• Negative impacts of UPF scaremongering: Clients, colleagues, and public report distress from fear-based messaging on ultra-processed foods.
• UPF definition challenges: Ultra-processed foods lack clear definition; high intake correlates with poor health but evidence has limitations.
• Processing benefits: Food processing offers nutritional advantages; home cooking not always superior or feasible.
• Disordered eating prevalence: Affects 22% of UK youth, 31% adults; global orthorexia at 27.5%; eating disorders impact 1.25 million in UK, rising yearly.
• Triggers from UPF messaging: Leads to label obsession, anxiety, restriction, binge cycles, and moral framing of foods.
• Research links: Clean eating messages associated with disordered eating; UPF discourse mirrors past trends; public reports confusion and stress.
• Vulnerable populations: Youth and those with eating history at higher risk; anecdotes include relapses, parental shame, reliance on UPFs.
• Recommended approach: Prioritize nuanced messaging for health without demonization to support sustainable food relationships.

As a Registered Dietitian Specialising in Disordered Eating, I have spoken to so many clients, colleagues and members of the public who have seen or experienced negative impacts due to the current scaremongering about ultra-processed foods (UPFs). 

You can check out my previous article for a deep dive into UPFs and the evidence around them. In short, UPFs are hard to clearly define. While a high intake is linked with poorer health, the evidence base has significant limitations. Level of processing doesn’t automatically determine a food’s nutritional value, processing has nutritional benefits too, and cooking from scratch isn’t always better or realistic for everyone.

Disordered eating refers to a wide range of unhealthy attitudes and behaviours around food that fall short of a formal eating disorder diagnosis, but can still cause significant distress and harm. It includes patterns such as rigid food rules, obsessive calorie or ingredient checking, chronic dieting, guilt or shame after eating, restriction and rebound bingeing, and compulsive exercise.

Disordered eating is common, and it often goes unrecognised. In the UK, 22% of children and adolescents and 31% of adults show signs of disordered eating. On a global scale, a meta-analysis of over 30,000 people across 18 countries found that around 27.5% displayed symptoms of orthorexia nervosa – an unhealthy fixation on eating “pure” or “healthy” foods. And these figures could well be an underestimation, as disordered eating is difficult to define and measure, and many behaviours are so normalised within diet culture that people may not even identify them as problematic.

Eating disorders sit at the more severe end of this spectrum. In the UK, around 1.25 million people have an eating disorder, and the prevalence is increasing by roughly 7% each year. Binge-eating disorder is the most common type of eating disorder – affecting 1 in 50 people, with 40% of those affected being male. Anorexia nervosa has the highest mortality rate of any psychiatric disorder, underlining the seriousness of these conditions.

Fear-based messages about UPFs can lead to label obsession, heightened anxiety, unnecessary restriction, and cycles of bingeing after deprivation. For those already prone to disordered eating, or living with an eating disorder, the current discourse around UPFs can provide a socially acceptable way to justify restriction. 

When foods are framed in moral terms (processed = bad, unprocessed/whole foods = good), it reinforces black-and-white thinking and catastrophising, fuelling shame and eroding trust in our own body cues. The fact that anti-UPF messages are often shared by seemingly authoritative figures, including doctors who lack nutrition training or qualifications, can make them especially insidious and triggering.

Unfortunately, not many studies have specifically looked into how messages about UPFs can impact our relationship with food. However, a study from 2019 did find that messages about “clean eating” and “natural” food was linked to disordered eating and orthorexia. There’s a good case to be made that the clean-eating craze from the 2010s has evolved into today’s UPF panic – the language and people promoting it have shifted, but the underlying fear, rigidity and moral framing is so similar. 

A typical snack selection in a small UK shop. By Alan Pope on Unsplash.

A UK Sciencewise report from 2024 also found that public dialogue around UPFs has led to confusion, stress, and anxiety about everyday foods.

