Microsoft researchers described AutoJack, an exploit chain that can turn an AI browsing agent into a remote code execution path by abusing AutoGen Studio’s MCP WebSocket surface. The issue affected only pre-release builds 0.4.3.dev1 and 0.4.3.dev2, while the stable PyPI release 0.4.2.2 was not exposed; the fix is in GitHub main at commit b047730. #AutoJack #AutoGenStudio #Microsoft #AutoGen #b047730
Key points
- AutoJack uses an AI browsing agent to load an attacker-controlled page and trigger code execution.
- The attack targets AutoGen Studio’s MCP WebSocket route in pre-release versions 0.4.3.dev1 and 0.4.3.dev2.
- The chain relies on a localhost trust check, missing authentication, and command execution from a request parameter.
- Microsoft says the issue was reported through MSRC and has been hardened in commit b047730 on GitHub main.
- Mitigations include avoiding shared hosts for browsing agents and AutoGen Studio, or isolating them in containers or VMs.
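The three weaknesses named above (trusting a loopback peer, no authentication, and executing a request-supplied command) compose into one chain because a browsing agent on the same host connects from 127.0.0.1 and carries the attacker page's Origin. The following Python is an added illustration of that reasoning and of the corresponding hardening, not AutoGen Studio's code: every name (`loopback_only_allows`, `SessionAuth`, `dispatch`, the tool table) is hypothetical, and the request shapes are constructed for the example.

```python
import hmac
import secrets

# Constructed example: a minimal authorisation model for a local WebSocket
# route that an agent or a browser page may reach. Not AutoGen Studio's code;
# all names and request shapes are hypothetical.

LOOPBACK = {"127.0.0.1", "::1"}


def loopback_only_allows(remote_addr: str) -> bool:
    """The weak check: trust any peer that arrives over loopback.

    A browsing agent (or any browser) running on the same host also connects
    from 127.0.0.1, so a page it was steered to passes this check unchanged.
    """
    return remote_addr in LOOPBACK


class SessionAuth:
    """Hardened check: loopback AND an Origin allowlist AND a per-session bearer token.

    Browsers send the page's Origin on a WebSocket handshake, so an attacker-hosted
    page fails the allowlist; a fresh random token per server start stops any page
    that does not already hold it.
    """

    def __init__(self, allowed_origins):
        self.token = secrets.token_urlsafe(32)
        self.allowed_origins = set(allowed_origins)

    def authorize(self, remote_addr: str, headers: dict) -> tuple[bool, str]:
        if remote_addr not in LOOPBACK:
            return False, "non-loopback peer"
        if headers.get("Origin", "") not in self.allowed_origins:
            return False, "origin not allowed"
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False, "missing token"
        presented = auth[len("Bearer "):]
        # Constant-time comparison so token checking does not leak timing.
        if not hmac.compare_digest(presented, self.token):
            return False, "bad token"
        return True, "ok"


# Tool dispatch by allowlisted name: the request chooses *which* handler runs,
# never *what* gets executed, so no request parameter reaches a shell.
TOOLS = {
    "list_sessions": lambda params: ["session-1", "session-2"],
    "echo": lambda params: str(params.get("text", "")),
}


def dispatch(request: dict):
    """Run the named tool with its parameters; reject anything not in TOOLS."""
    name = request.get("tool")
    if name not in TOOLS:
        raise ValueError(f"unknown tool {name!r}")
    return TOOLS[name](request.get("params", {}))


if __name__ == "__main__":
    auth = SessionAuth(allowed_origins={"http://127.0.0.1:8081"})
    evil = {"Origin": "http://attacker.example", "Authorization": "Bearer guess"}
    print(loopback_only_allows("127.0.0.1"))      # True: weak check passes
    print(auth.authorize("127.0.0.1", evil))      # (False, 'origin not allowed')
    print(dispatch({"tool": "echo", "params": {"text": "hi"}}))
```

The point of the comparison is that loopback address checks answer "where is the socket from?" while the threat is "which page is driving a process on this host?"; only the Origin allowlist and the session token answer the second question. Running the agent and the studio in separate containers or VMs, as the keypoints suggest, removes the shared loopback entirely.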
Read More: https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html