{"id":13607,"date":"2026-06-14T10:03:50","date_gmt":"2026-06-14T10:03:50","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/14\/new-agentjacking-attack-hijacks-your-ai-coding-agent-to-run-code-from-a-hackers-server\/"},"modified":"2026-06-14T10:03:50","modified_gmt":"2026-06-14T10:03:50","slug":"new-agentjacking-attack-hijacks-your-ai-coding-agent-to-run-code-from-a-hackers-server","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/14\/new-agentjacking-attack-hijacks-your-ai-coding-agent-to-run-code-from-a-hackers-server\/","title":{"rendered":"New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker\u2019s Server"},"content":{"rendered":"

New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker\u2019s Server
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

New \u201cAgentjacking\u201d attack that hijacks AI coding agents<\/a> and silently executes attacker-controlled code on developer machines using nothing more than a single injected Sentry error.<\/p>\n

The technique turns trusted AI assistants like Claude Code and Cursor into an execution layer for malicious commands, without phishing, malware delivery, or any breach of the victim\u2019s infrastructure.<\/p>\n

In this attack, the entry point is Sentry\u2019s public Data Source Name (DSN)<\/a>. This write-only credential is routinely embedded in frontend JavaScript and indexed across the web.<\/p>\n

Tenet\u2019s researchers used passive reconnaissance methods, including JavaScript inspection, Censys searches, CDN loader analysis, and code search, to identify 2,388 organizations with injectable DSNs, including 71 in the Tranco top-1M.<\/p>\n

With only the DSN, an attacker can submit arbitrary error events to Sentry\u2019s ingest API, controlling fields such as messages, tags, context, extra data, breadcrumbs, user information, stack traces, and fingerprints.<\/p>\n

Sentry accepts these forged events as legitimate application errors, allowing attackers to inject fully controlled content into monitoring workflows.<\/p>\n

\"The
The Agentjacking chain<\/em> (source :tenetsecurity)<\/figcaption><\/figure>\n

The core architectural flaw sits at the junction of Sentry\u2019s event ingestion pipeline and its Model Context Protocol (MCP) integration<\/a>, which feeds error data back to AI coding agents as trusted system output.<\/p>\n

Agentjacking Attack Hijacks AI Coding Agents<\/strong><\/h2>\n

Attackers can embed carefully crafted Markdown into injected errors, particularly within message and context fields, to influence how content is displayed to AI agents.<\/p>\n

The content can appear as a legitimate Sentry \u201cResolution\u201d section with headings, code blocks, and tables, making it indistinguishable from genuine remediation guidance.<\/p>\n

When a developer asks their agent to \u201cfix unresolved Sentry issues,\u201d the AI queries Sentry via MCP, retrieves the crafted event, and interprets the attacker\u2019s command as legitimate diagnostic steps, not as untrusted input.<\/p>\n

Tenet\u2019s proof-of-concept payload directed agents to execute an npx command that pulled a controlled validation package from the public npm registry<\/a> and ran it with the developer\u2019s full local privileges.<\/p>\n

In their controlled campaign, this package confirmed the presence of sensitive material by probing environment variables, checking the sizes of configuration files such as ~\/.aws\/config and ~\/.docker\/config.json, and inspecting network interfaces.<\/p>\n

Then sending scoped exposure metadata tightly back to a Tenet beacon server under explicit \u201cResponsibleDisclosure [SECURITY SCAN]\u201d headers.<\/p>\n

Tenet reports more than 100 confirmed cases<\/a> of real-agent execution across a Fortune 500 cloud enterprise, a multi-billion-dollar hosting provider, scientific software firms, startups, and individual developers.<\/p>\n

\"\"<\/figure>\n
\"The
The victim saw only benign diagnostics while the agent silently exposed cloud, source-control, and cluster credentials to an attacker (source : tenetsecurity)<\/figcaption><\/figure>\n

The attacks achieved an overall success rate of about 85% across leading AI coding agents. What makes Agentjacking particularly dangerous is that every step in the chain is authorized and looks benign to traditional defenses.<\/p>\n

Sentry is used as designed, DSNs are public by policy, the npm package is fetched over standard channels, and the AI agent executes commands as part of its normal assistance workflow.<\/p>\n

\"Confirmed
Confirmed and exposed organizations span six continents<\/em> (source :tenetsecurity)<\/figcaption><\/figure>\n

Endpoint detection, WAFs, IAM policies<\/a>, and firewalls detect no obvious policy violations because the observable behavior matches a developer-approved tool running approved commands on a trusted observability platform.<\/p>\n

Tenet describes this as an \u201cAuthorized Intent Chain,\u201d arguing that current security models, which focus on blocking unauthorized actions or malicious binaries, lack effective visibility into attacks that operate solely through trusted context and legitimate tool output.<\/p>\n

The research also underscores that this is not a single-vendor bug but a systemic AI-agent problem.<\/p>\n

Any MCP integration that returns externally influenced data to agents carries a similar risk, as the data may contain hidden instructions controlled by attackers.<\/p>\n

\n
\n