A newly uncovered class of attack, referred to as “Agentjacking,” has emerged, capable of weaponizing AI coding agents against their own developers. Unlike traditional cyber attacks that often involve phishing, server compromises, or malicious user interactions, this attack operates quietly within the parameters of a developer’s workflow. The attack takes root when developers engage their AI assistants to investigate and rectify coding errors.
The technique was developed and validated by researchers at Tenet Security’s Threat Labs. They revealed that an attacker can hijack AI coding agents simply by injecting a single erroneous event using a public credential easily retrievable from a website’s JavaScript source code. This method allows hackers to gain control over developer machines and execute potentially harmful code.
At the core of this attack is a significant architectural vulnerability within Sentry’s event ingestion system. This system accepts arbitrary error payloads from anyone who has access to the Data Source Name (DSN). The system, in turn, communicates this data back to AI agents, presenting it as trusted system output. Sentry has intentionally documented this process to create the perception of safety, encouraging developers to embed it within frontend JavaScript. Consequently, the DSN becomes discoverable through routine JavaScript source inspections, Censys searches, or on platforms like GitHub, bypassing the necessity for any actual security breach.
When an attacker gains access to the DSN, they can POST a crafted error event to Sentry’s ingestion endpoint, which responds positively with an HTTP 200 status code. This response indicates that the event is processed similarly to a legitimate application error. The payload utilized by the attacker is skillfully designed, featuring markdown headers, code blocks, and fabricated “## Resolution” sections that mimic Sentry’s own templates. This clever disguise makes it difficult for developers to discern the injected error from legitimate ones.
Upon querying Sentry for unresolved issues, the AI coding agent receives this crafted error. Unable to differentiate between the genuine information and the malicious injection, the AI executes the attacker’s commandeered commands, operating with the full privileges of the developer’s system. This leads to severe security implications, as critical environment variables, including AWS keys, GitHub tokens, Sentry authentication tokens, and Git credentials, are stealthily exfiltrated to the attacker’s server.
Tenet Security conducted rigorous testing to validate the realism of this attack by examining various real-world organizations under controlled conditions. They discovered that 2,388 organizations had exposed and injectable DSNs, including 71 that ranked among the top million on Tranco—a website that rates web services based on performance and reliability. More alarmingly, more than 100 organizations had their AI coding agents manipulated into responding to these salted errors, including prominent tools like Claude Code, Cursor, and Codex. The findings revealed an astonishing 85% success rate in exploitation.
Confirmed victims of this attack span a diverse range of organizations, including a Fortune 500 enterprise with a parent company valued over $250 billion, a hosting infrastructure provider worth more than $2 billion, scientific computing firms, and early-stage startups distributed across six continents. The portfolio of exposed entities even included cloud security vendors, illustrating that merely having a robust security budget or posture does not guarantee immunity from such sophisticated threats.
The nature of the Agentjacking attack allows it to bypass a wide array of defenses, including Endpoint Detection and Response (EDR) systems, Web Application Firewalls (WAF), Identity and Access Management (IAM) controls, and traditional firewalls. Each action taken during the attack process is technically authorized, emphasizing the need for a re-evaluation of security models that primarily focus on catching unauthorized behaviors.
Tenet Security introduced the term “Authorized Intent Chain” to describe the way this attack operates. Current security frameworks tend to overlook authorized activities, leading to gaps that attackers can exploit. This exploitation is compounded by recent tests revealing that prompt-layer defenses within coding agents were ineffective; agents proceeded with executing harmful payloads even when explicitly told to disregard untrusted data.
On June 3, 2026, Tenet disclosed their findings to Sentry, who acknowledged the vulnerability on the same day but stated it would not address the fundamental issue, declaring the attack class “technically not defensible” at the platform level. This decision highlights an alarming trend: the risks associated with Agentjacking extend far beyond Sentry, revealing a broader vulnerability for any Multi-Channel Processing (MCP) tool integration that feeds externally influenced data into AI agents. As the AI ecosystem continues to grow with the integration of new tools, the potential attack surface expands, heightening the urgency for robust defense strategies against such insidious threats.