ctipilot.ch


Research: the AI agent and toolchain control plane became a concrete attack-surface class this week

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The week's single most important research synthesis is that the AI developer toolchain — gateways, agents, IDE plugins and the Model Context Protocol — stopped being a theoretical risk and accumulated a cluster of working exploit chains. Microsoft's AutoJack showed that a single malicious web page can drive host-level RCE through an AI browsing agent's local MCP WebSocket: a three-flaw chain in AutoGen Studio (origin-allowlist bypass, missing auth on /api/mcp/*, and OS command injection via StdioServerParams) lets an attacker-steered agent reach a privileged localhost socket and execute arbitrary host processes (Microsoft Security, 2026-06-18; daily 06-20).

That sits alongside the week's other AI-surface disclosures: Obsidian Security's three-CVE LiteLLM chain turning any gateway user into root (Obsidian, 2026-06-16; daily 06-16), Varonis's "SearchLeak" one-click M365 Copilot data exfiltration (CVE-2026-42824) (Varonis; daily 06-16), Unit 42's "Pickle in the Middle" cross-tenant code execution in Google Vertex AI (CVE-2026-2473) (Unit 42; daily 06-17), and 15 malicious JetBrains Marketplace plugins exfiltrating AI-provider API keys (Aikido; daily 06-18). Sophos X-Ops' underground-AI report (daily 06-19) confirms criminal interest in exactly these agent frameworks.

The defender takeaway for CH/EU public-sector teams adopting AI tooling: treat self-hosted AI gateways and agent frameworks as internet-adjacent application servers — bind MCP/agent sockets to loopback behind a host firewall, run them under low-privilege isolated accounts, never on shared or production hosts, and rotate the API keys and cloud credentials these tools concentrate.
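The loopback-binding advice above is easy to state and easy to drift from, since most gateway and agent frameworks default to listening on all interfaces. The following audit script is an added example written for this brief, not code from Microsoft, Obsidian, or any of the projects named: it parses `ss -tlnp`-style listener output and flags watched processes that are bound to anything other than a loopback address. The process names in `WATCHED_PROCESSES` and the sample `ss` lines are constructed assumptions; on real hosts these services frequently appear as `python3` or `node`, so a production check should resolve the command line behind each PID rather than trust the short name.

```python
"""Audit listening sockets for AI gateway / agent services exposed beyond loopback.

Added example (not from the CTI brief or any vendor): parses `ss -tlnp`-style
output and reports watched processes listening on a non-loopback address.
"""
import ipaddress
import re
from dataclasses import dataclass

# Process names treated as AI control-plane services.
# ASSUMPTION: illustrative names only; real deployments often show as "python3"
# or "node", so cross-check /proc/<pid>/cmdline before acting on a finding.
WATCHED_PROCESSES = frozenset({"litellm", "autogenstudio", "mcp-server"})

# Constructed sample in the shape of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8081      0.0.0.0:*         users:(("mcp-server",pid=4242,fd=5))
LISTEN 0      128    0.0.0.0:4000        0.0.0.0:*         users:(("litellm",pid=4300,fd=7))
LISTEN 0      128    *:8000              *:*               users:(("autogenstudio",pid=4311,fd=6))
LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
LISTEN 0      128    [::1]:4001          [::]:*            users:(("litellm",pid=4301,fd=8))
"""

# Extracts the first process name and PID from the ss "Process" column.
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

WILDCARDS = ("*", "0.0.0.0", "::")


@dataclass(frozen=True)
class Finding:
    process: str
    pid: int
    address: str
    port: int
    reason: str


def split_host_port(local: str) -> tuple[str, int]:
    """Split an ss local address such as '[::1]:4001' or '0.0.0.0:4000'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True only for a loopback bind; wildcards mean every interface."""
    if host in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output: str, watched=WATCHED_PROCESSES) -> list[Finding]:
    """Return one Finding per watched process that listens off-loopback."""
    findings: list[Finding] = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a listening socket.
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        match = _PROC_RE.search(line)
        if not match or match.group("name") not in watched:
            continue
        host, port = split_host_port(fields[3])
        if is_loopback(host):
            continue
        reason = ("wildcard bind (all interfaces)" if host in WILDCARDS
                  else f"bound to non-loopback address {host}")
        findings.append(Finding(match.group("name"), int(match.group("pid")),
                                host, port, reason))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"[EXPOSED] {f.process} (pid {f.pid}) on {f.address}:{f.port}: {f.reason}")
```

On the constructed sample the script reports the `litellm` instance on `0.0.0.0:4000` and the `autogenstudio` instance on `*:8000`, while the loopback-bound `mcp-server` and the IPv6 `[::1]` gateway pass. Running it from a configuration-management or cron job, with the real `ss -tlnp` output piped in, gives a cheap recurring control for the "bind to loopback" part of the takeaway; the host firewall and low-privilege service account remain separate checks.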