AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Summary
Microsoft researchers discovered AutoJack, an exploit that lets a malicious web page hijack an AI browsing agent to run commands on the host computer through weaknesses in AutoGen Studio's MCP (Model Context Protocol, a system for agents to call external tools) WebSocket handler. The attack requires no credentials or user interaction beyond the agent loading the attacker's page, and affects only users who installed pre-release versions 0.4.3.dev1 or 0.4.3.dev2 from PyPI, not the stable release.
Solution / Mitigation
Pull from GitHub main at or after commit b047730. Until a patched PyPI release is available, do not run AutoGen Studio on the same machine as a browsing or code-execution agent that touches untrusted content. If they must run together, isolate them in separate containers or VMs and run AutoGen Studio under a low-privilege account.
Classification
Affected Vendors
Related Issues
CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
CVE-2026-40087: LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-str
Original source: https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html
First tracked: June 19, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%