Hourly ·
The Bug Report That Hacks Back: Agentjacking Turns Your AI Coding Agent Against You
A new attack class exploits the trust developers place in AI coding agents by injecting malicious commands into fake Sentry error reports — and 85% of the time, the agent just runs them.
The Authorized Attack
Security firm Tenet Security just documented a new class of attack they call agentjacking, and it's quietly the most important cybersecurity story of the month. The premise is deceptively simple: take a Sentry DSN — a public, write-only credential embedded in the JavaScript of millions of websites by design — and POST a fake error report containing a markdown-injected payload. When a developer asks Claude Code, Cursor, or OpenAI Codex to "investigate unresolved Sentry issues," the AI agent retrieves the poisoned error via the Model Context Protocol, interprets the injected markdown as legitimate guidance, and executes the attacker's command on the developer's own machine.
The numbers from Tenet's validation are sobering. They found 2,388 organizations with injectable DSNs through passive reconnaissance alone, including 71 in the Tranco top-1M. The attack succeeded 85% of the time across controlled tests. One confirmed execution hit a developer inside a 50 billion Fortune 100 technology company, reaching a live AWS secret access key and identifiers for other connected agents. It worked behind corporate VPNs, inside sandboxed CI pipelines, on both macOS and Windows. No phishing. No malware. No stolen passwords. Just a POST request to an endpoint that's open by design.
Why Nothing Catches It
The reason this attack is so dangerous is what Tenet calls the "Authorized Intent Chain" — every single step is authorized. The attacker never touches the victim's infrastructure. The developer never approves any code. The agent does exactly what it was asked to do. EDR, WAF, IAM, VPNs, and firewalls register nothing worth flagging because, from their perspective, nothing unusual happened. The vulnerability isn't a bug in Sentry's code or a flaw in any single model — it's an architectural mismatch: observability platforms were designed for humans reading error reports, not autonomous software interpreting and acting on them. Sentry itself declined root-cause remediation, calling comprehensive platform-level fixes "technically not defensible," and deployed only a content filter for the specific disclosed payload string.
The deeper lesson cuts at the heart of the AI agent moment. Developers have trained themselves to trust their coding agents. When Claude Code tells you to run a command, you run it. The agent can't tell the difference between data it reads and an instruction to act. As one researcher put it: "Developers have trained themselves to trust their coding agents. When Claude Code tells you to run a command, you run it. That trust is exactly the attack surface." The trust we've built into the agentic AI stack — the same trust that makes these tools productive — is the very thing that makes them exploitable. Agentjacking isn't the last attack of its kind. It's the first one with a name.
Sources: The New Stack · The Hacker News · Cloud Security Alliance
Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.
