Researchers have revealed what they claim to be a “new class of attack” which tricks AI coding agents into executing arbitrary code on developer machines.

Tenet Security, which specializes in the security of autonomous AI agent, said that “agentjacking” attacks exploit an architectural flaw in the Sentry app performance monitoring and error tracking tool, which is popular with developers.

By using the techniques described in the Tenet report, an attacker would inject malicious commands into Sentry error events which are impossible to distinguish from the tool’s own remediation guidance.

AI coding agents would then read and execute these instructions, in a way similar to an indirect prompt injection attack.

Read more on coding agents: Cline Kanban Flaw Lets Websites Hijack AI Coding Agents

“The danger lies in this implicit trust. When an AI agent queries Sentry for unresolved errors, it receives the response and acts on it – just as a developer would,” Tenet explained in a blog post.

“But unlike a developer, the agent cannot verify whether an error event was generated by a real application crash or injected by an attacker. The agent’s trust in MCP tool responses creates a direct pathway from injected data to code execution.”

A Step-by-Step Attack Methodology

The report explained exactly how an attack would work:

1.  An attacker finds a target’s Sentry DSN. This is a public, write-only credential that Sentry documents as safe to embed in frontend JavaScript
2. They send a malicious error event to Sentry’s ingest endpoint via POST. No authentication is needed beyond the DSN
3. The injected event contains “carefully formatted markdown” in the message field and context key names. When returned to an AI agent via the Sentry MCP server, this is rendered as structured content visually identical to the Sentry’s system template
4. When a developer asks their AI coding agent to “fix unresolved Sentry issues” or similar, the agent queries Sentry via MCP and receives the malicious event. It can’t distinguish this from legitimate guidance
5. The agent executes the code, which runs with the developer’s full privileges

Targeting Trusted Tools

Tenet said that agentjacking is particularly dangerous because no phishing is required, and Sentry’s DSN is “intentionally public and embedded in frontend JavaScript.”

Agents can’t tell real from fake guidance, and once a payload is crafted it could be injected into thousands of projects simultaneously.

The researchers tested their theory by confirming exploitability against over 100 real-world targets. They had an 85% success rate across the most popular agents on the market, including Claude Code, Cursor and Codex.

They also found at least 2388 organizations exposed with valid injectable DSNs.

A single malicious instruction could be crafted to steal CI/CD pipeline credentials, access private source code repositories, compromise cloud infrastructure, and establish persistent access, the report warned.

The attack bypasses existing security tools like EDR and web app firewalls because there’s nothing malicious to detect, and agents executed the payload even when prompted to ignore untrusted data.

“While AI coding agents are transforming software development, their implicit trust in MCP tool responses creates a critical new attack surface. The convenience of an AI assistant connected to your observability platform comes with the risk of that assistant being weaponized against you,” the report concluded.

“Security leaders must recognize that MCP integrations are the next frontier for software supply chain attacks. It is crucial to begin evaluating: which tools your AI agents connect to, whether those tools return untrusted data, and what controls exist to prevent injected data from triggering code execution.”