How the Attack Works
Security researchers at Tenet Security have uncovered a new attack vector called Agentjacking that targets AI-powered coding assistants. The attack exploits the way AI agents like Claude Code and Cursor interact with Sentry, an open-source error-tracking platform. By crafting a fake error report containing malicious instructions, an attacker can trick an AI coding agent into executing arbitrary code on a developer’s machine.
The attack begins when an attacker obtains a target’s Sentry Data Source Name (DSN), which is a publicly visible credential embedded in websites. The attacker then sends a specially crafted error event to Sentry’s ingest endpoint using that DSN. When a developer asks their AI coding assistant to fix unresolved Sentry issues, the agent queries Sentry and retrieves the malicious event, interpreting it as legitimate diagnostic guidance and running the attacker’s code with the developer’s full system privileges.
Impact and Scope
This vulnerability represents a significant shift in attack strategy, as it targets the trusted relationship between developers and their AI tools. The attack bypasses traditional security measures like EDR, WAF, firewalls, and VPNs because each action in the chain is technically authorized. Tenet Security identified at least 2,388 organizations with valid injectable DSNs and achieved an 85% exploitation success rate during controlled testing against over 100 organizations.
Sentry has acknowledged the issue but declined to implement a full fix, stating it is “technically not defensible.” However, the company activated a global content filter to block a specific payload string. Successful exploitation can expose sensitive data including environment variables, Git credentials, private repository URLs, and developer identities, all without requiring phishing or prior server compromise.
Source: https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html
