- Researchers at Tenet Security have uncovered a new attack class called “Agentjacking” that tricks AI coding agents into executing malicious code.
- The exploit uses a fake error report sent to the Sentry platform, which AI agents then interpret and act upon as legitimate troubleshooting steps.
- The attack can expose sensitive developer data like environment variables and Git credentials without needing phishing or server compromise.
- Sentry acknowledged the flaw but deemed it “technically not defensible,” opting for a limited content filter instead of a full fix.
Cybersecurity researchers from Tenet Security revealed in June 2026 a novel attack vector that manipulates trusted AI coding assistants, a technique they’ve dubbed Agentjacking. This method allows an attacker to run arbitrary code directly on a developer’s machine by exploiting the integration between AI agents and the Sentry error-monitoring service.
The attack, as detailed by the researchers, begins when an attacker obtains a target’s publicly available Sentry Data Source Name (DSN). Consequently, they can send a maliciously crafted error event to Sentry’s ingest endpoint. This injected payload contains markdown formatted to mimic legitimate Sentry system output.
When a developer prompts their AI agent to fix unresolved issues, the agent retrieves the malicious event via the Model Context Protocol. However, the agent cannot distinguish the fake error from a real one. The AI coding assistant then executes the attacker’s code with the developer’s full system privileges.
This chain results in what the researchers call a “critical architectural flaw.” Meanwhile, the attacker never needs to breach the victim’s infrastructure directly. “The malicious instruction arrives disguised as a legitimate ‘Resolution’ inside an ordinary error,” the researchers explained.
Tenet Security tested the attack in a controlled environment, achieving an 85% success rate. They found at least 2,388 organizations with injectable DSNs. Sentry has activated a global filter for a specific payload string but maintains a broader fix is not feasible.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
