What happened
The Microsoft Defender Security Research Team disclosed AutoJack on June 18, 2026: a three-vulnerability exploit chain in AutoGen Studio (Microsoft Research's agentic prototyping UI) that allows untrusted web content rendered by a browsing agent to reach a local MCP WebSocket and spawn arbitrary processes on the host. The attack crosses the localhost trust boundary without authentication.
Why it matters
AutoJack demonstrates a systemic risk in agentic AI frameworks: agents with web-browsing and privileged local-tool access create an RCE surface. It highlights that localhost is no longer a trust boundary once agents can access both the open web and local services. It affects developers using AutoGen Studio in production-like environments.
Applicability
Developers and ML engineers using AutoGen Studio; organizations deploying browsing agents with local tool integration. Immediate remediation guidance: isolate agents from privileged local services.
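
One way a privileged local service can stop treating a loopback connection as proof of trust is to check every WebSocket upgrade before accepting it. The sketch below is an added example, not AutoGen Studio code or Microsoft's fix; the port, the allowlists, the function names and the out-of-band token delivery are assumptions, and the sample handshakes are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for illustration; not taken from AutoGen Studio.
ALLOWED_HOSTS = {"127.0.0.1:8081", "localhost:8081"}
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
SESSION_TOKEN = secrets.token_urlsafe(32)  # given to the legitimate UI out of band


def check_upgrade(headers, token, peer_ip):
    """Decide whether to accept a WebSocket upgrade; returns (ok, reason).

    headers maps lower-cased header names to values.
    """
    # Loopback peer is necessary but proves nothing: a page rendered by a
    # local browser or browsing agent also connects from 127.0.0.1.
    if peer_ip not in ("127.0.0.1", "::1"):
        return False, "non-loopback peer"
    # Host must name this service, which defeats DNS rebinding.
    if headers.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    # Browsers attach Origin to WebSocket handshakes; refuse foreign pages.
    origin = headers.get("origin")
    if origin is not None:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}".lower() not in ALLOWED_ORIGINS:
            return False, "cross-origin page"
    # Non-browser clients can omit or forge Origin, so always require the secret.
    if not token or not hmac.compare_digest(token.encode(), SESSION_TOKEN.encode()):
        return False, "missing or bad token"
    return True, "ok"


def demo():
    """Run constructed handshakes through the check."""
    ui = {"host": "127.0.0.1:8081", "origin": "http://127.0.0.1:8081"}
    web = {"host": "127.0.0.1:8081", "origin": "https://untrusted.example"}
    rebind = {"host": "rebind.example:8081", "origin": "http://rebind.example:8081"}
    return {
        "ui": check_upgrade(ui, SESSION_TOKEN, "127.0.0.1"),
        "web page": check_upgrade(web, None, "127.0.0.1"),
        "rebinding": check_upgrade(rebind, None, "127.0.0.1"),
        "no token": check_upgrade(ui, None, "127.0.0.1"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A handshake check of this kind complements the isolation guidance above and does not replace it: an agent that can reach the service with a valid token still needs its tool permissions constrained.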