I woke up this morning to three security disclosures that should be setting off alarms in every boardroom and IT department.
First, Microsoft researchers published details on AutoJack on June 18, and the security community documented the parallel Agentjacking campaign at the same time. These are not theoretical vulnerabilities sitting in a research paper collecting dust. A URL planted in a browsing AI agent’s context executes arbitrary code on the host machine with no credentials required, and with no user interaction beyond the agent navigating to a malicious page. The root cause is the localhost trust assumption baked directly into agentic architectures. Most teams treat localhost as safe because it sits inside the network perimeter, but an agent that renders attacker-controlled pages brings the attacker onto the loopback interface, and in an AI agent world that assumption is now lethal. Initial exploit targets included the AutoGen Studio MCP WebSocket endpoint, reached through malicious web page rendering. Every framework that lets agents browse, click links, or render HTML is potentially exposed.
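Two checks close the gap just described, one on each side of the loopback trust boundary: an egress policy for the agent's browse/fetch tool that refuses to navigate to loopback, link-local, or private addresses (including the encoded forms attackers use to slip past naive string matching), and an Origin-plus-token gate for a local control endpoint so that a page the agent renders cannot drive it merely because both live on 127.0.0.1. This is added example code, not Microsoft's write-up, AutoGen Studio's code, or any MCP implementation; the UI origin, the token, and the sample URLs are constructed.

```python
"""Loopback trust checks for a browsing agent (hypothetical example code)."""
import hmac
import ipaddress
import socket
from urllib.parse import urlparse

# Names that resolve to the local machine regardless of DNS (assumed list).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "0.0.0.0"}


def _literal_ip(host: str):
    """Parse numeric hosts in every form a browser accepts: dotted quad, IPv6,
    bare decimal (2130706433), hex (0x7f000001) and shorthand (127.1)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))          # decimal / hex integer
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))  # inet_aton takes 127.1
    except OSError:
        return None


def agent_may_navigate(url: str) -> tuple[bool, str]:
    """Egress policy for the agent's browse/fetch tool.

    Allows only plain http(s) to public addresses. Non-numeric hostnames are
    checked by name here; a deployment must also resolve them and re-check the
    resolved address at connect time, or DNS rebinding reopens the hole.
    """
    try:
        u = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if u.scheme not in ("http", "https"):
        return False, f"scheme {u.scheme!r} not allowed"
    host = (u.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if host in LOCAL_NAMES or host.endswith(".localhost"):
        return False, "local hostname"
    ip = _literal_ip(host)
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                              # ::ffff:127.0.0.1
        if (ip.is_loopback or ip.is_link_local or ip.is_private
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved):
            return False, f"non-public address {ip}"
    return True, "ok"


# Assumed values for the legitimate local UI and its per-session secret.
AGENT_UI_ORIGIN = "http://127.0.0.1:8081"
CONTROL_TOKEN = "constructed-example-token"


def local_endpoint_accepts(headers: dict[str, str]) -> tuple[bool, str]:
    """Gate for a loopback WebSocket/HTTP control endpoint (e.g. a local MCP
    bridge). Listening on 127.0.0.1 is not authentication: any page the agent
    renders runs in a browser that can open connections to loopback. Require an
    Origin equal to the UI allowed to drive the endpoint and a bearer token the
    page cannot know."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin != AGENT_UI_ORIGIN:
        return False, f"origin {origin!r} not allowed"
    auth = h.get("authorization", "")
    if not (auth.startswith("Bearer ")
            and hmac.compare_digest(auth[len("Bearer "):], CONTROL_TOKEN)):
        return False, "missing or wrong token"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://example.com/", "http://localhost:8081/", "http://127.1/",
              "http://[::ffff:127.0.0.1]/", "http://0x7f000001/",
              "http://169.254.169.254/latest/meta-data/"):
        print(u, agent_may_navigate(u))
    # Constructed handshake from a malicious page the agent rendered.
    print(local_endpoint_accepts({"Origin": "https://evil.example",
                                  "Authorization": "Bearer " + CONTROL_TOKEN}))
```

The egress filter belongs in the tool the agent calls, not in a prompt: the agent can be talked out of a rule, the tool cannot. The endpoint gate is the other half; even with a perfect filter, a local service that trusts every loopback connection is one rendered page away from being driven by an attacker.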
The second story is FortiBleed. A Russian-speaking threat group leaked 86,644 FortiGate VPN credentials to the dark web as of June 19. That is not a typo: eighty-six thousand six hundred and forty-four credential sets, from devices worldwide. Sixty-three percent came from default or built-in Fortinet system accounts that should have been disabled years ago. Thirty-five percent were generic, shared admin logins, which leave no way to tie an action to a person during a forensic investigation. Chevron, Samsung, AT&T, and Toyota are named in the dataset, confirming critical infrastructure exposure. CISA has already issued an advisory mandating immediate remediation for federal agencies. The fix is boring but essential: audit every FortiGate admin account, rotate all credentials, disable unused built-in system accounts, restrict admin access to trusted hosts, and require multi-factor authentication on every VPN gateway. If you still have default passwords on any internet-facing system, assume it is already compromised.
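The audit step above is mechanical enough to script. The following added example (not Fortinet's code and not from the disclosure) parses the `config system admin` block of a FortiGate configuration backup and flags the conditions FortiBleed exploited: well-known account names, no two-factor authentication, no trusted-host restriction, and the `super_admin` profile. The sample configuration is constructed; the setting names (`two-factor`, `trusthost1..10`, `accprofile`) follow FortiOS CLI syntax, and the list of default names is an assumption to be checked against the FortiOS version you run.

```python
"""Audit FortiGate admin accounts from a config backup (hypothetical example)."""
import re

# Constructed sample in FortiOS CLI backup syntax.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
    edit "backup_operator"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set trusthost1 10.20.0.0 255.255.255.0
        config gui-dashboard
        end
        set password ENC XXXX
    next
    edit "auditor"
        set accprofile "prof_admin"
        set vdom "root"
        set two-factor disable
        set password ENC XXXX
    next
end
config system global
    set admin-sport 443
end
"""

# Assumed list of well-known/built-in names to rename or disable.
DEFAULT_NAMES = {"admin", "maintainer"}

EDIT_RE = re.compile(r'^edit "([^"]*)"$')
SET_RE = re.compile(r"^set (\S+) (.+)$")


def parse_admins(config_text: str) -> dict[str, dict[str, str]]:
    """Return {admin_name: {setting: value}} from `config system admin`,
    skipping nested sub-tables (config ... end) inside an entry."""
    admins: dict[str, dict[str, str]] = {}
    depth = 0          # 0 = outside the block, 1 = inside, >1 = nested table
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system admin":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                break
            continue
        if depth != 1:
            continue
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            admins[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            admins[current][m.group(1)] = m.group(2).strip('"')
    return admins


def audit_admins(admins: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Return {name: [findings]}; an empty list means the account passed."""
    findings = {}
    for name, s in admins.items():
        issues = []
        if name.lower() in DEFAULT_NAMES:
            issues.append("default/built-in account name; rename or disable")
        # FortiOS omits settings at their default; two-factor defaults to disable.
        if s.get("two-factor", "disable") == "disable":
            issues.append("no two-factor authentication")
        if not any(k.startswith("trusthost") for k in s):
            issues.append("no trusthost restriction (logins accepted from any source)")
        if s.get("accprofile") == "super_admin":
            issues.append("super_admin profile; confirm least privilege")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_admins(parse_admins(SAMPLE_CONFIG)).items():
        print(name, "->", issues or ["ok"])
```

Run it against every backup in your config repository, not just the one device you remember; the leak's 63 percent share of built-in accounts is exactly the population nobody was looking at.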
Third, LLMjacking has evolved from a cost-drain nuisance into active offensive infrastructure. Sysdig research released June 17 confirmed that stolen AI compute is now powering fully autonomous penetration testing frameworks, with no human in the loop. Misconfigured, internet-exposed Ollama model servers are weaponized as the attacker’s decision engine. The attack chain is efficient to an unsettling degree: service fingerprinting, vulnerability matching, web reconnaissance, proof-of-concept exploit generation, SQL injection crafting, and privilege escalation, all automated and all run on stolen GPU time. Self-hosted AI inference endpoints running Ollama, LocalAI, or vLLM are now potential command-and-control infrastructure. Treat them with the rigor you would apply to any system an attacker could turn into a C2 server: keep them off the internet, authenticate every request, and log who calls them.
On the policy side, the White House issued NSPM-12 and CISA released BOD 26-04 in June 2026. These represent the first comprehensive federal AI security architecture directives since the revocation of EO 14110. Federal contractors, cloud providers, and critical infrastructure operators have 30 to 90 days to comply. The cascading effect will reach every enterprise that touches government data or systems.
What does this mean for your business? Here are three practical steps you can take this week.
Audit every AI agent deployment today. If an agent can browse the web, run code, or interact with MCP servers, enforce sandboxing, network isolation, and process separation immediately. Default credentials on any internet-facing system are no longer acceptable; rotate them now. And if you run self-hosted inference with Ollama, LocalAI, or vLLM, put it behind zero-trust controls before the weekend.
The attackers are already using AI autonomously. Your defenses need to catch up.
Autonomous AI agents are the new perimeter, and most organizations haven’t drawn the fence yet. The gap between attacker automation and defender response is widening by the day.
