A newly disclosed Agentjacking attack class can silently weaponize AI coding agents against the very developers who rely on them, requiring no phishing, no server compromise, and no user interaction beyond a developer’s normal workflow of asking their AI assistant to investigate errors.
Tenet Security’s Threat Labs developed and validated the technique, demonstrating how a single injected error event authenticated using nothing more than a public credential found in any website’s JavaScript source code can hijack AI coding agents into executing arbitrary code on developer machines.
The attack exploits a critical architectural flaw at the intersection of Sentry’s event ingestion system, which accepts arbitrary payloads from anyone holding the Data Source Name (DSN), and the Sentry MCP server, which returns that data to AI agents as trusted system output.
Sentry intentionally documents as safe to embed in frontend JavaScript, making it discoverable via JavaScript source inspection, Censys searches, or GitHub code search, without requiring a breach.
Agentjacking Attack Hijacks AI Coding Agents
Once an attacker obtains the DSN, they POST a crafted error event to Sentry’s ingest endpoint, which accepts it with an HTTP 200 response and processes it identically to a legitimate application error.
The injected payload uses carefully formatted markdown headings, code blocks, and fake ## Resolution sections that renders as content structurally identical to Sentry’s own MCP system templates.
When a developer asks their AI coding agent to fix unresolved Sentry issues, the agent queries Sentry via MCP, receives the injected event, and is unable to distinguish it from legitimate guidance, executes the attacker-controlled npx command with the developer’s full system privileges.
The impact is severe: environment variables including AWS keys, GitHub tokens, Sentry auth tokens, git credentials, private repository URLs, and developer identity are silently exfiltrated to the attacker’s server.
To prove the attack was not theoretical, Tenet Security validated it end-to-end against real-world organizations in controlled conditions. Researchers identified 2,388 organizations with exposed and injectable DSNs, 71 ranked in the Tranco top one million.
Across controlled validation waves, over 100 organizations had AI coding agents act on injected errors, including Claude Code, Cursor, and Codex, yielding an 85% exploitation success rate.
Confirmed victims spanned a Fortune 500 enterprise with a $250B+ parent company, a $2B+ hosting infrastructure provider, scientific computing firms, and early-stage startups across six continents.
Notably, even a cloud security vendor appeared among the exposed organizations, underscoring that neither a security budget nor posture alone predicts safety.
Agentjacking bypasses EDR, WAF, IAM controls, VPN, Cloudflare, and firewalls entirely because every action in the attack chain is technically authorized.
Tenet describes this as the Authorized Intent Chain: the prevailing security model is built to catch unauthorized behavior, and this attack contains none.
Prompt-layer defenses proved equally ineffective. Agents executed attacker payloads even when system prompts explicitly instructed them to disregard untrusted data, confirming the weakness is inherent to how current models process MCP tool output, not a misconfiguration that can be patched away.
Tenet disclosed the findings to Sentry on June 3, 2026. Sentry acknowledged the issue the same day but declined to address it at the root, describing the attack class as “technically not defensible” at the platform level.
The risk extends well beyond Sentry, any MCP tool integration returning externally influenced data to an AI agent creates the same vulnerability class, and the attack surface grows with every new tool that joins the AI agent ecosystem.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
