News

At 3 a.m. during a red team exercise, we watched customer’s autonomous web agent cheerfully leak the CTO’s credentials - because a single malicious div tag on internal github issue page told it to. The agent ran on Browser Use, the open source framework that just collected a headline-grabbing $17 million seed round.

That 90-second proof-of-concept illustrates a larger threat: while venture money races to make large-language-model (LLM) agents “click” faster, their social, organizational, and technical trust boundaries remain an afterthought. Autonomous browsing agents now schedule travel, reconcile invoices, and read private inboxes, yet the industry treats security as a feature patch, not a design premise.

Our argument is simple: agentic systems that interpret and act on live web content must adopt a security-first architecture before their adoption outpaces our ability to contain failure.

Browser Use sits at the center of today’s agent explosion. In just a few months it has acquired more than 60,000 GitHub stars and a $17 million seed round led by Felicis with participation from Paul Graham and others, positioning itself as the “middleware layer” between LLMs and the live web.

Similar toolkits - HyperAgent, SurfGPT, AgentLoom - are shipping weekly plug-ins that promise friction-free automation of everything from expense approval to source-code review. Market researchers already count 82 % of large companies running at least one AI agent in production workflows and forecast 1.3 billion enterprise agent users by 2028.

But the same openness that fuels innovation also exposes a significant attack surface: DOM parsing, prompt templates, headless browsers, third-party APIs, and real-time user data intersect in unpredictable ways.

Our new study, "The Hidden Dangers of Browsing AI Agents" offers the first end-to-end threat model for browsing agents and provides actionable guidance for securing their deployment in real-world environments.

To address discovered threats, we propose a defense in depth strategy incorporating input sanitization, planner executor isolation, formal analyzers, and session safeguards. These measures protect against both initial access and post exploitation attack vectors.

Through white-box analysis of Browser Use, we demonstrate how untrusted web content can hijack agent behavior and lead to critical cybersecurity breaches. Our findings include prompt injection, domain validation bypass, and credential exfiltration, evidenced by a disclosed CVE and a working proof of concept exploit - all without tripping today’s LLM safety filters.

Among the findings:

1. Prompt-injection pivoting. A single off-screen element injected a “system” instruction that forced the agent to email its session storage to an attacker.

2. Domain-validation bypass. Browser Use’s heuristic URL checker failed on unicode homographs, letting adversaries smuggle commands from look-alike domains.

3. Silent lateral movement. Once an agent has the user’s cookies, it can impersonate them across any connected SaaS property, blending into legitimate automation logs.

These aren’t theoretical edge cases; they are inherent consequences of giving an LLM permission to act rather than merely answer, which acts a root cause for the outlined exploit above. Once that line is crossed, every byte of input (visible or hidden) becomes potential initial access payload.

To be sure, open source visibility and red team disclosure accelerate fixes - Browser Use shipped a patch within days of our CVE report. And defenders can already sandbox agents, sanitize inputs, and restrict tool scopes. But those mitigations are optional add-ons, whereas the threat is systemic. Relying on post-hoc hardening mimics the early browser wars, when security followed functionality, and drive-by downloads became the norm.

Governments are beginning to notice the architectural problem. The NIST AI Risk-Management Framework urges organizations to weigh privacy, safety and societal impact as first-class engineering requirements. Europe’s AI Act introduces transparency, technical-documentation and post-market monitoring duties for providers of general-purpose models rules that will almost certainly cover agent frameworks such as Browser Use.

Across the Atlantic, the U.S. SEC’s 2023 cyber-risk disclosure rule expects public companies to reveal material security incidents quickly and to detail risk-management practices annually. Analysts already advise Fortune 500 boards to treat AI-powered automation as a headline cyber-risk in upcoming 10-K filings. Reuters: “When an autonomous agent leaks credentials, executives will have scant wiggle room to argue that the breach was “immaterial.”

Investors funneling eight-figure sums into agentic start-ups must now reserve an equal share of runway for threat-modeling, formal verification, and continuous adversarial evaluation. Enterprises piloting these tools should require:

Isolation by default. Agents should separate planner, executor and credential oracle into mutually distrustful processes, talking only via signed, size-bounded protobuf messages.

Differential output binding. Borrow from safety-critical engineering: require a human co-signature for any sensitive action.

Continuous red-team pipelines. Make adversarial HTML and jailbreak prompts part of CI/CD. If the model fails a single test, block release.

Societal SBOMs. Beyond software bills of materials, vendors should publish security-impact surfaces: exactly which data, roles and rights an attacker gains if the agent tips. This aligns with the AI-RMF’s call for transparency regarding individual and societal risks.

Regulatory stress tests. Critical-infrastructure deployments should pass third-party red-team exams whose high-level findings are public, mirroring banking stress-tests and reinforcing EU and U.S. disclosure regimes.

The web did not start secure and grow convenient; it started convenient, and we are still paying the security debt. Let us not rehearse that history with autonomous browsing agents. Imagine past cyber incidents multiplied by autonomous agents that work at machine speed and hold persistent credentials for every SaaS tool, CI/CD pipeline, and IoT sensor in an enterprise. The next “invisible div tag” could do more than leak a password: it could rewrite PLC set-points at a water-treatment plant, misroute 911 calls, or bulk-download the pension records of an entire state.

If the next $17 million goes to demo reels instead of hardened boundaries, the 3 a.m. secret you lose might not just embarrass a CTO - it might open the sluice gate to poison supplies, stall fuel deliveries, or crash emergency-dispatch consoles. That risk is no longer theoretical; it is actuarial, regulatory, and, ultimately, personal for every investor, engineer, and policy-maker in the loop.

Security first or failure by default for agentic AI is therefore not a philosophical debate; it is a deadline. Either we front-load the cost of trust now, or we will pay many times over when the first agent-driven breach jumps the gap from the browser to the real world.

