Samy Worm: First Self-Replicating XSS Worm (MySpace, 1M Infected in 20 Hours)
Incident Details
On October 4, 2005, security researcher Samy Kamkar launched the Samy worm, the first self-replicating cross-site scripting (XSS) worm in history. The worm exploited an XSS vulnerability in MySpace user profiles: MySpace attempted to filter JavaScript, but the filter could be bypassed by exploiting CSS attribute handling. The payload automatically added Samy Kamkar as a friend of any MySpace user who viewed an infected profile and replicated the worm code to the viewer’s own profile, so it spread exponentially. The worm also displayed the message ‘but most of all, samy is my hero’ on infected profiles. Within approximately 20 hours of launch, the worm had infected approximately 1 million MySpace users, making it one of the fastest-spreading pieces of malware seen up to that time. MySpace was forced to take its site offline to contain the infection. Kamkar was visited by US Secret Service agents, had his computers seized, was charged under California Penal Code 502 (unauthorized computer access), and was sentenced to three years’ probation. The Samy worm demonstrated that client-side web application vulnerabilities (XSS) could be exploited for automated, self-propagating attacks, a revelation that fundamentally advanced the field of web application security and the understanding of XSS as a high-severity vulnerability class.
Technical Details
- Initial Attack Vector: Reflected/stored cross-site scripting (XSS) vulnerability in MySpace user profiles exploited by a self-replicating JavaScript payload; the worm ran in any visitor's browser when they viewed an infected profile, automatically added the author as a friend, replicated itself to the visitor's own profile, and spread exponentially
- Vendor / Product: MySpace social network
- Malware Family: Samy worm (JavaScript XSS worm)
Timeline
- 2005-10-04 Breach occurred
- 2005-10-04 Publicly disclosed