A newly disclosed Agentjacking assault class can silently weaponize AI coding brokers in opposition to the very builders who depend on them, requiring no phishing, no server compromise, and no consumer interplay past a developer’s regular workflow of asking their AI assistant to analyze errors.
Tenet Safety’s Risk Labs developed and validated the approach, demonstrating how a single injected error occasion authenticated utilizing nothing greater than a public credential present in any web site’s JavaScript supply code can hijack AI coding brokers into executing arbitrary code on developer machines.
The assault exploits a crucial architectural flaw on the intersection of Sentry’s occasion ingestion system, which accepts arbitrary payloads from anybody holding the Knowledge Supply Title (DSN), and the Sentry MCP server, which returns that information to AI brokers as trusted system output.
Sentry deliberately paperwork as secure to embed in frontend JavaScript, making it discoverable by way of JavaScript supply inspection, Censys searches, or GitHub code search, with out requiring a breach.
Agentjacking Assault Hijacks AI Coding Brokers
As soon as an attacker obtains the DSN, they POST a crafted error occasion to Sentry’s ingest endpoint, which accepts it with an HTTP 200 response and processes it identically to a official software error.
The injected payload makes use of fastidiously formatted markdown headings, code blocks, and pretend ## Decision sections that renders as content material structurally an identical to Sentry’s personal MCP system templates.
When a developer asks their AI coding agent to repair unresolved Sentry points, the agent queries Sentry by way of MCP, receives the injected occasion, and is unable to differentiate it from official steerage, executes the attacker-controlled npx command with the developer’s full system privileges.
The impression is extreme: surroundings variables together with AWS keys, GitHub tokens, Sentry auth tokens, git credentials, non-public repository URLs, and developer id are silently exfiltrated to the attacker’s server.
To show the assault was not theoretical, Tenet Safety validated it end-to-end in opposition to real-world organizations in managed situations. Researchers recognized 2,388 organizations with uncovered and injectable DSNs, 71 ranked within the Tranco high a million.
Throughout managed validation waves, over 100 organizations had AI coding brokers act on injected errors, together with Claude Code, Cursor, and Codex, yielding an 85% exploitation success charge.
Confirmed victims spanned a Fortune 500 enterprise with a $250B+ mother or father firm, a $2B+ internet hosting infrastructure supplier, scientific computing corporations, and early-stage startups throughout six continents.
Notably, even a cloud safety vendor appeared among the many uncovered organizations, underscoring that neither a safety funds nor posture alone predicts security.
Agentjacking bypasses EDR, WAF, IAM controls, VPN, Cloudflare, and firewalls totally as a result of each motion within the assault chain is technically licensed.
Tenet describes this because the Approved Intent Chain: the prevailing safety mannequin is constructed to catch unauthorized habits, and this assault accommodates none.
Immediate-layer defenses proved equally ineffective. Brokers executed attacker payloads even when system prompts explicitly instructed them to ignore untrusted information, confirming the weak spot is inherent to how present fashions course of MCP software output, not a misconfiguration that may be patched away.
Tenet disclosed the findings to Sentry on June 3, 2026. Sentry acknowledged the problem the identical day however declined to handle it on the root, describing the assault class as “technically not defensible” on the platform degree.
The danger extends effectively past Sentry, any MCP software integration returning externally influenced information to an AI agent creates the identical vulnerability class, and the assault floor grows with each new software that joins the AI agent ecosystem.
Comply with us on Google Information, LinkedIn, and X to Get Immediate Updates and Set GBH as a Most popular Supply in Google.
