New 'Agentjacking' Attack Technique Hijacks AI Coding Agents via Sentry Error Events
Tenet Security researchers have disclosed 'agentjacking,' a novel attack that exploits AI coding agents' trust in Sentry error data to execute arbitrary code on developer machines.

Tenet Security researchers have disclosed a new class of attack called 'agentjacking' that targets AI coding agents by exploiting their implicit trust in data from the Sentry application performance monitoring tool. The technique allows attackers to inject malicious commands into Sentry error events, which AI agents then read and execute as if they were legitimate remediation guidance. This poses a significant risk to developers and organizations relying on AI-assisted coding tools, as it could lead to unauthorized code execution and supply-chain compromises.
The attack works by exploiting Sentry's Data Source Name (DSN), a public, write-only credential that Sentry documents as safe to embed in frontend JavaScript. An attacker can find a target's Sentry DSN and send a malicious error event to Sentry's ingest endpoint via a simple POST request, requiring no authentication beyond the DSN. The injected event contains carefully formatted markdown in the message field and context key names, which, when returned to an AI agent via the Sentry MCP server, is rendered as structured content visually identical to Sentry's own system template.
When a developer asks their AI coding agent to 'fix unresolved Sentry issues' or similar, the agent queries Sentry via MCP and receives the malicious event. Unable to distinguish it from legitimate guidance, the agent executes the code with the developer's full privileges. Tenet Security explained that 'the danger lies in this implicit trust. When an AI agent queries Sentry for unresolved errors, it receives the response and acts on it – just as a developer would. But unlike a developer, the agent cannot verify whether an error event was generated by a real application crash or injected by an attacker.'
The researchers validated the technique by confirming exploitability against over 100 real-world targets, achieving an 85% success rate across the most popular agents on the market, including Claude Code, Cursor, and Codex. They also found at least 2,388 organizations exposed with valid injectable DSNs. A single malicious instruction could be crafted to steal CI/CD pipeline credentials, access private source code repositories, compromise cloud infrastructure, and establish persistent access.
The attack bypasses existing security tools like EDR and web app firewalls because there is nothing malicious to detect. Agents executed the payload even when prompted to ignore untrusted data. Tenet noted that agentjacking is particularly dangerous because no phishing is required, and Sentry's DSN is intentionally public and embedded in frontend JavaScript. Once a payload is crafted, it could be injected into thousands of projects simultaneously.
'While AI coding agents are transforming software development, their implicit trust in MCP tool responses creates a critical new attack surface,' the report concluded. 'The convenience of an AI assistant connected to your observability platform comes with the risk of that assistant being weaponized against you.' Tenet urged security leaders to evaluate which tools their AI agents connect to, whether those tools return untrusted data, and what controls exist to prevent injected data from triggering code execution.
This disclosure follows a series of recent findings highlighting the security risks of AI coding agents, including vulnerabilities in Anthropic's Claude Code GitHub Action and the Cline Kanban flaw that allowed websites to hijack AI coding agents. The agentjacking technique underscores the growing need for security measures that address the unique attack surface introduced by AI agents' ability to autonomously interact with external tools and data sources.
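
One control of the kind Tenet urges is to treat Sentry MCP responses as untrusted input before the agent sees them. The following Python is an added example, not code from Tenet or Sentry: it scans the two fields the article names (the message and the context key names) for markdown structure and holds flagged events for human review instead of forwarding them. The event shape, the rule set and all function names are assumptions, and the heuristic is one layer of defense rather than a complete one.

```python
import re

# Markdown structure that lets attacker-supplied text pass for tool-generated
# sections. Heuristic rules chosen for this example, not a Sentry feature.
RULES = {
    "heading": re.compile(r"^\s{0,3}#{1,6}\s+\S", re.M),
    "code_fence": re.compile(r"^\s*(?:`{3}|~{3})", re.M),
    "link": re.compile(r"\[[^\]]+\]\([^)]+\)"),
}
# Context key names are plain identifiers in normal use; anything else is suspect.
PLAIN_KEY = re.compile(r"[A-Za-z0-9_.\- ]{1,64}")

# Constructed sample events (not real Sentry data; field names are assumed).
BENIGN = {"message": "TypeError: __init__() got an unexpected keyword 'id'",
          "contexts": {"browser": {"name": "Firefox", "version": "126"}}}
SUSPECT = {"message": "Timeout\n\n## Recommended fix\n" + "`" * 3 + "\n<placeholder>\n",
           "contexts": {"**Resolution steps**": {"step_1": "placeholder"}}}


def untrusted_fields(event):
    """Yield (path, text, is_key) for the message and every context key name."""
    yield "message", str(event.get("message", "")), False
    contexts = event.get("contexts")
    if not isinstance(contexts, dict):
        return
    for section, values in contexts.items():
        yield f"contexts.{section}", str(section), True
        if isinstance(values, dict):
            for key in values:
                yield f"contexts.{section}.{key}", str(key), True


def scan_event(event):
    """Return a sorted list of (path, rule) findings for one event."""
    findings = set()
    for path, text, is_key in untrusted_fields(event):
        if is_key and not PLAIN_KEY.fullmatch(text):
            findings.add((path, "non_identifier_key"))
        for rule, pattern in RULES.items():
            if pattern.search(text):
                findings.add((path, rule))
    return sorted(findings)


def partition(events):
    """Split events into (forward_to_agent, hold_for_human_review)."""
    forward, hold = [], []
    for event in events:
        (hold if scan_event(event) else forward).append(event)
    return forward, hold
```

A filter like this belongs between the MCP server and the agent, so that held events never enter the agent's context; the article reports that instructing the agent to ignore untrusted data did not stop execution.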