Certain groups appear particularly vulnerable. Young people, and those with a current or past history of disordered eating, are most at risk of internalising fear-based messages about UPFs. For them, advice framed in this way can easily trigger rigid food rules and cycles of guilt, anxiety, and disconnection from intuitive eating.

On a more anecdotal level, I’ve had numerous conversations and messages from people whose relationship with food has suffered as a result of UPF anxiety. People have told me that fear of UPFs have led to a relapse of their eating disorder. Parents described how they feel ashamed or paralysed when trying to feed children with additional needs such as allergies or selective eating. And many people have told me how they simply couldn’t feed themselves and their families without UPFs, and they now feel so much shame for this. 

Some argue that concerns about disordered eating represent only a “minority issue,” and that public health messaging should focus on discouraging UPF consumption for the greater good. But this overlooks the scale of the problem. Disordered eating affects at least a third of the population (and likely more) – and the numbers are rising. It can affect anyone, at any life stage, and in severe cases may develop into a clinical eating disorder with potentially life-threatening consequences. Even if the numbers were lower, the seriousness of disordered eating and eating disorders make prevention a clear public health priority.

We also can’t even clearly define UPFs, and the evidence for avoiding or significantly reducing UPF consumption is weak, with numerous limitations. Furthermore, there are benefits to processing and UPFs can absolutely be included within a balanced, nutritious and sustainable diet (see my previous article for more information about this).

Importantly, we can still prioritise health and good nutrition without demonising, fearmongering or increasing the risk of disordered eating. We’ve seen time and time again that simply labelling certain foods as “bad” or “to be avoided” doesn’t lead to public health improvements.  A more effective path lies in balanced, nuanced messaging that supports both physical and mental wellbeing, and helps people build a realistic, sustainable and positive relationship with food.

• Qwen3-VL context window: Processes two-hour videos or hundreds of document pages within 256,000 tokens.
• Needle-in-haystack test: 100% accuracy on 30-minute videos, 99.5% on two-hour videos with one million tokens.
• Visual math benchmarks: 85.8% on MathVista, 74.6% on MathVision, surpassing GPT-5 and Gemini 2.5 Pro.
• Document and OCR performance: 96.5% on DocVQA, 875 on OCRBench across 39 languages with over 70% accuracy in 32.
• Specialized tasks: 61.8% on ScreenSpot Pro GUI, 63.7% on AndroidWorld, 56.2% on long docs, up to 90.5% on chart description.
• Areas of lower performance: 69.3% on MMMU-Pro behind GPT-5's 78.4%, trails in video QA benchmarks.
• Architectural upgrades: Interleaved MRoPE, DeepStack for multi-level vision, text timestamps for video timing.
• Training and release: One trillion tokens on 10,000 GPUs, open weights under Apache 2.0 from 2B to 235B-A22B on Hugging Face.

AI research

Nov 28, 2025Nov 28, 2025

Jonathan Kemper

Qwen3-VL can scan two-hour videos and pinpoint nearly every detail

Alibaba

Jonathan Kemper

Jonathan writes for THE DECODER about how AI tools can improve both work and creative projects.

Profile

E-Mail

Content

Share article

A few months after launching Qwen3-VL, Alibaba has released a detailed technical report on the open multimodal model. The data shows the system excels at image-based math tasks and can analyze hours of video footage.

The system handles massive data loads, processing two-hour videos or hundreds of document pages within a 256,000-token context window.

In "needle-in-a-haystack" tests, the flagship 235-billion-parameter model located individual frames in 30-minute videos with 100 percent accuracy. Even in two-hour videos containing roughly one million tokens, accuracy held at 99.5 percent. The test works by inserting a semantically important "needle" frame at random positions in long videos, which the system must then find and analyze.

