<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Attack-Chain on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/attack-chain/</link><description>Recent content in Attack-Chain on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Fri, 19 Jun 2026 15:30:47 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/attack-chain/index.xml" rel="self" type="application/rss+xml"/><item><title>AutoJack: AI Agent RCE via Malicious Web Page</title><link>https://zxcloudsecurity.co.uk/posts/autojack-ai-agent-remote-code-execution-web-page-hijack/</link><pubDate>Fri, 19 Jun 2026 15:30:47 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/autojack-ai-agent-remote-code-execution-web-page-hijack/</guid><description>Microsoft&amp;#39;s AutoJack exploit lets a single web page hijack an AI browsing agent to execute code on the host — no credentials required. Here&amp;#39;s what architec</description><content:encoded><![CDATA[<p>🔴 <strong>Critical</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html">The Hacker News</a></p>
<hr>
<p>Microsoft researchers have disclosed &lsquo;AutoJack&rsquo;, an exploit chain that weaponises AI browsing agents to achieve remote code execution on the host machine. The attacker only needs to lure the agent to a malicious web page: JavaScript on that page talks to a privileged local service and has it spawn a process, with no credentials and no interaction beyond the agent loading the page. Because those requests originate from the agent&rsquo;s own browser on the host, a service that authenticates callers only by locality cannot tell them apart from legitimate agent traffic. This is significant because it demonstrates that AI agents, which often run with elevated local privileges, dramatically expand the attack surface of any machine they operate on.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit the local services and named pipes exposed by any AI agent frameworks deployed in your environment. Binding such services to localhost is necessary but not sufficient here: the malicious page&rsquo;s requests come from the agent&rsquo;s own browser on that same host, so the service must also validate the browser-supplied Origin header against an allowlist, require a per-session secret that a foreign page cannot read, and refuse CORS preflights from unknown origins. Sandbox AI agents in isolated VMs or containers with minimal host privileges, and block agent navigation to untrusted or external URLs via policy until vendors issue patches.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html">AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution</a></p>
]]></content:encoded></item></channel></rss>