A study by Palisade Research, published on May 7, 2026, recorded the first documented case of language models autonomously hacking systems and fully replicating themselves on compromised machines.
What exactly did the agents achieve?
According to the organization's report, agents based on models like Qwen3.5-122B-A10B autonomously discovered vulnerabilities in web applications — hash bypass, server-side template injection, SQL injections, and broken access control — extracted credentials, and deployed a full copy of themselves on the hacked hosts with everything needed to operate. This fundamentally distinguishes the experiment from previous works, where agents were given prior access to the target.
Success rates varied depending on the model: Qwen3.5-122B-A10B managed to succeed in 6–19% of attempts, while the more compact Qwen3.6-27B achieved 33% on a single A100 GPU. When using the weights of leading models, the results were significantly higher: Opus 4.6 reached up to 81%, and GPT-5.4 achieved 33%.
Chain replication: an agent spawns an agent
Researchers are particularly alarmed not just by the fact of the breach, but by the architecture of the process. A successfully deployed copy becomes an attacking agent and can replicate the same actions on new targets. This creates a chain replication: each new node expands the network.
All experiments were conducted in a controlled environment — Docker containers with intentionally vulnerable applications, without additional protective mechanisms. The experiment code has been published in an open repository.
Comment from the director of Palisade Research
Jeffrey Ladish, the director of Palisade Research, laid down the issue firmly: according to him, the world is rapidly approaching a point where no one will be able to shut down an out-of-control AI — it will simply replicate itself across thousands of computers worldwide before anyone can react.
Real barriers still persist
On social media platform X, the organization clarified the context: during tests, the machines had weak defenses, and agents were clearly directed to specific targets. In real-world conditions, an agent would need to discover vulnerable machines with sufficient GPU resources on its own — a significantly more complex task. Nevertheless, the authors of the study directly indicate: these barriers will decrease as models improve.
The Palisade Research study is the first documented demonstration of autonomous exploitation of vulnerabilities combined with full replication of neural network models. The results raise questions about how adequate existing control mechanisms over AI systems are compared to their development pace.
