Agentjacking: a fraudulent bug report takes control of AI coding agents.

      Security researchers have discovered a method to exploit AI coding agents using just a false bug report, a tactic they refer to as Agentjacking. This approach requires neither malware, nor stolen passwords, nor any breach of the target system.

      Disclosed by Tenet Security, this attack utilizes the coding agent as a weapon. When a developer instructs the agent to correct an error, the agent executes the attacker's code instead, utilizing the developer's own permissions on their machine.

      How the Agentjacking attack functions

      The attack begins with Sentry, a widely-used error-tracking tool. Sentry allows any application to send error reports via a public key known as a DSN, which is intentionally exposed in the website’s source code.

      An attacker can send a false error report to that endpoint without needing a password. The report conceals a “Resolution” section containing a command, designed to resemble Sentry’s own recommendations.

      Coding agents access Sentry through the Model Context Protocol, which enables agents to incorporate external tools. The agent considers the response to be trustworthy and cannot differentiate between a genuine error and a fabricated one. Thus, when a developer requests to "fix the unresolved Sentry issues," the agent executes the command from the attacker.

      The agent becomes the attack surface

      AI coding agents have evolved from simple autocompletion to operating terminals, leading to a flourishing market; one innovative coding startup recently achieved $500 million in revenue. This capability presents a significant challenge.

      The attack was effective across major coding agents. Tenet reports successfully hijacking Claude Code, Cursor, and Codex with an 85 percent success rate in controlled experiments. They discovered 2,388 organizations vulnerable, ranging from a $250 billion enterprise to individual developers, including a cloud-security provider.

      The risk for an attacker is substantial. A single injected error can access environment variables, AWS keys, GitHub tokens, git credentials, and private repository URLs. This can lead directly to CI/CD pipelines and cloud infrastructure.

      The most alarming aspect is what goes undetected. The attack evades EDR systems, firewalls, IAM, and VPNs, as nothing in the process is deemed unauthorized. Tenet has termed this the “Authorized Intent Chain.” Additionally, prompts do not prevent the agents from executing the code even when instructed to disregard untrusted data.

      No one wants to take responsibility for a solution

      Tenet informed Sentry on June 3. Sentry recognized the issue but declined to address it fundamentally, stating it was “technically not defensible.” Instead, they implemented a filter to block one specific payload string, which addresses the symptom rather than the underlying cause.

      This impasse is the critical point. The flaw is not solely with Sentry; it lies in how agents manage any external data, meaning the same risk applies to support tickets, GitHub issues, and documentation. A separate experiment recently succeeded in phishing an AI email agent into disclosing AWS keys.

      The takeaway is significant as companies hurriedly integrate agents into their operations. An agent that is connected to your tools also presents a new entry point for attacks. As Tenet notes, the only point left to intercept this is right before the agent decides to act.