are re-entry vectors? Without this analysis, you're guessing which files to protect.
SRPO (Summary-Resilient Payload Optimizer) solves the problem that seemed like a natural defense: summarization. When agents communicate across multiple hops, content gets summarized, paraphrased, and compressed. The assumption is that summarization destroys payloads. SRPO proves otherwise. It generates payloads that survive summarization, paraphrasing, and compression in multi-hop communication. Payloads arrive intact after 3+ hops across heterogeneous frameworks. Summarization is not defense — it's an attack surface that SRPO exploits.
The combination of SSCGV and SRPO turns agent worms into an engineered discipline, not an art of prompt crafting. You map the carriers, optimize the payload to survive the path, and let the autonomous cycle do the rest.
RTW-A: defense with formal guarantee
If the attack is systematic, the defense cannot be empirical. RTW-A is a defense framework with a formal guarantee — the "No Persistent Worm Propagation" theorem proves that, under RTW-A, attacker content cannot complete the Write → Re-entry → Action chain.
Four mechanisms compose RTW-A. RTW constraint: blocks write-before-exposed-read re-entry. If an agent reads external content, any subsequent write that could be autoloaded is intercepted. This breaks the cycle at the root — no re-entry, no propagation.
Sealed configuration: protects autoloaded files from modification by external content. If a config file is a carrier, it cannot be altered by data read from untrusted sources.
Typed memory promotion: prevents free-form summaries in trusted memory. Summaries of external content must pass structural validation before entering high-privilege memory. This neutralizes SRPO — the payload may survive summarization, but it cannot pass the typing barrier.
Capability attenuation: limits high-risk actions after external reads. Even if the payload enters the context, the agent has reduced capabilities — it cannot propagate messages, execute high-risk tools, or write to other agents' workspaces.
Together, these mechanisms eliminate persistence → re-entry → action while preserving legitimate workflows. The formal theorem guarantees the defense works by construction, not by observation.
What this means for agent operators
Agents with persistent state are vectors for autonomous propagation. This is not one-off prompt injection — it's a worm that replicates between long-running processes. If your agents share workspaces and messaging channels, cross-platform autonomous worms have already been demonstrated.
Read operations are more dangerous than writes. Security intuition says protect against malicious writes. In multi-agent ecosystems, the danger is in reads. Content read hijacks behavior. Protecting writes without protecting reads is locking the door while the windows are open.
Summarization is not defense. SRPO generates payloads that survive multi-hop. If your security strategy relies on summarization and compression to neutralize payloads, it doesn't work. Coordinated disclosure is in progress and frameworks were anonymized — but the mechanism is documented and replicable.
At Tech86, we evaluate AI agent architectures with focus on payload propagation and persistent state integrity. If your agents operate with file-backed memory, shared workspaces, and messaging channels across frameworks, cross-platform autonomous worms aren't theory — they're a demonstrated mechanism. And without RTW-A or equivalent, your ecosystem has no formal guarantee against persistent propagation.