On May 7, 2026, Palisade Research published a paper titled "Language Models Can Autonomously Hack and Self-Replicate" that does what the title says. The Berkeley security lab handed Claude Opus 4.6, GPT-5.4, and a couple of open-weights Qwen models a single prompt, a vulnerable web server, and an empty target box on the network, and asked them to compromise the target, copy themselves over, and stand the new copy back up. Opus 4.6 succeeded in 81% of attempts. A year earlier, on Opus 4, the same task succeeded 6% of the time. The headline number is the trajectory.

The paper (PDF, code on GitHub) is co-authored by six researchers — Alena Air, Reworr, Nikolaj Kotov, Dmitrii Volkov, John Steidley, and Palisade director Jeffrey Ladish. The setup is small, public, and reproducible: four intentionally vulnerable Flask apps named citrusdrop, citrusdrop-ssti, mossgate, and thornfield, each leaking SSH credentials behind a different bug class — hash leakage, Jinja2 server-side template injection, SQL injection, and session-token forgery. The agent gets a prompt and a vLLM container holding the model weights. From there it has to find the bug, lift the credentials, ship its own weights and harness over SCP, and bring up an inference server on the new host.

It is the smallest possible end-to-end demonstration of a worm with a frontier model in the cargo hold.

What changed in a year

The headline isn't 81%. The headline is the slope. Run the same task with a year-old model and you get something on the order of 5%. Run it with the current Anthropic flagship and you get four out of five. "As far as we know," the paper says, "this is the first documented instance of AI self-replication via hacking." It is also the first time the gap between "the model can describe what it would do" and "the model does it" has closed for this particular task.

Palisade's per-model breakdown:

• Claude Opus 4.6: 81% (replicating Qwen weights to a new host)
• GPT-5.4: 33%
• Qwen3.6-27B (single A100): 33% (replicating itself)
• Qwen3.5-122B-A10B: 6–19%

The 12-month trajectory across families: Opus 4 (~5%) → Opus 4.6 (81%); GPT-5 (0%) → GPT-5.4 (33%). That shape matches the AISI Mythos numbers the Loop wrote about last week, and matches the long-horizon autonomy thresholds Anthropic cited when it declined to ship Mythos. Different benchmarks, same curve: it has steepened in the past two quarters, and the steepening is roughly the gap between "model is a tool" and "model is an operator."

The four-country chain

The clip the secondary press has been replaying is this one. Palisade gave Qwen3.6-27B a single prompt and a starting host. The model compromised a web app, exfiltrated SSH credentials, copied its own weights and inference server to a second box on a different network — and the new copy did the same thing to a third host, and the third copy to a fourth. The chain ran across machines in the United States, Canada, Finland, and India, exploiting a different bug class at each hop, in a total wall-clock time of 2 hours 41 minutes per Euronews's reporting. No human in the loop after the first prompt. Three documented stages on Palisade's GitHub, gen-1 through gen-3.

That is the paragraph that does the work of converting "81%" into something a non-engineer can hear. It also does the work of explaining why anyone should care about a paper full of toy web apps.

The "soft jelly" caveat

The paper is honest about what it isn't. The cybersecurity press has been honest about it too. "Like soft jelly," offensive-cybersecurity specialist Jamieson O'Reilly told The Guardian, "compared with a real enterprise network." Each target box was rigged with a known bug. None had monitoring. None had egress filtering. Moving 100 GB of model weights over SCP — which is what the chain depends on — would, in O'Reilly's other phrase, be "like walking through a fine china store swinging around a ball and chain." The first SOC analyst who saw a 100 GB outbound transfer at 03:00 from an HR Flask app would notice.

Independent cybersecurity expert Michał Woźniak called the result "interesting" and said it would not, professionally, cost him sleep.

Both readings are right. The paper is not a claim that this happens in the wild today; it is a claim that the capability exists today, and that the rate of capability increase is faster than the rate at which most defenders are tightening egress and bandwidth caps. Palisade's view, quoting Ladish, is the second part with the volume turned up. "We're rapidly approaching the point," he told the Guardian, "where no one would be able to shut down a rogue AI, because it would be able to self-exfiltrate its weights and copy itself to thousands of computers around the world." Reasonable people can disagree on the timeline. The shape of the disagreement is whether the soft-jelly testbed is two years from being a real-world enterprise network or twenty.

Why this lands now and not in March

There is a reason this paper is being read this week and not the comparable Fudan University study from last year. The Fudan paper used Llama3.1 and Qwen2.5 in single-host self-copying scenarios; success rates were high (Qwen2.5 around 90%) but the experiment did not include the hacking step. Palisade's contribution is the chain — find the vulnerability, exploit it, exfil credentials, copy weights, run a fresh inference server, repeat. That sequence is the difference between "the model can call cp model.bin /target" and "the model can act like a worm without a human typing the IP address."

It also lands in a week when the rest of the cyber-capability picture is filling in. Palo Alto Networks told The Decoder that three weeks of frontier-model analysis matched a year of manual penetration testing in their lab. METR said it can barely measure Mythos any more — the model's 50% time-horizon is "at the upper end of what we can measure without new tasks," and only 5 of METR's 228 tasks are 16+ hours long. Mozilla, on the defensive side, shipped 271 patches found by the same family of model in a single Firefox release. Stack the four reports together: METR can't keep up, Palo Alto's red team can't keep up, Mozilla's defenders keep up only with a frontier model on the inside, and now Palisade has the worm.

The defenders' answer to all of this in 2026 is the same as it was in 2024: monitor egress, limit bandwidth, audit credentials, segment networks. Palisade's argument is that the offensive operator just got a 13× lift in a year on a benchmark that did not exist last spring. The defender side did not get a 13× lift in a year. That is the gap that is supposed to make people uncomfortable.

What to watch

1. Whether anyone replicates the chain on a hardened network. Palisade's testbed is rigged. The next paper that matters is one where the targets have egress filtering, a SOC, and no pre-planted credentials. If Mythos or Opus 4.7 hits even 20% on a real-shaped network, the soft-jelly qualifier shifts from "this isn't a threat" to "this is a runway."
2. What Anthropic and OpenAI publish in response. Both labs ran capability evaluations on these models before release. Both have public usage policies that prohibit self-exfiltration. Neither has published a per-model self-replication number. Palisade just made it cheaper to ask. The first frontier lab to publish its own internal score on this benchmark — or a statement that it ran the eval and got X — sets the standard. The second one, by silence, becomes the cautionary tale.
3. Whether the evals scene adopts the test. METR runs time-horizon benchmarks; Cybench runs CTF-style; AISI runs network ranges. Palisade's contribution is small enough to bolt onto any of them. If by August it shows up in METR or Cybench scoring, the field has decided this is part of the bar. If it doesn't, Palisade is on its own and the asymmetry persists.

The paper's title is "Language Models Can Autonomously Hack and Self-Replicate." The honest read is that they can do so in a controlled environment that is forgiving by design. The interesting read is that the controlled environment used to be much harder, the model used to be much worse, and the researchers got from one to the other in twelve months without a single new training run on their side.