The needle-in-a-haystack test measures the model's ability to locate specific frames in long videos. | Image: Alibaba

Share

Recommend our article

In published benchmarks, the Qwen3-VL-235B-A22B model often beats Gemini 2.5 Pro, OpenAI GPT-5, and Claude Opus 4.1 - even when competitors use reasoning features or high thinking budgets. The model dominates visual math tasks, scoring 85.8 percent on MathVista compared to GPT-5's 81.3 percent. On MathVision, it leads with 74.6 percent, ahead of Gemini 2.5 Pro (73.3 percent) and GPT-5 (65.8 percent).

Gemini's older 2.5 Pro model maintains a slight lead in general image understanding. | Image: Alibaba

The model also shows range in specialized benchmarks. It scored 96.5 percent on the DocVQA document comprehension test and 875 points on OCRBench, supporting 39 languages - nearly four times as many as its predecessor.

Qwen3-VL achieves over 70 percent accuracy on OCR tasks in 32 of the 39 supported languages. | Image: Alibaba

Alibaba claims the system demonstrates new capabilities in GUI agent tasks. It achieved 61.8 percent accuracy on ScreenSpot Pro, which tests navigation in graphical user interfaces. On AndroidWorld, where the system must independently operate Android apps, Qwen3-VL-32B hit 63.7 percent.

The model handles complex, multi-page PDF documents as well. It scored 56.2 percent on MMLongBench-Doc for long document analysis. On the CharXiv benchmark for scientific charts, it reached 90.5 percent on description tasks and 66.2 percent on complex reasoning questions.

It is not a clean sweep, however. In the complex MMMU-Pro test, Qwen3-VL scored 69.3 percent, trailing GPT-5's 78.4 percent. Commercial competitors also generally lead in video QA benchmarks. The data suggests Qwen3-VL is a specialist in visual math and documents, but still lags in general reasoning.

Key technical advances for multimodal AI

The technical report outlines three main architectural upgrades. First, "interleaved MRoPE" replaces the previous position embedding method. Instead of grouping mathematical representations by dimension (time, horizontal, vertical), the new approach distributes them evenly across all available mathematical areas. This change aims to boost performance on long videos.

Recommendation

AI research

OpenAI outperforms humans and Google at the world's top collegiate programming contest

Qwen3-VL combines a vision encoder and language model to process text, images, and videos simultaneously. DeepStack uses visual information from different processing levels. | Image: Alibaba

Second, DeepStack technology allows the model to access intermediate results from the vision encoder, not just the final output. This gives the system access to visual information at different levels of detail.

Third, a text-based timestamp system replaces the complex T-RoPE method found in Qwen2.5-VL. Instead of assigning a mathematical time position to every video frame, the system now inserts simple text markers like "<3.8 seconds>" directly into the input. This simplifies the process and improves the model's grasp of time-based video tasks.

Training at scale with one trillion tokens

Alibaba trained the model in four phases on up to 10,000 GPUs. After learning to link images and text, the system underwent full multimodal training on about one trillion tokens. Data sources included web scrapes, 3 million PDFs from Common Crawl, and over 60 million STEM tasks.

In later phases, the team gradually expanded the context window from 8,000 to 32,000 and finally to 262,000 tokens. The "Thinking" variants received specific chain-of-thought training, allowing them to explicitly map out reasoning steps for better results on complex problems.

Open weights under Apache 2.0

All Qwen3-VL models released since September are available under the Apache 2.0 license with open weights on Hugging Face. The lineup includes dense variants ranging from 2B to 32B parameters, as well as mixture-of-experts models: the 30B-A3B and the massive 235B-A22B.

While features like extracting frames from long videos aren't new - Google's Gemini 1.5 Pro handled this in early 2024 - Qwen3-VL offers competitive performance in an open package. With the previous Qwen2.5-VL already common in research, the new model is likely to drive further open-source development.

Share

You have read 2 of our articles this month. Thank you for your interest!

