Microsoft just disclosed AutoJack.
A single malicious web page hijacked an AI browsing agent and executed arbitrary code on the host machine.
No credentials. No login. No user interaction.
Three weaknesses chained together made this possible.
First, the browsing agent inherits localhost identity. The machine trusts it automatically.
Second, MCP WebSocket authentication is skipped for localhost connections.
Third, the agent accepts commands directly from the web page and executes them with full privileges.
Your AI agent visits a page. The page tells the agent to connect to the local MCP server. The server trusts it because it comes from localhost. The agent does whatever the page says.
This is not a theoretical attack. Microsoft's security team demonstrated it by launching arbitrary processes on a developer's workstation.
AutoGen Studio has 59,000 GitHub stars. The vulnerability was fixed before PyPI release. But developers building from GitHub during the vulnerable window were exposed.
The real danger is not this specific bug. It is the architectural pattern.
Every AI agent that browses the web, calls APIs, or processes external content faces the same problem. The agent is local. Its instructions come from remote sources. The code it executes can therefore originate from an external attacker.
Your security boundary is not your network perimeter anymore. It is every web page your agent visits.
Audit your AI agent deployments today. If any agent has web browsing capabilities, verify it runs in an isolated environment with no localhost trust. Restrict process execution permissions. Monitor network calls to approved domains only.
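As an added illustration, not code from the post, from Microsoft, or from AutoGen Studio: the Python below models the weak handshake check the post describes (loopback peers skip authentication) beside a hardened version that never treats a peer address as a credential, plus an outbound-domain allowlist check and a monitoring pass of the kind the audit advice calls for. The request fields, the token scheme, the allowed-origin list and the log records are assumptions constructed for the example.

```python
"""Added example (not AutoGen Studio's or Microsoft's code): two defender-side
checks for a locally hosted agent tool endpoint, following the post's advice.
Field names, the token scheme and the sample records are assumptions."""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class HandshakeRequest:
    """Parts of a WebSocket upgrade request relevant to authorization (hypothetical model)."""
    peer_host: str              # socket peer address as seen by the server
    origin: Optional[str]       # Origin header; browsers always send it, non-browser clients may omit
    auth_token: Optional[str]   # bearer token presented by the client


def _token_ok(presented: Optional[str], expected: str) -> bool:
    # Constant-time comparison; encoding avoids compare_digest raising on non-ASCII text.
    return presented is not None and hmac.compare_digest(presented.encode(), expected.encode())


def authorize_weak(req: HandshakeRequest, expected_token: str) -> bool:
    """The pattern the post describes: loopback peers skip authentication.
    A page rendered by the agent reaches this endpoint *from* loopback, so the
    exemption is a bypass, not a convenience."""
    if req.peer_host in LOOPBACK:
        return True
    return _token_ok(req.auth_token, expected_token)


def authorize_hardened(req: HandshakeRequest, expected_token: str,
                       allowed_origins: Iterable[str]) -> bool:
    """Peer address is never a credential: require the token on every connection,
    and when an Origin header is present (a web page initiated the handshake)
    accept only origins that are explicitly allowed."""
    if not _token_ok(req.auth_token, expected_token):
        return False
    if req.origin is not None:
        return req.origin.lower() in {o.lower() for o in allowed_origins}
    return True


def destination_allowed(url: str, approved_domains: Iterable[str]) -> bool:
    """True only when the URL's parsed hostname is an approved domain or a subdomain
    of one. Parsing first defeats userinfo tricks such as
    https://approved.example@evil.example/ whose real host is evil.example."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").rstrip(".").lower()
    if not host:
        return False
    for dom in approved_domains:
        dom = dom.lower().strip(".")
        if host == dom or host.endswith("." + dom):
            return True
    return False


def flag_unapproved(calls: Iterable[dict], approved_domains: Iterable[str]) -> List[str]:
    """Monitoring pass over outbound-call records; returns the URLs outside the allowlist."""
    approved = list(approved_domains)
    return [c["url"] for c in calls if not destination_allowed(c["url"], approved)]


# Constructed sample data for a stand-alone run (none of it is from the post).
EXPECTED_TOKEN = "example-token-not-real"
ALLOWED_ORIGINS = ["http://localhost:8081"]          # the agent's own UI, assumed
APPROVED_DOMAINS = ["approved.example"]
PAGE_INITIATED = HandshakeRequest("127.0.0.1", "https://attacker.example", None)
UI_INITIATED = HandshakeRequest("127.0.0.1", "http://localhost:8081", EXPECTED_TOKEN)
SAMPLE_CALLS = [                                     # constructed log records
    {"ts": "T+0s", "url": "https://api.approved.example/v1/search"},
    {"ts": "T+2s", "url": "https://approved.example@evil.example/"},
    {"ts": "T+3s", "url": "https://notapproved.example/"},
]

if __name__ == "__main__":
    print("weak, page-initiated from loopback:", authorize_weak(PAGE_INITIATED, EXPECTED_TOKEN))
    print("hardened, page-initiated:", authorize_hardened(PAGE_INITIATED, EXPECTED_TOKEN, ALLOWED_ORIGINS))
    print("hardened, UI with token:", authorize_hardened(UI_INITIATED, EXPECTED_TOKEN, ALLOWED_ORIGINS))
    print("flagged:", flag_unapproved(SAMPLE_CALLS, APPROVED_DOMAINS))
```

The weak check accepts the page-initiated handshake purely because it arrives from 127.0.0.1; the hardened check rejects it for lacking the token and for carrying an origin that is not the agent's own UI, while a tokenless non-browser client (no Origin header) is still refused. The allowlist check matches on the parsed hostname so that a userinfo prefix or a look-alike domain such as notapproved.example is not mistaken for an approved one.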
The localhost trust assumption is dead. Your security model needs to catch up.
SOURCE: https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/
VERIFIED: Microsoft Security Blog (June 19, 2026), BleepingComputer (June 22, 2026), Cloud Security Alliance Research Note (June 20, 2026)
SIGNAL: AutoJack breaks the fundamental localhost trust assumption that underpins every developer tool and AI agent framework. Any enterprise deploying AI agents with web browsing capabilities now faces a new attack class that traditional network security cannot detect.
An AI agent visited one web page. That page took over the machine. AutoJack is the first AI agent drive-by.
AI-Assisted Content — Produced with AI assistance and human editorial review.