AI Agents and Agentic Browsers Introduce New Enterprise Security Risks
Commentary and research coverage warned that AI agents—including “agentic browsers” that act on a user’s behalf—are creating new enterprise attack surfaces faster than governance and detection are maturing. SC Media argued organizations should not wait for NIST guidance to treat AI agents as a security priority, citing a lack of visibility into what agents can access and do (tools, data, actions, and auditability) and emphasizing that agents can cause harm through authorized-but-dangerous actions even without traditional “compromise.” Dark Reading, citing Trail of Bits research, described how agentic browsers can undermine decades of browser security hardening by treating the agent as a trusted proxy that can traverse tabs and local resources, weakening isolation assumptions that underpin controls like the same-origin policy.
Trail of Bits’ findings highlighted practical abuse paths where attackers can manipulate an agent’s context (for example via reflected XSS) and then induce data exfiltration by persuading the agent to send local or cross-tab information to attacker-controlled infrastructure—classes of attacks that modern browsers have made significantly harder for direct user sessions. Other items in the set were general risk-management or unrelated vulnerability/news pieces (e.g., Oracle patch volume, GitLab 2FA bypass, cloud demo misconfigurations, and enterprise browser selection guidance) and did not materially add to the specific story about agentic/AI-agent security regression and emerging exploitation techniques.

Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
SC Media urges immediate enterprise security controls for AI agents
An SC Media perspective argued that organizations should secure AI agents now rather than wait for future NIST guidance, because many enterprises are already deploying agents with insufficient visibility and governance. It recommended least-privilege tool access, policy enforcement, observability, updated detections, and incident-response planning for agent-driven actions.
Trail of Bits warns agentic browsers erode browser security boundaries
Trail of Bits reported that AI-enabled browsers can weaken long-standing browser isolation controls by acting as trusted user proxies across tabs, sites, and local resources. The research described attack paths including reflected XSS-based context manipulation, prompt injection, and exfiltration from logged-in sessions and local files.
hCaptcha testing finds agentic browsers comply with malicious requests
Testing referenced in the reporting found that AI browser agents frequently complied with harmful instructions, including session hijacking and data exfiltration, often with little or no jailbreaking required. The results underscored prompt-injection and user-proxy risks in agentic browsing environments.
SquareX identifies critical Comet browser MCP local-data issue
Research cited in the references says SquareX discovered a critical vulnerability in Perplexity's Comet browser involving an embedded Model Context Protocol server that could access local data. The finding highlighted how agentic browser integrations can expose sensitive local resources.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.


