New “Agentjacking” attack that hijacks AI coding agents and silently executes attacker-controlled code on developer machines using nothing more than a single injected Sentry error.
The technique turns trusted AI assistants like Claude Code and Cursor into an execution layer for malicious commands, without phishing, malware delivery, or any breach of the victim’s infrastructure.
In this attack, the entry point is Sentry’s public Data Source Name (DSN). This write-only credential is routinely embedded in frontend JavaScript and indexed across the web.
Tenet’s researchers used passive reconnaissance methods, including JavaScript inspection, Censys searches, CDN loader analysis, and code search, to identify 2,388 organizations with injectable DSNs, including 71 in the Tranco top-1M.
With only the DSN, an attacker can submit arbitrary error events to Sentry’s ingest API, controlling fields such as messages, tags, context, extra data, breadcrumbs, user information, stack traces, and fingerprints.
Sentry accepts these forged events as legitimate application errors, allowing attackers to inject fully controlled content into monitoring workflows.
The core architectural flaw sits at the junction of Sentry’s event ingestion pipeline and its Model Context Protocol (MCP) integration, which feeds error data back to AI coding agents as trusted system output.
Agentjacking Attack Hijacks AI Coding Agents
Attackers can embed carefully crafted Markdown into injected errors, particularly within message and context fields, to influence how content is displayed to AI agents.
The content can appear as a legitimate Sentry “Resolution” section with headings, code blocks, and tables, making it indistinguishable from genuine remediation guidance.
When a developer asks their agent to “fix unresolved Sentry issues,” the AI queries Sentry via MCP, retrieves the crafted event, and interprets the attacker’s command as legitimate diagnostic steps, not as untrusted input.
Tenet’s proof-of-concept payload directed agents to execute an npx command that pulled a controlled validation package from the public npm registry and ran it with the developer’s full local privileges.
In their controlled campaign, this package confirmed the presence of sensitive material by probing environment variables, checking the sizes of configuration files such as ~/.aws/config and ~/.docker/config.json, and inspecting network interfaces.
Then sending scoped exposure metadata tightly back to a Tenet beacon server under explicit “ResponsibleDisclosure [SECURITY SCAN]” headers.
Tenet reports more than 100 confirmed cases of real-agent execution across a Fortune 500 cloud enterprise, a multi-billion-dollar hosting provider, scientific software firms, startups, and individual developers.
The attacks achieved an overall success rate of about 85% across leading AI coding agents. What makes Agentjacking particularly dangerous is that every step in the chain is authorized and looks benign to traditional defenses.
Sentry is used as designed, DSNs are public by policy, the npm package is fetched over standard channels, and the AI agent executes commands as part of its normal assistance workflow.
Endpoint detection, WAFs, IAM policies, and firewalls detect no obvious policy violations because the observable behavior matches a developer-approved tool running approved commands on a trusted observability platform.
Tenet describes this as an “Authorized Intent Chain,” arguing that current security models, which focus on blocking unauthorized actions or malicious binaries, lack effective visibility into attacks that operate solely through trusted context and legitimate tool output.
The research also underscores that this is not a single-vendor bug but a systemic AI-agent problem.
Any MCP integration that returns externally influenced data to agents carries a similar risk, as the data may contain hidden instructions controlled by attackers.
Current AI models cannot reliably distinguish descriptive data from embedded instructions, especially when those instructions appear in seemingly trusted logs, metrics, or error messages.
Tenet disclosed its findings to Sentry on June 3, 2026; Sentry acknowledged the issue and introduced a global content filter for a specific payload string.
Reportedly characterized the underlying class of attack as “not technically defensible” at the ingestion layer, instead pointing to model-side middleware as a mitigation.
For defenders, the Agentjacking work signals a new era in AI supply chain risk, where the AI agent itself becomes the primary attack surface.
Security teams need to reassess which tools their AI agents interact with and whether those tools accept untrusted or anonymous input.
What runtime controls are in place to prevent injected content from automatically translating into code execution on developer endpoints.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
