Agentic Intelligence · Infomly

One web page just turned your AI agent into a root shell. Your CISO has no detection for this.

Microsoft just disclosed AutoJack.

A single malicious web page can hijack your AI browsing agent and execute arbitrary code on your developer's machine.

No credentials. No user click. No further interaction.

Here's how it works.

AutoGen Studio's AI agent browses a URL. That page runs JavaScript. The JavaScript opens a WebSocket to localhost. AutoGen Studio trusts it because it's from localhost. It executes whatever command the attacker sent.

Three weaknesses chained together. Origin check bypassed because the agent IS localhost. Auth middleware skipped MCP routes. Command parameters came straight from the URL with no allowlist.

Your developer's workstation just became the attacker's delivery vehicle.

This is not a theoretical risk. Microsoft mapped it to MITRE ATT&CK. The pattern is general. Any agent framework that can browse untrusted content AND reach local services has this exact same vulnerability class.

68% of organizations already can't tell AI agent actions from human actions in audit logs. 65% experienced an AI agent security incident last year. And the agents are getting more capable every week.

AutoJack was fixed in development before any PyPI release. But the PATTERN is everywhere. And most enterprises have no detection rules for agent-driven lateral movement.

Audit every agent that can browse the web. Isolate them from privileged local services. Stop treating localhost as a trust boundary.
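The three weaknesses and their fixes, side by side, as an added example (not AutoGen Studio's code and not from Microsoft's write-up). The route prefix, port, header choice, command names and sample requests are all assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# All names and values here are hypothetical, constructed for this example.
SESSION_TOKEN = secrets.token_urlsafe(32)   # minted at startup, given only to the real UI
UI_ORIGIN = "http://127.0.0.1:8081"         # exact origin of the legitimate front end
ALLOWED_COMMANDS = {"list_tools", "get_status"}
LOOPBACK = {"127.0.0.1", "::1"}
TOKEN_HEADER = "Sec-WebSocket-Protocol"     # browsers cannot set Authorization on a WebSocket


def command_of(url):
    return parse_qs(urlsplit(url).query).get("command", [""])[0]


def weak_authorize(url, headers, peer_ip):
    """Simplified model of the three weaknesses the post lists."""
    if peer_ip not in LOOPBACK:                       # 1. loopback peer is trusted outright
        return False, "remote peer"
    if not urlsplit(url).path.startswith("/mcp/"):    # 2. token check skipped on MCP routes
        if headers.get(TOKEN_HEADER) != SESSION_TOKEN:
            return False, "missing or bad token"
    return True, command_of(url)                      # 3. command from the URL, no allowlist


def hardened_authorize(url, headers, peer_ip):
    """Loopback earns no trust; every route needs the token; commands are allowlisted."""
    if headers.get("Origin") != UI_ORIGIN:            # exact scheme + host + port
        return False, "origin mismatch"
    supplied = headers.get(TOKEN_HEADER, "").encode()
    if not hmac.compare_digest(supplied, SESSION_TOKEN.encode()):
        return False, "missing or bad token"          # enforced on /mcp/ too
    command = command_of(url)
    if command not in ALLOWED_COMMANDS:
        return False, "command not allowlisted"
    return True, command


# Constructed handshakes: one from a page the agent's browser rendered, one from the UI.
AGENT_REQUEST = ("ws://127.0.0.1:8081/mcp/ws?command=run_shell",
                 {"Origin": "https://untrusted.example"}, "127.0.0.1")
UI_REQUEST = ("ws://127.0.0.1:8081/mcp/ws?command=get_status",
              {"Origin": UI_ORIGIN, TOKEN_HEADER: SESSION_TOKEN}, "127.0.0.1")

if __name__ == "__main__":
    for name, fn in (("weak", weak_authorize), ("hardened", hardened_authorize)):
        print(name, "agent-rendered page:", fn(*AGENT_REQUEST), "| UI:", fn(*UI_REQUEST))
```

The hardened function never reads `peer_ip`: a connection arriving over loopback says nothing about who caused it once an agent on the same host renders untrusted pages.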

SOURCE: https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/

VERIFIED: Microsoft Security Blog (June 18, 2026), The Hacker News (June 19, 2026), GBHackers (June 20, 2026)

SIGNAL: Every enterprise running AI agents with browsing capabilities is exposed to this attack class. Localhost is no longer a trust boundary when agents can render untrusted web content.