Tenet Threat Labs has demonstrated Agentjacking, an attack technique that shows how fake Sentry error reports could trick AI coding agents into running commands on a developer’s machine. The technique abuses the way AI coding assistants process untrusted error logs from Sentry, a popular application monitoring platform.
The Attack Method
According to Tenet’s blog post, Agentjacking does not require stolen passwords or direct access to a company’s internal network. In the demonstrated attack path, an attacker could inspect a website’s public source code to find its Sentry Data Source Name (DSN), a project identifier that is often exposed by design so applications can send error reports to Sentry.
With the exposed DSN, Tenet showed that an attacker could submit a fake error report to Sentry. The report used Markdown injection to disguise attacker-controlled text inside the issue content. If a developer then asked an AI coding agent to investigate the issue through a Sentry MCP server, the agent could read the fake report as context and follow the injected instructions.
The issue is a form of instruction injection. Tenet’s proof of concept showed that an AI coding agent could treat attacker-supplied issue text as a trusted instruction. In the test, a fake “Resolution” section directed the agent to run npx @tenet-controlled-validation-package --diagnose, a controlled npm package used by the researchers for validation.
In the proof of concept, the command downloaded and ran Tenet’s controlled npm package from the public registry. The researchers said this demonstrated a path to remote code execution, since a malicious package could run with the developer’s local account permissions.
100+ Companies’ AI Agents Ran Test Code
During a validation period that ended on June 17, 2026, Tenet researchers identified 2,388 organizations with exposed Sentry DSNs. The researchers said their Agentjacking technique worked in tested environments using popular AI coding tools, including Claude Code, Cursor, and OpenAI Codex, across Windows, macOS, and automated cloud pipelines.
Tenet also warned that traditional security tools, including endpoint detection and response systems and firewalls, may struggle to catch this type of attack because the activity appears to come from trusted tools and authorized user actions.
“Every action in the chain is authorized,” Tenet wrote. “Tenet calls this the Authorized Intent Chain: the prevailing security model is built to catch unauthorized behavior, and this attack contains none.”
Tenet reported that AI assistants at more than 100 global organizations ran its controlled validation code, including one Fortune 100 technology company valued at about $250 billion. The researchers said the results showed how Agentjacking could be abused to expose developer secrets, such as AWS keys, GitHub tokens, and SSH keys, if used with a malicious package.
Timeline and Mitigation
Tenet Threat Labs said it reported the issue to Sentry on June 3, 2026. According to Tenet, Sentry responded by adding a content filter to block the specific validation text used in the proof of concept. However, Tenet said a broader platform-level fix is difficult because the root issue involves AI agents treating untrusted tool output as instructions.
To help developers reduce exposure, Tenet released a free tool called Agent-JackStop, designed to harden Cursor and Claude Code against instruction injection from untrusted data sources.
(Photo by Daniil Komov on Unsplash)
