AutoJack – A Single Web Page Can Hijack Your AI Agent to Execute Malicious Code
ID: a63f848a-0b36-514c-8851-a05a3b10d52c
STIX ID: report--a63f848a-0b36-514c-8851-a05a3b10d52c
Feed Name: cybersecurityNews.com
AutoJack is a three-vulnerability exploit chain against AutoGen Studio's MCP WebSocket endpoint. A malicious web page, when rendered by a browsing agent running on the developer's machine, can open a WebSocket to localhost that the endpoint treats as authenticated and send a base64-encoded server_params payload; the server decodes and executes it, yielding arbitrary code execution on the developer's machine. The upstream project patched the issues (commit b047730, version 0.7.2), and the PyPI release was confirmed not to include the vulnerable MCP surface. The report outlines mitigations: enforcing authentication on the WebSocket, storing server parameters server-side instead of accepting them from the client, allowlisting the executables an MCP server may launch, and identity isolation.
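The following is an added example, not code from AutoGen Studio or from the report, showing the weak pattern described above (a base64 blob from the socket decides what gets executed) beside a handler that applies three of the listed mitigations: a per-session token check, server-side lookup of MCP server definitions by id, and an executable allowlist. It also rejects browser Origins other than the UI's own, a standard defence when a local WebSocket can be reached by any page a local agent renders. The message shape, origins, token, store contents and function names are all hypothetical.

```python
"""Added example (not AutoGen Studio's code): hardening a local WebSocket
endpoint that launches MCP servers. All names, origins and messages below
are constructed for illustration."""
import base64
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed configuration (hypothetical values).
SESSION_TOKEN = "t0ken-issued-at-login"          # would be minted per UI session
ALLOWED_EXECUTABLES = {"npx", "uvx", "python3"}  # launchers an MCP entry may use
ALLOWED_ORIGINS = {"http://localhost:8081"}      # the UI's own origin only

# Server-side store: the UI registers MCP servers here; clients reference them by id,
# never by sending the command line itself.
SERVER_STORE = {
    "fs-readonly": {"command": "npx", "args": ["-y", "@example/mcp-fs", "--read-only"]},
    "bad-entry":   {"command": "bash", "args": ["-c", "id"]},  # fails the allowlist
}


@dataclass
class LaunchDecision:
    ok: bool
    reason: str
    argv: Optional[List[str]] = None


def forged_message() -> str:
    """Constructed attacker message in the weak wire format: the command to run is
    carried inside a base64-encoded server_params blob chosen by the page."""
    params = {"command": "bash", "args": ["-c", "id"]}
    blob = base64.b64encode(json.dumps(params).encode()).decode()
    return json.dumps({"server_params": blob})


def insecure_parse(message: str) -> List[str]:
    """The weak pattern: decode whatever the socket sent and return it as argv.
    Anything connected to the socket fully controls the command."""
    payload = json.loads(base64.b64decode(json.loads(message)["server_params"]))
    return [payload["command"], *payload.get("args", [])]


def hardened_decide(message: str, origin: Optional[str],
                    expected_token: str = SESSION_TOKEN) -> LaunchDecision:
    """Hardened pattern: decide whether a launch request may proceed."""
    # 1. Origin check: a third-party page rendered by a local agent is not the UI.
    if origin not in ALLOWED_ORIGINS:
        return LaunchDecision(False, "origin not allowed")
    try:
        req = json.loads(message)
    except json.JSONDecodeError:
        return LaunchDecision(False, "malformed request")
    if not isinstance(req, dict):
        return LaunchDecision(False, "malformed request")
    # 2. Authentication: constant-time comparison of the per-session token.
    token = req.get("session_token", "")
    if not isinstance(token, str) or not hmac.compare_digest(token, expected_token):
        return LaunchDecision(False, "unauthenticated")
    # 3. Server-side parameters: the client may only name a stored entry.
    if "server_params" in req:
        return LaunchDecision(False, "client-supplied server_params rejected")
    entry = SERVER_STORE.get(req.get("server_id"))
    if entry is None:
        return LaunchDecision(False, "unknown server_id")
    # 4. Executable allowlist, applied even to stored entries.
    if entry["command"] not in ALLOWED_EXECUTABLES:
        return LaunchDecision(False, f"executable {entry['command']!r} not allowlisted")
    return LaunchDecision(True, "ok", [entry["command"], *entry["args"]])


if __name__ == "__main__":
    msg = forged_message()
    print("insecure would run:", insecure_parse(msg))
    print("hardened:", hardened_decide(msg, "http://evil.example"))
    good = json.dumps({"session_token": SESSION_TOKEN, "server_id": "fs-readonly"})
    print("hardened:", hardened_decide(good, "http://localhost:8081"))
```

The Origin header is the one signal that tells a localhost service whether a browser connection came from its own UI or from some other page the agent loaded; checking it and requiring a session token together close the "authenticated-appearing" gap, and keeping the command line in the server-side store means a forged message can at most name an entry the developer already registered.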