Support our independent, free-access reporting. Any contribution helps and secures our future. Support now:

Bank transfer

Summary

• Alibaba's Qwen3-VL, launched in September, outperforms GPT-5 and Gemini 2.5 Pro on benchmarks that require solving math questions using images, analyzing videos, and understanding documents.
• The latest technical report highlights that Qwen3-VL can process very long videos and large amounts of text at the same time, accurately identify video frames, and recognize text in 39 languages.
• The model was trained on a trillion text and image samples using 10,000 GPUs, is openly available.

Sources

Arxiv

Jonathan Kemper

Jonathan writes for THE DECODER about how AI tools can improve both work and creative projects.

Profile

E-Mail

Share

AI in practice

Oct 4, 2025Oct 4, 2025

Alibaba releases Qwen3 compact open source multimodal models

News, tests and reports about VR, AR and MIXED Reality.

What happens next with MIXED My personal farewell to MIXED Meta and Anduril are now jointly developing XR headsets for the US military [MIXED-NEWS.com](https://mixed-news.com/en/ target=)

AI in practice

Sep 23, 2025Sep 23, 2025

Alibaba's Qwen introduces new models for voice, image editing and safety

Google News

Join our community

Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.

• Federal judge dismissal: District Judge Cameron McGowan Currie tossed accusations against James B. Comey and Letitia James.
• Appointment invalidity: Judge ruled Attorney General’s installation of Lindsey Halligan as Interim U.S. Attorney for Eastern District of Virginia invalid.
• Presidential nomination: President Donald Trump named Halligan to fill U.S. attorney vacancy due to Senate delays.
• Allegations persist: Ruling neither absolves Comey of potential lying to Congress nor clears James of alleged mortgage fraud.
• Refiling option: Attorney General Pam Bondi can assign special attorney to refile indictments within six months.
• Other judicial blocks: Judges rejected Alina Habba in New Jersey, Sigal Chattah in Nevada, and John Sarcone in upstate New York.
• Constitutional authority: Constitution entrusts president with selecting senior officers, including recess appointments amid Senate delays.
• Recommended action: Bondi urged to use Senate-confirmed attorney to restore charges against Comey and James.

OPINION:

Unforced errors by Justice Department officials could allow James B. Comey and Letitia James to escape accountability for their actions. For now. 

On Monday, a federal judge tossed the accusations against the former FBI director and the New York attorney general, asserting the judiciary had veto power over President Donald Trump’s choice of U.S. attorney.

“I agree with Mr. Comey that the Attorney General’s attempt to install Ms. [Lindsey] Halligan as Interim U.S. Attorney for the Eastern District of Virginia was invalid,” wrote District Judge Cameron McGowan Currie.

The president named Ms. Halligan, a lawyer who had earned his trust, to fill the U.S. attorney vacancy in Virginia. Senate dawdling has left her and many other critical presidential nominees hanging. The silver lining in the judge’s technical, and dubious, ruling is that it neither absolves Mr. Comey of culpability for potentially lying to Congress, nor does it clear Ms. James of her alleged mortgage fraud.

Attorney General Pam Bondi is free to assign a special attorney to take over and refile the indictments within the next 6 months. That’s exactly what she should have done from the start. Sending a conventionally appointed attorney to assist Ms. Halligan in presenting these cases to the grand jury would have avoided this unnecessary spectacle.

It should have been obvious that wily Democrats would advance every possible objection, knowing an ideologically allied court would be eager for an excuse — any excuse will do — to exonerate these resistance heroes. Nothing Ms. Halligan could have done would have altered the outcome.

In August, District Judge Matthew W. Brann, an appointee of President Barack Obama, rejected the president’s selection, Alina Habba, to serve as U.S. attorney in New Jersey. Judge David G. Campbell, an appointee of President George W. Bush, refused Sigal Chattah as U.S. attorney in Nevada. A cabal of federal judges in upstate New York nixed John Sarcone as interim U.S. attorney.

The legitimacy of Ms. Habba’s appointment was argued before the Third Circuit U.S. Court of Appeals in October, and there’s no guarantee that the administration’s stance will be upheld. For that to happen, judges would have to agree to cede a power they very much enjoy having back to the executive where it belongs.

