
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution

thehackernews.com 2026-06-19 AI agent abuse Critical

What Happened

Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page, and that page's JavaScript can reach a privileged local service on the same machine and spawn a process on the host. No credentials, no sign-in screen, and no further user interaction once

Why It Matters

According to Microsoft’s write-up and coverage of the AutoJack exploit chain, a single malicious web page can cause an AI browsing agent using AutoGen Studio pre-release builds to contact a privileged localhost MCP WebSocket and trigger arbitrary process execution on the host, without credentials or further user interaction.[1][3][6] The attack relies on steering the agent (e.g., via a URL field or prompt injection) to load attacker-controlled content, which then abuses unauthenticated local control-plane endpoints to spawn host processes.[1][3] From a CyberSE.AI perspective, this is a canonical AI agent abuse scenario in which tool-use and local control planes are insufficiently authenticated and isolated. The implication is that organizations must treat localhost as an attack surface, strictly authenticate all agent control planes, allowlist process execution and other dangerous tools, and use continuous AI red teaming to probe for similar chained weaknesses before deploying browsing or code-execution agents to untrusted environments.[1][3]
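An added illustration, not code from Microsoft's write-up or from the AutoGen project, of the checks a localhost agent control plane would apply so that a page the agent is steered to cannot open the MCP WebSocket or trigger process execution: an Origin allowlist on the handshake, a bearer token compared in constant time, and a tool policy that gates process execution behind human approval. The origin, token and tool names are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample: a per-session secret handed to the agent's own client out-of-band.
CONTROL_PLANE_TOKEN = secrets.token_urlsafe(32)

# Only the agent's own UI origin may open the control-plane WebSocket (assumed value).
ALLOWED_ORIGINS = {"http://127.0.0.1:8081"}

# Tool allowlist; process execution additionally needs an explicit human approval flag.
TOOL_POLICY = {"read_file": "auto", "run_process": "approval_required"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize_handshake(headers: dict) -> Decision:
    """Decide whether a WebSocket upgrade may reach the local MCP control plane.

    `headers` is the upgrade request's header map with lower-case keys.
    """
    # Browsers always attach Origin to WebSocket handshakes, so a page the agent was
    # steered to arrives with its own origin; anything not allowlisted (or absent) is refused.
    origin = headers.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return Decision(False, f"origin not allowlisted: {origin!r}")
    # Being on localhost is not an identity: require a bearer token, compared in constant time.
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
        presented.encode(), CONTROL_PLANE_TOKEN.encode()
    ):
        return Decision(False, "missing or invalid control-plane token")
    return Decision(True, "handshake authorized")


def authorize_tool_call(tool: str, human_approved: bool = False) -> Decision:
    """Gate each tool invocation on the allowlist plus approval for dangerous tools."""
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        return Decision(False, f"tool not allowlisted: {tool!r}")
    if policy == "approval_required" and not human_approved:
        return Decision(False, f"{tool!r} requires human approval")
    return Decision(True, f"{tool!r} permitted")
```

Either check failing closes the connection before any tool message is parsed, so a steered page can neither reach the socket nor get a process spawned.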

Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to AI agent abuse. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html
