A recent discovery by cybersecurity researchers has unveiled a novel attack method known as Agentjacking, which can deceive artificial intelligence (AI) coding agents into executing arbitrary code on developer machines. This technique, identified by Tenet Security, leverages a vulnerability in the Sentry platform, an open-source tool used for error tracking and performance monitoring.
Understanding the Attack Mechanism
The Agentjacking attack exploits a significant architectural flaw involving Sentry’s event ingestion system, which accepts arbitrary payloads from any user possessing the Data Source Name (DSN). According to researchers Ron Bobrov, Barak Sternberg, and Nevo Poran, the flaw lies in the interaction between Sentry’s event ingestion and the Model Context Protocol (MCP) server, which returns data to AI agents as trusted output.
Execution of Malicious Code
In this attack, an adversary can inject crafted input into Sentry error events. These events are then interpreted by AI coding agents, such as Claude Code and Cursor, as legitimate resolutions to diagnostic issues. Consequently, when a developer prompts their AI agent to address unresolved Sentry issues, the agent queries Sentry and inadvertently executes the attacker’s code, which operates with the developer’s full privileges.
Impact and Scope
The implications of a successful Agentjacking attack are significant, as it can expose sensitive information, including environment variables, Git credentials, private repository URLs, and developer identities. Notably, the researchers found that at least 2,388 organizations have valid injectable DSNs, and testing against over 100 organizations yielded an 85% success rate in exploiting injected errors.
Response from Sentry
Sentry has acknowledged the issue but has chosen not to implement a fix, citing that it is “technically not defensible.” Instead, the company has activated a global content filter to block a specific payload string. As enterprises increasingly adopt AI coding agents, this research highlights the potential vulnerabilities inherent in these systems, which can be turned against developers using publicly available data.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.
