Microsoft Defender’s AutoJack: one webpage RCEs the AI agent host
Microsoft Defender’s AutoJack: one webpage RCEs the AI agent host
AI Sec News Weekly #14 — 188 sources scanned
We’re great at isolating code. We’re terrible at isolating capabilities. Once a system can click, fetch, and run on our behalf, every input becomes a potential proxy for our keys. That’s the old confused‑deputy story wearing a new UI.
In the agent era, origin boundaries don’t help. The graph of tools is the boundary. The real question isn’t “did the model behave,” it’s “whose authority did it just project?” One team found out the hard way this week. The takeaway for us: model safety without capability hygiene is theater. So what would a same‑capability policy look like? And how would we debug it when the prompt is innocent and the tools aren’t?
This Week's Stories
AutoJack: single web page can RCE an AI agent host
Microsoft Defender Security Research Team details AutoJack, where content on one webpage coerces a browsing AI agent into using its own tools to execute code on the underlying machine. The write‑up traces the path from HTML to OS‑level actions with a working PoC—no browser CVE, just agent toolchain abuse.
Why it matters: Browsing-capable agents collapse the distance between untrusted HTML and your shell, turning every link into an execution boundary.
Microsoft Security Blog by Microsoft Defender Security Research Team
Forgotten Contributor Account Compromises Entire Mastra npm Package Scope
An attacker hijacked a dormant former contributor account whose publish access to the @mastra npm scope had never been revoked, then republished 143 packages with a single injected dependency: easy-day-js. The package initially appeared as a legitimate Day.js clone, but a subsequent version introduced a malicious postinstall hook that disabled TLS verification, downloaded a second-stage payload from attacker-controlled infrastructure, and deployed a cross-platform cryptocurrency stealer and remote access trojan. The compromise affected virtually the entire @mastra scope, including @mastra/core, which receives millions of monthly downloads.
Why it matters: A stale maintainer permission became a supply chain entry point, showing how forgotten contributor access can enable attackers to compromise an entire package ecosystem without modifying the source code itself.
Snyk Blog by Liran Tal and Marian Corneci
Tool Spotlight
New repos and releases worth trying.
Augustus ships a production-grade LLM adversarial scanner in Go
Praetorian’s Augustus is a single Go binary that batters models with 210+ probes across jailbreaks, prompt injection, agent attacks, format exploits, and data extraction. It integrates with 28 providers, runs concurrent scans with rate limits/retries, and emits table/JSON/JSONL/HTML. 90+ detectors (incl. HarmJudge) plus ‘buff’ transforms (Base64, ROT13, translation, poetry) stress responses. Use case: probe an Ollama‑hosted model for Markdown injection and key leakage.
Why it matters: Repeatable adversarial runs across many backends make LLM security claims falsifiable.
MosaicLeaks tests whether research agents leak via web queries
MosaicLeaks is a Hugging Face benchmark of 1,001 multi‑hop research chains mixing private docs with web retrieval to study query‑log leakage. It scores Intent, Answer, and Full‑Information leakage when an observer sees only the agent’s searches. A leakage‑aware RL method (PA‑DR) raised strict‑chain success from 48.7% to 58.7% and cut answer/full‑info leakage from 34.0% to 9.9%. Use case: evaluate a wiki‑backed research agent that also hits the web.
Why it matters: Outbound search is an inference channel, so “keep the docs local” doesn’t guarantee privacy.
Hugging Face Blog by Alexander Gurung
AWS Continuum previews model‑driven code vuln triage and remediation
AWS announced Continuum for code vulnerabilities (gated preview), a model‑agnostic system that reasons over your AWS environment and org context to drive findings to closure. It ingests your backlog, scans anew, then prioritizes, validates, and mitigates in continuous phases. Validation includes constructing working exploit examples in a sandbox with evidence‑backed prioritization. Use case: rank a repo’s vuln by production reachability and attach a runnable PoC.
Why it matters: Triage that arrives with runnable exploits shifts the hard problem from finding bugs to deciding how much autonomy to hand security automation.
Community Chatter
What practitioners are debating.
Shadow AI Debate: DLP Panic Fades, Identity Sprawl Takes Center
Practitioners rallied around Token Security + Cloud Security Alliance’s claim that 'shadow AI' now means who agents can act as, not what users paste. The piece shows MCP servers, browser extensions, and SaaS helpers wiring agents into Salesforce, Snowflake, and GitHub with inherited, creator‑level creds; one example reads logs, edits configs, opens tickets, and triggers pipelines under one token. DLP die‑hards said leaks still matter, but even they called zombie service accounts and unexpired scopes the nastier failure.
Why it matters: When agent identities aren’t owned, experimentation and production blur, and a throwaway script can wield lasting change authority.
Elastic pitches hybrid agent memory with DLS; devs split on safety
Elastic’s blog touts 'agent memory' backed by hybrid dense+BM25 retrieval and Elasticsearch Document‑Level Security to fence per‑user notes. In the Lobsters thread, search veterans called DLS proven for multi‑tenant RAG, while ML folks worried embeddings, logs, or summarization caches can echo private data outside DLS. Others argued query‑time ACLs don’t help if an agent’s token is mis‑scoped or shared.
Why it matters: Treating retrieval ACLs as the safety line moves memory privacy from the model to the index — one misbound identity turns 'my notes' into everybody's.
Quick Hits
- JetBrains plugins caught stealing developers' AI API keys (JetBrains) — 15 JetBrains IDE plugins were found stealing AI API keys from settings, exfiltrating to 39.107.60[.]51, about 70k installs since Oct 2025.
- One-click Copilot bug exposed emails, files, MFA codes (The Hacker News) — CVE-2026-42824 let one-click hijack Microsoft 365 Copilot Enterprise Search to steal emails, files, and MFA codes via prompt injection, a sanitizer race, and Bing SSRF, now patched.
- UK faces backlash over AI age checks for asylum (The Register Security) — Rights groups say the UK Home Office's planned AI facial age checker for asylum cases is biased and inaccurate, with about +/-2.5-year errors near ages 16-18 and rollout set for 2027.
- Spyware plants 'forbidden' text to evade AI analysis (Schneier on Security) — Researchers spot spyware stuffing policy-triggering 'forbidden' text in JavaScript comments to trip up AI-based analysis tools.
- White House, Anthropic discuss setting AI security rules (Bluesky (@politico.com)) — Politico reports White House talks with Anthropic have shifted to setting AI security rules after the Fable/Mythos suspension.