Cybersecurity researchers have disclosed a newly identified attack technique called Agentjacking, which can manipulate artificial intelligence coding assistants into executing malicious code on developers’ machines. The attack, identified by cybersecurity firm Tenet Security, exploits a weakness involving Sentry, an open source error tracking and performance monitoring platform widely used by software developers. According to researchers Ron Bobrov, Barak Sternberg, and Nevo Poran, the method abuses the interaction between Sentry’s event ingestion system and the Sentry Model Context Protocol (MCP) server, creating an opportunity for attackers to inject harmful instructions that AI coding agents may interpret as trusted system guidance. The issue has raised concerns over the security risks associated with growing enterprise reliance on AI powered development tools.
Researchers explained that the attack begins when a threat actor identifies a target organization’s Sentry Data Source Name (DSN), which is a public and write only credential commonly embedded in websites. Using this information, attackers can send malicious error reports to Sentry through a POST request. These injected reports contain carefully structured markdown hidden within message fields and context keys, making the content visually appear like legitimate diagnostic instructions when retrieved by coding assistants through MCP integration. When developers ask AI tools such as Claude Code or Cursor to resolve unresolved Sentry issues, the coding agent retrieves these manipulated error events and may execute attacker controlled commands under the assumption that the instructions are authentic troubleshooting guidance. Researchers noted that this process allows malicious code to run with the same privileges as the developer, potentially exposing sensitive information such as environment variables, Git credentials, private repository links, and developer identities.
Tenet Security stated that the attack is particularly concerning because threat actors are not required to compromise infrastructure, conduct phishing campaigns, or exploit vulnerabilities inside an organization’s systems. Instead, the malicious instructions are disguised within seemingly legitimate error reports and delivered through trusted workflows already used by developers. Researchers highlighted that AI agents often treat data received from external services connected through MCP as reliable information, creating a trust gap that can be manipulated. Because the injected markdown appears visually identical to Sentry’s legitimate resolution content, coding agents may struggle to differentiate authentic guidance from attacker crafted instructions. Tenet described the issue as a significant architectural weakness in how AI systems process trusted external content, warning that the attack effectively turns the developer’s own AI assistant into an unintended execution channel.
During controlled testing, Tenet Security reported identifying at least 2,388 organizations with valid injectable DSNs that could potentially be exposed to this attack method. Researchers said they tested the approach against more than 100 organizations and recorded an 85 percent success rate when exploiting injected errors through widely used AI coding assistants. Sentry acknowledged the issue but reportedly chose not to implement a complete fix, arguing that the problem is technically difficult to defend against. However, the company is said to have introduced a global content filter designed to block a specific payload string linked to the attack. Researchers cautioned that as organizations continue integrating AI coding tools into development environments, the security of those agents is becoming an increasingly important concern, particularly when trusted external systems can be manipulated to influence AI driven actions.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
