You already do the hard part of this. You authenticate your production APIs. You treat anything from the public internet as hostile until proven otherwise. And after a year of prompt-injection write-ups, you already assume an agent can be steered by the text it reads.

There is one spot almost everyone exempts from those rules: localhost. The service bound to loopback gets a pass, because for twenty years "it only listens on localhost" meant "an outsider cannot reach it." Microsoft's AutoJack research, published June 18, is the moment that exemption stops being safe. Not because the rules changed, but because your agent quietly moved localhost onto the public internet. This is not a new threat model to learn. It is the one you already run, extended by one step to a place you used to be able to skip.
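One concrete way to apply that extended rule, as an added example that is not from this newsletter or from Microsoft's research: an egress guard for an agent's outbound HTTP/WebSocket tool calls that treats loopback, link-local and private destinations as hostile unless they are explicitly allow-listed, the same policy you would already apply to a public-facing proxy. The allow-list entry, the `resolver` parameter and all URLs are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example: the one loopback service this agent is permitted to reach.
ALLOWED_LOCAL = {("127.0.0.1", 8081)}
DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}


def _is_internal(ip) -> bool:
    """True for any address an outsider should not be able to reach through us."""
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:127.0.0.1 style addresses
    if mapped is not None:
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def classify_target(url: str, resolver=socket.getaddrinfo) -> str:
    """Decide whether an agent tool may open `url`.

    Returns 'allow', 'deny-scheme', 'deny-unresolvable' or 'deny-internal'.
    `resolver` is injectable (hypothetical parameter) so the check can run offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return "deny-scheme"
    host = parts.hostname
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return "deny-unresolvable"
    if host is None:
        return "deny-unresolvable"
    try:
        addrs = [ipaddress.ip_address(host)]        # literal IP, no DNS involved
    except ValueError:
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return "deny-unresolvable"
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    # Every resolved address must pass. A name that resolves to a public address
    # and a loopback address at the same time is rejected outright, so the
    # agent cannot be steered into reaching a local service through a DNS name.
    for ip in addrs:
        if _is_internal(ip) and (str(ip), port) not in ALLOWED_LOCAL:
            return "deny-internal"
    return "allow"
```

Wire `classify_target` in front of every network-capable tool the agent exposes; the decision is made per call, so the allow-list stays the only way a local service becomes reachable.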

New here? Securing the Agentic Stack is a weekly operator read on where AI and security collide, mapped to one stable six-layer model. Start with the foundation, linked at the end of this issue.

What Microsoft actually found

AutoJack chained three weaknesses in a development build of AutoGen Studio's MCP WebSocket surface. Strip it to the bone and it is three trusted assumptions failing in a row.