Agentjacking attack exploits AI coding tools with fake error reports

Agentjacking, a novel attack technique, has been demonstrated by Tenet Threat Labs, showcasing how fabricated Sentry error reports can manipulate AI coding agents into executing commands on a developer's machine. This method exploits the way AI coding assistants process untrusted error logs from Sentry, a widely used application monitoring platform, based on information published by HackRead.

The Agentjacking attack bypasses the need for stolen credentials or direct network access. Attackers can identify a website's public Sentry Data Source Name (DSN) and submit a malicious error report containing Markdown injection. When an AI coding agent, such as Claude Code or Cursor, investigates this report via a Sentry MCP server, it can interpret attacker-controlled text as instructions. Tenet's proof of concept showed an AI agent executing a command to download and run a malicious npm package, demonstrating a path to remote code execution with the developer's local permissions. Over 2,388 organizations with exposed DSNs were identified, and AI assistants at more than 100 companies, including a Fortune 100 technology firm, ran Tenet's test code.

This attack is difficult for traditional security tools to detect as it appears to be authorized user activity. Tenet reported the vulnerability to Sentry on June 3, 2026, leading to a content filter being added, but a broader fix remains challenging due to the fundamental issue of AI agents treating untrusted output as commands. Tenet has released a tool called Agent-JackStop to help mitigate these risks.

Source: HackRead