Which makes one wonder why Ms. Halligan was ever put in this untenable position. It should have been obvious that a sabotage tactic used with success in four other jurisdictions would also be employed in two of the highest-profile cases the department has right now. Undoubtedly, many career staffers within the Robert F. Kennedy Building are silently cheering this failure.

The Constitution entrusts responsibility for selecting the most senior officers of the United States to the president, subject to the advice and consent of the Senate. It also recognizes the White House’s need to make unilateral recess appointments to keep offices staffed when the upper chamber drags its feet. Ms. Halligan’s appointment raises no constitutional red flags.

Congress granted the unelected branch a limited authority over personnel outside the judicial branch, which Judge Currie and her colleagues are exploiting. Whether this delegation is legitimate is a question the Supreme Court will have to resolve.

Until then, Ms. Bondi should show she’s serious about securing justice in Virginia by having an undisputed, Senate-confirmed attorney restore the charges against Mr. Comey and Ms. James. Perhaps Ms. Bondi could argue the case herself.

Copyright © 2025 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.

• Personal Habit: The text describes a long-standing individual routine of afternoon napping used to combat post-lunch fatigue, a behavior socially recognized by peers.
• Caffeine Nap Definition: A strategy known as a "nappuccino" involves consuming a caffeinated beverage immediately before taking a short power nap.
• Adenosine Function: Sleep regulation is linked to the organic compound adenosine, which accumulates in the brain during wakefulness and decreases during sleep.
• Receptor Competition: Caffeine promotes alertness by binding to the same receptors as adenosine, effectively blocking the sleep-inducing compound from attaching.
• Hypothetical Mechanism: The strategy relies on the 15 to 60-minute window it takes for caffeine to take effect, theoretically allowing a nap to reduce adenosine levels before the caffeine binds to the freed receptors.
• Evidence Limitations: Scientific support for the specific mechanism of caffeine naps is described as lacking robust methodology, with one cited pilot study relying on a sample size of only six participants.
• Conflicting Guidelines: Research regarding the optimal timing for caffeine intake is inconsistent, with some sources suggesting a delay after waking while others claim no difference.
• Unproven Efficacy: The text concludes that the effectiveness of caffeine naps is not definitively known, speculating that perceived benefits may result from the placebo effect.

If there’s one thing to know about me, it’s that I never quite outgrew the afternoon nap phase we all went through as kids. Among my friends, napping was (and still is) considered to be my “thing." From my friends creating a photo album of me dozing in the library to getting me a pajama set for my birthday, it’s been a hard reputation to shake. As someone who consistently gets slammed with the strong yearn to catch some post-lunch Zzz’s, the caffeine nap strategy is one I find fascinating.

For those who are not as well versed in napping strategies, a caffeine nap – a.k.a. the nappuccino - is when you take a power nap immediately after consuming a caffeinated beverage. Of course, this method sounds incredibly counterintuitive, but there may be something to this napping method. In my lifetime, I have taken a handful of caffeine naps, and I must admit that I have felt more refreshed after doing so. But why? Is it just placebo, or is this an untapped gold mine for my fellow sleepyheads? To begin to understand this mystery, let’s look at the function of the organic compound, adenosine.

While to us, sleep may feel like a very simple state, brain on, brain off, it is in fact a complex process carried out by many systems within our bodies. So, while this article will mainly focus on the role of adenosine receptors in regulating sleep, just know that this is only one aspect of what goes on when we are in dreamland. The Adenosine Sleep Theory was conceived of by researcher Miodrag Radulovacki in 1985_._ This hypothesis was developed using evidence in cats and rats. Among these organisms, adenosine levels increased during wakefulness and decreased during sleep. These preliminary findings inspired sleep research in humans and continued animal research, which supported the hypothesis of adenosine playing a role in regulating sleep homeostasis.

