Cybersecurity experts have uncovered a novel type of cyber attack known as Agentjacking, which targets artificial intelligence (AI) coding agents to run unauthorized code on developers’ systems. This attack was identified by Tenet Security and leverages manipulated error reports generated through Sentry, an open-source error-tracking tool.
Understanding the Agentjacking Mechanism
The attack exploits a crucial flaw in the interaction between Sentry’s event ingestion system, which allows arbitrary data submissions, and the Sentry MCP server, which shares these inputs with AI agents as reliable data. Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran explained that this manipulation leads AI coding agents, such as Claude Code and Cursor, to execute malicious code.
By embedding crafted inputs in Sentry error events, attackers can trick these AI agents into considering the fake data as valid diagnostic instructions, leading to unauthorized code execution. This method can compromise sensitive information, including Git credentials and private repository URLs, without traditional phishing or server attacks.
Details of the Attack Chain
The attack initiates when an attacker discovers a target’s Sentry Data Source Name (DSN), a publicly accessible credential. The attacker then sends a malicious error event to Sentry’s ingestion endpoint, incorporating “carefully formatted markdown” to mimic legitimate system messages. When a developer instructs their AI coding agent to resolve Sentry issues, the malicious event is processed as a genuine resolution, executing harmful code with the developer’s access rights.
This attack is particularly insidious because it operates without the attacker ever compromising the victim’s infrastructure directly. The AI coding agent, trusted by developers for problem-solving, becomes a vector for executing the attacker’s commands.
Wide-Ranging Impact and Response
Agentjacking is significant due to its reliance on the trusted AI agent and Sentry DSN for propagation. Tenet Security’s research indicates that at least 2,388 organizations are vulnerable to this type of attack, with an 85% success rate in controlled tests involving popular AI coding tools.
Sentry has acknowledged the vulnerability but has chosen not to implement a direct fix, labeling it “technically not defensible.” Instead, they have activated a global content filter to block specific malicious payloads. Despite these measures, the attack remains a concern as it bypasses many traditional security defenses like EDR, WAF, and firewalls.
Tenet Security emphasizes the growing risk as enterprises rapidly deploy AI coding agents, highlighting that these tools have become a new attack surface. The attack illustrates how data published by organizations can be weaponized, underscoring the need for heightened vigilance and improved security measures in AI systems.
