Agentjacking — When Your AI Coding Agent Runs Attacker Code
New attack name. Same old problem. Just with AI this time.
Researchers call it Agentjacking. Hijacks AI coding agents like Claude Code and Cursor. Runs attacker-controlled code on developer machines.
No phishing. No malware. No breach of your infrastructure.
Just a single injected Sentry error and a developer asking their AI to “fix unresolved issues.”
Every step in the attack chain is authorized. Your AI does exactly what you asked. It just trusts the wrong data. Your WAF sees nothing. Your EDR sleeps. Your IAM says “working as designed.”
How Agentjacking Works — No Magic, Just Bad Design
Sentry DSNs (Data Source Names) are write-only credentials. They’re routinely embedded in frontend JavaScript. Indexed across the web. Public by design.
Anyone with your DSN can submit fake errors to Sentry. Controlled messages. Tags. Context. Stack traces. Everything looks real.
Sentry accepts it. Because that’s what it’s built to do.
Then the developer asks their AI: “Hey Claude, fix the unresolved Sentry issues.”
The AI queries Sentry via MCP (Model Context Protocol). Reads the attacker’s fake error. Sees the “Resolution” section. Executes the command.
That command pulls a package from npm. Runs on the developer’s machine. With full local privileges.
In Tenet’s campaign, that package checked environment variables, AWS config, Docker config, network interfaces. Then sent everything back to an attacker server.
Tenet reports 100+ confirmed executions across a Fortune 500 cloud enterprise, a multi-billion-dollar hosting provider, scientific software firms, startups, and individual developers.
The “Authorized Intent Chain” — Why Defense Fails
Traditional security looks for bad things. Malware. Phishing. Policy violations. Unauthorized access.
Agentjacking has none of that.
- Sentry is used as designed — ingest errors, serve them to tools
- DSNs are public by policy — Sentry tells you to embed them
- The npm package is fetched over standard channels — npm is trusted
- The AI executes commands as part of its normal workflow — that’s its job
Everything is authorized. Everything looks benign. Nothing triggers an alert.
Sentry acknowledged the issue. Added a filter for one specific payload string. Then reportedly said the attack class is “not technically defensible” at the ingestion layer.
Translation: We can’t fix this. The AI has to stop trusting us.
The Real Problem — AI Agents Trust Everything
Current AI models cannot reliably distinguish descriptive data from embedded instructions.
Especially when those instructions appear in “trusted” logs, metrics, or error messages.
Your AI reads your monitoring stack. Your error tracker. Your CRM. Your Slack history. Your internal docs.
If an AI reads it and acts on it, an attacker can control it.
Tenet’s research isn’t a Sentry bug. It’s a systemic AI-agent problem. Any MCP integration that returns externally influenced data carries the same risk.
What This Means for You
If your developers are using AI coding agents hooked into your monitoring stack — that agent is reading attacker-controlled content right now.
You just haven’t been targeted yet.
The 85% success rate isn’t a bug. It’s a feature of how these tools are built. Trust everything. Question nothing. Execute first.
What You Should Check Today
- ✅ What data sources can your AI agents read? (Sentry, DataDog, Grafana, etc.)
- ✅ Do those sources accept anonymous or external input?
- ✅ Can your AI agents execute commands automatically? Or do they require approval?
- ✅ Are you logging what your AI agents read and execute?
- ✅ Have you pentested your MCP integrations?
The Bottom Line
Agentjacking isn’t the last attack. It’s the first of hundreds.
Every MCP integration that feeds external data to an AI agent is a potential injection point. Your logs. Your metrics. Your error trackers. Your CRM notes. Your support tickets.
If an AI reads it and acts on it, an attacker can control it.
The same AI that helps you ship code can be the same AI that breaches your infrastructure.
You don’t need to rip out your AI tools. You need to stop trusting them implicitly.
Agentjacking works because AI agents have no permission boundaries for trust. They read from “trusted” sources and execute what they find.
A pentest finds these blind spots. A retainer keeps finding new ones. Three spots left.
Your AI is reading attacker commands right now.
Full AI Agent Pentest: €3,000 — MCP injection testing, data boundary audit, full red team.
Security Retainer: €1,500/month — continuous validation.
Free 15-min consultation. No Calendly. Just honest answers about what your AI is really reading.
Leave a Reply