A good way to conceptualize adenosine is to think of it as the currency through which our brains measure time being awake. Essentially, more adenosine builds up in our brains the more active and alert we are during the day. When we sleep, adenosine is recycled, and its levels in our brain are reduced. When there is less adenosine receptor stimulation, we feel more awake. Conversely, the longer we are awake, the more adenosine we produce and therefore the more tired we are at the end of the day. When we introduce caffeine into the equation, things get a bit more dicey. Caffeine binds the same receptors as adenosine, effectively making it adenosine’s arch nemesis. Because caffeine, among its many other effects on the body, binds to adenosine receptors, it promotes alertness as adenosine has fewer open receptors to bind to.

This is where the caffeine nap comes in. When you drink a caffeinated beverage, depending on your age, weight, most recent meal, etc. it takes between 15 and 60 minutes for the effects to settle in. This is the window in which the nap-step of the two-step caffeine nap process occurs. Based on knowledge surrounding the impact of sleep on natural adenosine levels, it has been hypothesized that during the nap, adenosine levels decrease, which free adenosine receptors, allowing caffeine to bond in adenosine's place. The result of this is waking up from a nap both refreshed and caffeinated. That is why users may feel that these naps are more effective and leave them feeling much more awake than if they had just taken a 20-minute power nap.

While an interesting idea, this process lacks the necessary scientific evidence to support it. There have been few studies that look specifically at the mechanism of action behind caffeine naps, and the ones that do are not as methodologically robust as we would like them to be. For example, a 2020 pilot study found that individuals who took caffeine-naps during a lab-simulated night shift had less performance impairment than those in the placebo group (a regular nap with no caffeine). However, this study only included 6 participants, so the results should be interpreted with caution. Additionally, this study looked at more extreme instances of sleep deprivation, rather than your typical midday sleepiness.

This also begs the question of whether this method holds up first thing in the morning. Surely if you are to feel a boost of wakefulness after a caffeine nap, then wouldn’t this be a foolproof way to truly become a morning person? Not necessarily. The research in this domain is not only limited, but conflicting. Some proponents go as far as to say that caffeine should be avoided until at least 60 to 90 minutes after waking up, while others say that it makes no difference.

The moral of this story is that we don’t really know how effective caffeine naps are – if at all. But, hey, when it comes to getting reenergized in the middle of the day, maybe a placebo is all I need. Perhaps you can experiment with a friend who is also a fan of this method, but slip them a decaffeinated coffee rather than a caffeinated one...

@‌EvaKellner

Eva Kellner is a recent graduate from the Faculty of Arts and Science, with a major in Environment. Her research interests include urban green spaces, urban agriculture, and outdoor community spaces - all as promoters of climate resilience among city-dwellers.

Part of the OSS mandate is to foster science communication and critical thinking in our students and the public. We hope you enjoy these pieces from our Student Contributors and welcome any feedback you may have!

• Underground AI Market Growth: Cybercriminals access sophisticated markets for custom LLMs aiding low-level hacking tasks from major companies' legitimate purchases.
• Unit 42 Report Findings: Palo Alto Networks’ Unit 42 examines underground forums advertising and selling jailbroken and open-source AI tools for hacking or penetration testing.
• Sales Models: Tools offered via dark web subscriptions, yearly plans, or as malware-trained copies maintained by communities.
• Dual-Use Capabilities: Models assist in vulnerability scanning, data encryption, exfiltration, and code writing, benefiting hackers and defenders.
• Historical Parallels: Andy Piazza compares AI tools to Metasploit and Cobalt Strike, originally for good purposes but adopted by malicious actors.
• WormGPT Evolution: New WormGPT4 version reemerges with boundary-free LLM features, cheap subscriptions starting at $220 for lifetime access or source code.
• KawaiiGPT Accessibility: Free GitHub tool with quick Linux setup, casual interface, community of 500 developers updating its malicious functions.
• Impact on Hacking Barriers: Tools lower entry requirements by simplifying terminology and script generation, despite limitations like easily detectable malware code.

