Microsoft’s security researchers have uncovered a worrying attack technique that shows how AI agents can become a security risk when they are given too much trust.
The attack, nicknamed AutoJack, targeted an early development version of AutoGen Studio, Microsoft’s platform for building and testing AI agents. Rather than exploiting a single critical flaw, the attack combined several minor weaknesses that, together, could have allowed a malicious website to execute code on a user’s machine.
The core problem was a trusted communication channel intended to accept connections only from the local computer. On paper, that sounds secure. In practice, however, the AI agent’s built-in browser was also treated as a trusted local source, creating an unexpected shortcut around existing protections.
A potential attack was surprisingly simple. A user could ask an AI agent to analyze or summarize a webpage. Hidden instructions on that page could then abuse the trust relationship between the browser and the local control service, ultimately convincing the agent to download and execute malicious code. Depending on the attacker’s goals, that payload could range from spyware and credential stealers to full remote-access malware.
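As an added illustration (not code from AutoGen Studio or from Microsoft’s write-up), the two authorization policies below model the trust boundary just described: the weak one accepts any connection from the local machine, so a request the agent’s browser issues while rendering a web page passes; the hardened one also demands a per-launch secret that a web page never holds and rejects requests carrying browser-origin headers. The request dicts, token value and header layout are constructed sample values.

```python
import hmac
import ipaddress


def is_loopback(peer_ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1 peers."""
    return ipaddress.ip_address(peer_ip).is_loopback


def authorize_weak(req: dict) -> bool:
    """Weak policy: trust anything that connects from the local machine."""
    return is_loopback(req["peer_ip"])


def authorize_hardened(req: dict, session_token: str) -> bool:
    """Hardened policy: loopback AND a per-launch secret AND a non-browser caller."""
    if not is_loopback(req["peer_ip"]):
        return False
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(auth[len("Bearer "):], session_token):
        return False
    # Browsers attach Origin / Sec-Fetch-Site to page-initiated requests; the
    # control channel is meant only for the desktop client, never for a page.
    if "origin" in headers or "sec-fetch-site" in headers:
        return False
    return True


# Constructed sample values; a real service would generate the token randomly per launch.
SESSION_TOKEN = "constructed-demo-token"
DESKTOP_CLIENT = {"peer_ip": "127.0.0.1",
                  "headers": {"Authorization": f"Bearer {SESSION_TOKEN}"}}
# Issued by the agent's built-in browser while it renders an untrusted page:
# it also arrives from loopback, so source address alone cannot tell it apart.
PAGE_DRIVEN = {"peer_ip": "127.0.0.1",
               "headers": {"Origin": "http://example.invalid",
                           "Sec-Fetch-Site": "cross-site"}}
REMOTE = {"peer_ip": "203.0.113.5", "headers": {}}


def compare_policies() -> dict:
    """Return {name: (weak_decision, hardened_decision)} for the three callers."""
    callers = [("desktop", DESKTOP_CLIENT), ("page", PAGE_DRIVEN), ("remote", REMOTE)]
    return {n: (authorize_weak(r), authorize_hardened(r, SESSION_TOKEN)) for n, r in callers}
```

The decisive line is the `page` row: the loopback-only policy lets the page-driven request through, while the hardened policy refuses it because the page has no token and is marked as browser traffic.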
Fortunately, there is no evidence that the vulnerability was exploited in the wild. The issue existed only in an early GitHub development build and never made it into the officially released version of AutoGen Studio. Microsoft reported the problem internally, and the AutoGen team fixed the flaws before they could reach production users.
The incident highlights a growing challenge for AI-powered software. As agents gain the ability to browse websites, access local services, and perform actions on behalf of users, the boundaries between trusted and untrusted content become increasingly important. A simple webpage may no longer be just a webpage if an AI agent is doing the browsing for you.