We feature the best AI chatbot for business.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

• Stranger Things season 5's multiple release dates have been revealed
• It'll arrive in three parts between late November and New Year's Eve/New Year's Day
• Netflix is hoping it'll be the biggest festive TV hit of 2025

Good news, everyone! Stranger Things season 5's release date has finally been revealed. Unfortunately, you'll have to tweak your 2025 holiday season plans if you want to stream it as soon as it arrives.

We already knew that Stranger Things 5 was set to be released in 2025 and, according to a major online leak, it was suggested that Stranger Things' final season would arrive this November. Well, that turned out to be partly true.

Announced towards the end of Netflix Tudum 2025, the smash hit show's final season will launch on the world's best streaming service in not one, not two, but three parts. That's the first time that Netflix has chosen to release a new series, or the latest season of one of its TV Originals, on three separate dates.

A post shared by Stranger Things Netflix (@strangerthingstv)

A photo posted by on

As the above Instagram post confirms, Stranger Things season 5 volume 1 will air on November 26 at 5pm PT / 8pm ET in the US. That's the first of three US holidays that the incredibly popular Netflix series' final chapter will land on too – indeed, Thanksgiving 2025 in the US will take place on November 27. Clearly, Netflix is hoping volume 1, which comprises four episodes, will be the most-watched TV show over US Thanksgiving weekend.

That's not the only major holiday Netflix is targeting, though. Volume 2 of Stranger Things 5, which contains three episodes, will debut on Christmas Day (aka December 25) at 5pm PT / 8pm ET in the US. Lastly, the final-ever episode (aka volume 3) of Stranger Things will hit the service on New Year's Eve (December 31) in the US at the same time that season 5's other installments are due to be released.

I fully understand why Netflix is dropping new episodes in this way. The streaming titan wants the final season of one of its most successful series to dominate the TV landscape. It makes sense, then, to release the forthcoming season's eight episodes, all of which are movie-length according to Stranger Things star Maya Hawke, at a time when people will have plenty of downtime over the festive season.

The problem I have with this release format, though, is that it's going to turn many people's festive plans *ahem* upside down.

Take me, for instance. I live in the UK and, considering the eight hour time difference between the US' Pacific Time Zone and the UK's, new installments of Stranger Things 5 won't land on the platform until 1am GMT.

That means myself and many other British fans will have a very late night if we stay up to watch new episodes as soon as they arrive. If we don't, we face the prospect of having to avoid major spoilers online or from family/friends who might have seen the latest episodes before us.

The same is true of fans in other European nations, the Middle East, Asia, and countries like Australia and New Zealand.

Stranger Things season 5's finale might air in the US at 5pm PT / 8pm ET on December 31, so American viewers have the chance to stream it before they welcome in 2026. Many of us won't have that opportunity, though. Do we cut short our New Year's Eve plans with family and/or friends to head home and stream it straight away to avoid spoilers? Or do we ring in 2026, stay off social media until we watch it, and then stream one of the best Netflix shows' last-ever episode, potentially with an almighty hangover?

I get that the world's various time zones mean that somebody is going to unhappy about staying up late or getting up early if they want to watch their favorite show's new season ASAP. Nevertheless, season 5's release structure, coupled with the unusual times that new episodes will air – Netflix usually releases new shows and/or seasons at 12am PT – is a, well, strange thing to do. I guess I'll be staying off social media (and the booze!) over the Christmas holidays until I find the time to stream season 5's final four episodes.

• Netflix wants to turn Saturday morning cartoons upside down with a new animated Stranger Things spin-off
• Stranger Things season 5's 12-month shoot yielded 650-plus hours of footage for its eight 'blockbuster movie' episodes
• Marvel reportedly casts Stranger Things star Sadie Sink in Spider-Man 4, but I don't want her to tackle the roles she's rumored to play

• The UK Government is investing in cyber defences and capabilities
• £1 billion investment includes a new Cyber and Electromagnetic Command
• “Digital Targeting Web” looks to bolster cyber defences and national security

The UK Government has announced plans to invest over £1 billion into a new pioneering “Digital Targeting Web” to bolster cyber defences and national security.

Alongside this, a new Cyber and Electromagnetic Command will aim to ”put the UK at the forefront of cyber operations,” with enhanced targeting capabilities and digital defences.

The investments will look to “spearhead battlefield engagements” by applying lessons learnt from Ukraine to the UK’s weapons systems, enabling faster and more accurate battlefield decisions and better connected military weapons systems.

Cybersecurity and defence is a key priority for this administration, with Prime Minister Kier Starmer committing to an increase in defence spending to 2.5% of GDP, “recognising the critical importance of military readiness in an era of heightened global uncertainty.”

In 2024, the UK announced the establishment of a laboratory dedicated to security research, and invited its allies to collaborate to combat the “new AI arms race” - investing millions into improving cybersecurity capabilities.

The new Command wants to give the British military the upper hand in the race for military advantage by degrading command and control, jamming signals to missiles or drones, and intercepting enemy communications, for example.

The Government warns that cyberattacks are threatening the foundations of the economy and daily life, and with critical infrastructure sustaining 13 cyberattacks per second, the dangers are certainly apparent.

“The hard-fought lessons from Putin’s illegal war in Ukraine leave us under no illusions that future conflicts will be won through forces that are better connected, better equipped and innovating faster than their adversaries,” warns Defence Secretary John Healey.

“We will give our Armed Forces the ability to act at speeds never seen before - connecting ships, aircraft, tanks and operators so they can share vital information instantly and strike further and faster.”

• Take a look at our picks for the best malware removal software around
• Check out our choice for AI tools
• Can the UK be a big data leader in the military?