Cybersecurity researchers have unveiled a novel attack technique, dubbed “Agentjacking,” that subverts artificial intelligence (AI) coding agents, compelling them to execute arbitrary code on developer workstations. This groundbreaking vulnerability exploits a fundamental architectural weakness at the intersection of error tracking platforms and AI agents, potentially granting attackers unfettered access to sensitive developer information.
The Agentjacking attack leverages Sentry, a popular open-source error-tracking and performance-monitoring platform, to craft deceptive error reports. Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran, from Tenet Security, detailed how these specially crafted inputs are interpreted by AI coding assistants like Claude Code and Cursor as legitimate diagnostic procedures, leading to the execution of attacker-controlled code.
Agentjacking: A New Threat to AI Coding Assistants
The core of the Agentjacking vulnerability lies in the implicit trust AI coding agents place on data received through systems like Sentry’s Model Context Protocol (MCP). AI agents are designed to process and act upon information presented to them, and in this scenario, they cannot discern whether an error report originates from a genuine application failure or is malicious input from an adversary. This inability to distinguish legitimate from fabricated data creates a direct pathway for arbitrary code execution.
The attack unfolds through a meticulously planned chain of events. Initially, an attacker identifies a target organization’s Sentry Data Source Name (DSN). This DSN, often publicly accessible and embedded within websites, acts as a write-only credential. The attacker then leverages this DSN to post a malicious error event to Sentry’s ingestion endpoint via a POST request.
Crucially, this injected error event contains carefully formatted markdown within its message field and context key names. When the Sentry MCP server relays this event data to an AI agent, it is rendered as structured content that appears visually identical to Sentry’s legitimate system templates. Subsequent developer queries, such as asking their AI agent to “fix unresolved Sentry issues,” trigger the agent to query Sentry via MCP. Upon receiving the malicious event, the AI agent proceeds to execute the embedded, attacker-controlled code with the developer’s full privileges on their local machine.
Exploiting Trust and Implicit Permissions
The researchers highlight that the Agentjacking attack bypasses traditional security measures as the attacker never directly interacts with the victim’s infrastructure. The malicious instruction is disguised as a harmless “Resolution” within a routine error report. When a developer instructs their AI assistant to address Sentry issues, the agent interprets the attacker’s command as trusted guidance and executes it, operating under the developer’s own security permissions.
What sets Agentjacking apart is its direct targeting of AI agents that developers have come to rely upon. By using a Sentry DSN as an initial entry point, attackers exploit a common tool in the development workflow. The sophisticated markdown injection further complicates detection, making it virtually impossible for the AI agent to differentiate the malicious payload from genuine Sentry guidance.
Tenet Security reported identifying at least 2,388 organizations with vulnerable, publicly accessible DSNs. In controlled tests against over 100 organizations, the firm achieved an 85% exploitation success rate against injected errors across several widely adopted AI coding assistants. The attack’s efficacy stems from its ability to circumvent established security perimeters, including EDR, WAF, IAM, VPN, Cloudflare, and firewalls, as no inherently malicious signature exists within the data packets themselves; every step in the chain is authorized by legitimate credentials or protocols.
While Sentry has acknowledged the security concern, the company has indicated that a complete fix is “technically not defensible.” However, reports suggest Sentry has implemented a global content filter to block a specific payload string that has been identified as part of the attack vector. As enterprises increasingly integrate AI coding agents into their development pipelines, this research underscores the emergent threat landscape where the AI agents themselves are becoming a significant attack surface, vulnerable to manipulation through data the organizations themselves publicly disclose.
The ongoing adoption of AI coding agents necessitates a re-evaluation of security protocols. Future developments will likely focus on enhancing the AI agents’ ability to authenticate and validate the source and integrity of data they process, particularly from third-party services. The effectiveness of Sentry’s content filter and the subsequent development of new obfuscation techniques by attackers will be critical factors to monitor in the evolving cybersecurity battleground.