Agentjacking Attack Exploits AI Coding Agents via Error Reports

Security researchers have uncovered a novel attack vector that weaponizes AI coding assistants against the developers who rely on them. The technique exploits the trust relationship between error-monitoring platforms and AI agents to achieve code execution on developer machines.

How the attack works

Dubbed Agentjacking by Tenet Security, the attack leverages Sentry, a widely used open-source error-tracking platform, as an entry point. The vulnerability stems from an architectural weakness where Sentry accepts error reports from anyone possessing a Data Source Name (DSN)—a public, write-only credential commonly embedded in websites and applications.

Attackers craft malicious error events containing specially formatted markdown that mimics legitimate Sentry diagnostic output. When developers instruct their AI coding agents to resolve Sentry issues, the agents retrieve these poisoned events through the Model Context Protocol (MCP) and interpret the embedded instructions as trusted system guidance.

Because AI agents cannot distinguish between genuine application crashes and attacker-injected events, they execute the malicious commands with full developer privileges. The attack chain requires no phishing, no infrastructure compromise, and leaves no traditional security footprint.

Scope and effectiveness

Tenet Security identified at least 2,388 organizations with exposed, injectable DSNs. In controlled testing across more than 100 organizations, researchers achieved an 85% exploitation success rate against popular AI coding assistants including Claude Code and Cursor.

The attack can exfiltrate sensitive data such as environment variables, Git credentials, private repository URLs, and developer identities. Critically, it bypasses endpoint detection and response systems, web application firewalls, identity and access management controls, VPNs, and perimeter defenses because every action appears authorized.

Vendor response

Sentry acknowledged the issue but declined to implement a comprehensive fix, characterizing the problem as "technically not defensible." The company reportedly activated a global content filter targeting a specific payload string, though such signature-based defenses are typically easy to circumvent.

Why it matters

Agentjacking represents a fundamental shift in enterprise attack surfaces. As organizations accelerate AI agent adoption to boost developer productivity, they inadvertently create new pathways for exploitation that traditional security architectures were not designed to address. The attack demonstrates that AI agents—positioned as productivity multipliers—can become force multipliers for adversaries when they blindly trust external data sources. Organizations deploying AI coding assistants must reassess their threat models to account for agents as both assets and liabilities.

The findings were first reported by Tenet Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran.