Agentjacking attack tricks AI coding agents into executing malicious code via fake bug reports

Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted using Sentry, an open-source error-tracking and performance-monitoring platform. "The attack exploits a critical architectural flaw at the intersection of Sentry's event ingestion (which accepts arbitrary payloads from anyone with the DSN) and the Sentry MCP server (which returns this data to AI agents as trusted system output)," security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran said. The idea is to inject crafted input into Sentry error events, which are then interpreted by coding agents like Claude Code and Cursor as legitimate diagnostic resolution steps and run attacker-controlled code. A successful attack of this kind can expose sensitive data, including environment variables, Git credentials, private repository URLs, and developer identities, without having to rely on methods like phishing or prior server compromise. The problem is rooted in the implicit trust associated with connecting to external services using Model Context Protocol (MCP). Because an AI agent is unable to distinguish between an error event generated by a real application crash or injected by an attacker, it creates a pathway to arbitrary code execution when the agent processes the response. The attack chain devised by Tenet is as follows - * An attacker finds a target's Sentry Data Source Name (DSN), a public, write-only credential that's embedded in websites. * The attacker sends a malicious error event to Sentry's ingest endpoint via a POST request using the DSN. * The injected event contains "carefully formatted markdown" in the message field and context key names. When the Sentry MCP server returns this event to an AI agent, it is rendered as structured content visually identical to the Sentry's system template. * When a developer asks their AI coding agent to "fix unresolved Sentry issues" (or a similar prompt), the agent queries Sentry via MCP and receives the malicious event. * The agent executes malicious code, which runs with the developer's full privileges. "The attacker never touches the victim's infrastructure," the researchers explained. "The malicious instruction arrives disguised as a legitimate 'Resolution' inside an ordinary error. When a developer asks their AI agent to fix the Sentry issue, the agent reads the attacker's command as trusted guidance and runs it - with the developer's own privileges, on the developer's own machine." Agentjacking stands out because it targets the AI agent a developer trusts and uses a Sentry DSN as a starting point. In addition, the markdown injection is rendered such that the agent cannot distinguish it from legitimate Sentry guidance. The AI cybersecurity company said it found at least 2,388 organizations exposed with valid injectable DSNs, and that it tested the attack in a controlled manner against over 100 organizations, achieving an 85% exploitation success rate against injected errors across some of the most widely used AI coding assistants. Sentry, for its part, has acknowledged the issue, but opted not to fix it, stating it's "technically not defensible." However, the company is said to have activated a global content filter that blocks a "specific payload string." "As enterprises race to deploy AI coding agents, this research proves the agents themselves are now the attack surface - turned against the developers who trust them, using nothing but data those organizations publish about themselves," Tenet said. "The attack bypasses EDR, WAF, IAM, VPN, Cloudflare, and firewalls - because there is nothing malicious to detect. Every action in the chain is authorized."

Agentjacking: a fake bug report hijacks AI coding agents

Researchers turned a public Sentry credential into remote code execution on developer machines. The agents ran the attacker's code even when told to ignore it, and EDR, firewalls and prompts all missed it. Security researchers have found a way to hijack AI coding agents with nothing but a fake bug report. They call it Agentjacking. It needs no malware, no stolen password, and no breach of the target. The attack, disclosed by Tenet Security, turns the coding agent into the weapon. When a developer asks the agent to fix an error, the agent runs the attacker's code instead, with the developer's own privileges, on the developer's own machine. How the Agentjacking attack works It starts with Sentry, a popular error-tracking tool. Sentry lets any app send it error reports using a public key called a DSN, which sits openly in website code by design. An attacker POSTs a fake error to that endpoint. No password is needed. The report hides a "Resolution" section with a command, formatted to look exactly like Sentry's own advice. Coding agents read Sentry through the Model Context Protocol, the standard that lets agents pull in outside tools. The agent treats the response as trusted. It cannot tell a real crash from a planted one. So when the developer says "fix the unresolved Sentry issues," the agent runs the attacker's command. The agent is the attack surface now AI coding agents have gone from autocomplete to running terminals, and the market is booming; one vibe-coding startup recently hit $500m in revenue. That power is the problem. The attack worked across the big agents. Tenet says it hijacked Claude Code, Cursor, and Codex, with an 85 per cent success rate in controlled tests. It found 2,388 organisations exposed, from a $250bn enterprise down to solo developers, and even a cloud-security vendor. The payoff for an attacker is severe. One injected error can reach environment variables, AWS keys, GitHub tokens, git credentials, and private repository URLs. From there, the path runs to CI/CD pipelines and cloud infrastructure. The scariest part is what does not catch it. The attack slips past EDR, firewalls, IAM, and VPNs, because nothing in the chain is unauthorised. Tenet calls it the "Authorised Intent Chain." Prompts do not help either. The agents ran the code even when told to ignore untrusted data. Nobody wants to own the fix Tenet told Sentry on 3 June. Sentry acknowledged the problem but declined to fix it at the root, calling it "technically not defensible." It added a filter to block one specific payload string, which treats the symptom, not the cause. That standoff is the real story. The flaw is not in Sentry alone. It is in how agents handle any outside data, so the same risk runs through support tickets, GitHub issues, and documentation. A separate test recently phished an AI email agent into leaking AWS keys. The lesson lands as enterprises rush to put agents into production. An agent wired into your tools is also a new way in. As Tenet puts it, the only place left to stop this is the moment the agent decides to act.