Microsoft’s AutoJack research shows how a malicious webpage rendered by an AI browsing agent can reach local MCP services and execute arbitrary processes on the underlying system.