Researchers disclose Agentjacking hijacks AI coding agents
Cybersecurity researchers at Tenet Security disclosed a new attack class called "Agentjacking" that tricks AI coding agents into executing attacker-controlled code, according to Tenet's blog post and reporting by The Hacker News and Infosecurity Magazine. The technique injects a maliciously crafted Sentry error event via a target's public, write-only Sentry Data Source Name (DSN), causing agents such as Claude Code, Cursor, and Codex to render and run the embedded instructions when queried over the Model Context Protocol. Tenet tested the attack against 100+ real-world targets, reporting an 85% success rate and identifying 2,388 organizations with valid injectable DSNs, and says a successful chain can expose environment variables, cloud and Git credentials, and CI/CD secrets with no phishing or prior compromise required.
Agentjacking matters to any team running AI coding agents against real telemetry because it demonstrates a working, tested exploit chain, not a theoretical risk: Tenet Security reports an 85% success rate against major agents in real-world testing, and identified thousands of organizations with the exact public credential the attack requires already exposed.
What happened
Tenet Security's Threat Labs disclosed a new attack class called "Agentjacking," which uses crafted Sentry error events to induce AI coding assistants to run attacker-controlled code, according to Tenet's blog post and coverage by The Hacker News and Infosecurity Magazine. The attack requires only a project's Sentry Data Source Name (DSN), a public, write-only credential Sentry documents as safe to embed in frontend JavaScript. Tenet said it confirmed exploitability against more than 100 real-world targets, with an 85% success rate across the most popular agents, including Claude Code, Cursor, and Codex, and identified at least 2,388 organizations with valid, injectable DSNs, including some in the Tranco top-1M sites by web traffic. Tenet reported that a successful chain can recover environment variables, AWS credentials, GitHub and GitLab OAuth tokens, npm registry tokens, Docker configuration, Kubernetes cluster tokens, and CI/CD pipeline secrets, and that the attack requires no phishing and no prior compromise of the victim's infrastructure.
Technical context
Per Tenet's writeup and corroborating reporting, the attack chain works as follows: an attacker locates a target's Sentry DSN, commonly embedded in client-side JavaScript or discoverable via GitHub search; the attacker POSTs a malicious error event to Sentry's ingest endpoint using only the DSN, with no further authentication required; the injected event contains carefully formatted markdown designed to mimic Sentry's own system template; when a developer asks their AI coding agent to fix unresolved Sentry issues, the agent queries Sentry via the Model Context Protocol (MCP) and cannot distinguish the injected event from a legitimate one; the agent then executes the embedded instructions with the developer's local privileges. Tenet said the attack bypasses tools like EDR and web application firewalls because there is no malicious payload to detect, and that agents executed the instructions even when separately prompted to ignore untrusted data.
Security context
Agentjacking exploits the same underlying failure mode as prompt injection and other data-plane poisoning attacks: a tool accepts and executes guidance from an external, unauthenticated data source without validating it. What is notable here is scale and intent, since Sentry DSNs are deliberately public by design, so a single crafted payload could in principle be replayed against thousands of exposed projects simultaneously. Infosecurity Magazine reports this as part of a broader pattern of MCP-related and indirect prompt-injection disclosures affecting AI coding and browser agents this year.
For practitioners
Teams that expose Sentry DSNs (or similar public, write-only telemetry credentials) to client-side code should treat those tokens as an attack surface once any automation consumes their output. Before allowing AI coding agents to act on MCP tool responses, validate or sign telemetry data, and keep a human in the loop for any agent action that can execute code or touch credentials, rather than trusting tool output as pre-vetted.
What to watch
Track Tenet Security's full technical disclosure and any advisories from Sentry or from the makers of Claude Code, Cursor, and Codex. Watch for vendor changes that validate or sign MCP tool output, guardrails on agent-initiated remote actions, and independent proof-of-concept confirmations or exploitation reports from other researchers.
Key Points
- 1Tenet Security disclosed Agentjacking, which uses injected Sentry error events to hijack AI coding agents like Claude Code, Cursor, and Codex.
- 2Tenet tested the exploit against 100+ real targets with an 85% success rate and found 2,388 organizations with valid injectable Sentry DSNs.
- 3Teams should validate or sign MCP tool output and keep humans in the loop before letting AI agents execute code from telemetry data.
Scoring Rationale
A tested, working exploit chain (85% success rate across 100+ real targets, 2,388 organizations with exposed credentials) against widely used AI coding agents (Claude Code, Cursor, Codex) via a novel MCP/telemetry injection vector. Well-corroborated across Tenet's own disclosure and independent security trade press. Major, actionable security finding for any team running AI coding agents against real observability data.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems