Microsoft fixed a vulnerability chain called AutoJack in AutoGen Studio that could let attackers execute arbitrary commands on a developer’s machine. The attack vector? Simply having an AI agent visit a malicious webpage.
AutoGen Studio is the GUI for Microsoft’s open-source multi-agent AI framework. It’s popular — 59,000 stars on GitHub, nearly 9,000 forks. Developers use it to prototype AI agents that browse the web, run code, and interact with external systems.
The chain exploited three weaknesses. First, the MCP WebSocket treated a connection from localhost as trusted. But the agent’s browser runs on the developer’s machine, so JavaScript served by any page that browser visits also connects from localhost; an attacker’s page could open the socket and pass that check. Second, the authentication middleware skipped /api/mcp/* routes entirely, so no credential was needed. Third, the WebSocket accepted a base64-encoded parameter from the URL and passed it straight to process-launching code, so the attacker could name an arbitrary PowerShell or Bash command.
In Microsoft’s demo, the payload launched Calculator. In a real attack, it could’ve been anything running with the developer’s privileges.
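To make the three weaknesses concrete, here is a small Python model of the WebSocket handler’s decision in its weak and hardened forms. This is an added example, not AutoGen Studio’s code or Microsoft’s fix; the request shape, the base64 JSON parameter layout, the token, the allowlists and the sample requests are all constructed for the illustration.

```python
import base64
import hmac
import json
import subprocess
from dataclasses import dataclass, field
from typing import Optional

# Constructed values: a placeholder token, the origins the Studio UI would
# legitimately load from, and the launchers an MCP server config may name.
API_TOKEN = "example-token-not-a-real-secret"
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}
ALLOWED_COMMANDS = {"uvx", "npx"}
LOCAL_ADDRS = {"127.0.0.1", "::1"}


@dataclass
class WsRequest:
    """Parts of a WebSocket upgrade request the handler reasons about (assumed shape)."""
    path: str
    remote_addr: str
    origin: Optional[str]
    auth_header: Optional[str]
    query: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: Optional[list] = None


def encode_server_params(params: dict) -> str:
    """Build the base64 query value the way a client would (assumed encoding)."""
    return base64.urlsafe_b64encode(json.dumps(params).encode()).decode()


def decode_server_params(b64: str) -> dict:
    """Decode the base64 JSON naming the MCP server process to start."""
    params = json.loads(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    if not isinstance(params, dict) or not isinstance(params.get("command"), str):
        raise ValueError("server params must be an object naming a command")
    args = params.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    return {"command": params["command"], "args": args}


def _token_ok(req: WsRequest) -> bool:
    header = req.auth_header or ""
    if not header.startswith("Bearer "):
        return False
    return hmac.compare_digest(header[len("Bearer "):].encode(), API_TOKEN.encode())


def vulnerable_decide(req: WsRequest) -> Decision:
    """One handler carrying all three weaknesses described above."""
    # Weakness 2: auth middleware exempts /api/mcp/* entirely.
    if not req.path.startswith("/api/mcp/") and not _token_ok(req):
        return Decision(False, "auth required")
    # Weakness 1: a localhost peer address is taken as proof of a trusted client,
    # but the agent's browser runs here too, so attacker JS also connects locally.
    if req.remote_addr not in LOCAL_ADDRS:
        return Decision(False, "not a local connection")
    # Weakness 3: whatever the URL parameter names goes to the process launcher.
    params = decode_server_params(req.query["server_params"])
    return Decision(True, "ok", [params["command"], *params["args"]])


def hardened_decide(req: WsRequest) -> Decision:
    """Same handler with each weakness closed."""
    # Fix 2: every route authenticates, the MCP WebSocket included.
    if not _token_ok(req):
        return Decision(False, "auth required")
    # Fix 1: check the browser-supplied Origin against an allowlist; a 127.0.0.1
    # peer address says nothing about which page opened the socket.
    if req.origin not in ALLOWED_ORIGINS:
        return Decision(False, f"origin not allowed: {req.origin!r}")
    # Fix 3: only allowlisted launchers run, with argv passed without a shell.
    try:
        params = decode_server_params(req.query.get("server_params", ""))
    except ValueError as exc:  # covers bad base64 and bad JSON too
        return Decision(False, f"bad server params: {exc}")
    if params["command"] not in ALLOWED_COMMANDS:
        return Decision(False, f"command not allowed: {params['command']!r}")
    return Decision(True, "ok", [params["command"], *params["args"]])


def launch(decision: Decision) -> subprocess.Popen:
    """Start the MCP server only after an allowed decision; list argv, no shell."""
    if not decision.allowed or not decision.argv:
        raise PermissionError(decision.reason)
    return subprocess.Popen(decision.argv, shell=False)


# Constructed requests. ATTACKER_REQUEST models the chain: JS from a hostile page,
# running in the agent's browser on the developer's machine, opens the MCP socket
# with no token and names a PowerShell payload (Calculator, as in the demo).
ATTACKER_REQUEST = WsRequest("/api/mcp/ws", "127.0.0.1", "https://attacker.example", None,
    {"server_params": encode_server_params({"command": "powershell", "args": ["-Command", "calc.exe"]})})
LEGIT_REQUEST = WsRequest("/api/mcp/ws", "127.0.0.1", "http://localhost:8081", f"Bearer {API_TOKEN}",
    {"server_params": encode_server_params({"command": "uvx", "args": ["mcp-server-fetch"]})})
# A leaked token alone must not suffice: the Origin check still blocks a foreign page.
AUTHED_FOREIGN_ORIGIN = WsRequest("/api/mcp/ws", "127.0.0.1", "https://attacker.example",
    f"Bearer {API_TOKEN}", ATTACKER_REQUEST.query)

if __name__ == "__main__":
    print("vulnerable:", vulnerable_decide(ATTACKER_REQUEST))
    print("hardened:  ", hardened_decide(ATTACKER_REQUEST))
    print("legit:     ", hardened_decide(LEGIT_REQUEST))
```

The point of the three sample requests is that each fix blocks a different move: the weak handler accepts the attacker request outright, the hardened one rejects it for lacking a token, rejects the same payload with a valid token because the Origin is foreign, and rejects an allowed origin and token that name a non-allowlisted launcher.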
Here’s the important caveat: this never shipped in a PyPI release. If you installed AutoGen Studio from pip, you’re fine. The vulnerability only existed in the GitHub main branch for a short window before commit b047730 hardened it, so if you run from a source checkout of main, make sure it includes that commit.
Microsoft’s advice is still worth following. Run AutoGen Studio in an isolated environment, such as a sandboxed profile or container, under a low-privilege account, and don’t run an agent that browses the web on your daily-driver machine. That’s good practice for any dev prototype that executes code or launches processes.