As legitimate businesses purchase AI tools from some of the largest companies in the world, cybercriminals are accessing  an increasingly sophisticated underground market for custom LLMs designed to  assist with lower-level hacking tasks.

In a report published Tuesday, Palo Alto Networks’ Unit 42 looked at how underground hacking forums advertise and sell custom, jailbroken, and open-source AI hacking tools. 

These programs are sold on dark web forums, advertised as either explicit hacking tools or dual-use penetration testing tools. Some offer monthly or yearly subscriptions, while others appear to be copies of commercial models trained on malware datasets and maintained by dedicated communities.

The models provide foundational capabilities around certain tasks that could be helpful to both hackers and cybersecurity defenders alike, like scanning for vulnerabilities in a network, encrypting data, exfiltrating data, or writing code. 

Andy Piazza, senior director of threat intelligence for Unit 42, told CyberScoop that as AI tools have improved, their dual use nature in cybersecurity has become clearer.

“You know, Metasploit is a good guy framework, and it can be used by bad guys,” said Piazza. “Cobalt Strike was developed by good guys and now unfortunately bad guys have cracked it and used it as well. And now we’re seeing the same thing with AI.”

The report highlights two recent examples.

Starting in September, a new version of WormGPT appeared on underground forums. The jailbroken LLM first emerged in 2023 before its developers went underground amid heightened scrutiny and media reporting. This year a newer version reemerged, advertised  as a hacking tool that would offer LLM capabilities “without boundaries.”

The original WormGPT claimed to be trained on malware datasets, exploit writeups, phishing templates, and other data meant to finetune its hacking assistance. The model and architecture behind the newer version (WormGPT4) remains unknown.

Unit 42 researchers said this updated version “marks an evolution from simple jailbroken models to commercialized, specialized tools to help facilitate cybercrime,” offering cheap monthly and annual subscriptions. Lifetime access costs as little as $220, with an option to purchase the full source code.

“WormGPT 4’s availability is driven by a clear commercial strategy, contrasting sharply with the often free, unreliable nature of simple jailbreaks,” the report noted. “The tool is highly accessible due to its easy-to-use platform and cheap subscription cost.”

Another model, KawaiiGPT, is free on GitHub with a lightweight setup that took “less than five minutes” to configure on Linux. It advertises itself as “Your Sadistic Cyber Pentesting Waifu.” 

While likely a copy of an open-source or older commercial AI model, it “represents an accessible, entry-level, yet functionally potent malicious LLM.” It uses a casual tone, greeting users, with comments like “Owo! Okay! Here you go….” while delivering malicious outputs.

“While its code for attack functions might be less complex than the more optimized PowerShell scripts generated by WormGPT 4, KawaiiGPT instantly provides the social and technical scaffolding for an attack,” the report claimed.

Like many open-source tools, KawaiiGPT also has a dedicated community of around 500 developers who update and tweak it to maintain effectiveness. 

Piazza has concerns about these AI tools’ availability and their impact on the cybercriminal ecosystem, but he joked they’re less about “AI lasers dropping malware in our networks” or other overhyped threats. 

The capabilities described in the report fall below those seen in recent incidents, like a hacking campaign identified by Anthropic that automated large portions of successful cyber attacks. Piazza noted real limitations with the models being sold on the underground market. For example, While LLMs may  generate malware faster, internal tests at Palo Alto Networks found that most of the code is easily detectable. 

The real danger, he said, is that the report confirms what cyber professionals have warned about since LLMs first emerged: their potential to make criminal hacking easier and less technical.

“It’s just that interoperability,” said Piazza.  You don’t even have to be good with the terminology. You don’t even have to use the word ‘lateral movement,’ when using these tools. You can just ask ‘How do I find other systems on the network?’ and it can drop you out a script. So that barrier to entry: lowering and lowering.”