New Agentjacking Assault Hijacks AI Coding Brokers to Execute Malicious Code

A newly disclosed Agentjacking assault class can silently weaponize AI coding brokers towards the very builders who depend on them, requiring no phishing, no server compromise, and no consumer interplay past a developer’s regular workflow of asking their AI assistant to analyze errors.

Tenet Safety’s Risk Labs developed and validated the method, demonstrating how a single injected error occasion authenticated utilizing nothing greater than a public credential present in any web site’s JavaScript supply code can hijack AI coding brokers into executing arbitrary code on developer machines.

The assault exploits a important architectural flaw on the intersection of Sentry’s occasion ingestion system, which accepts arbitrary payloads from anybody holding the Knowledge Supply Identify (DSN), and the Sentry MCP server, which returns that knowledge to AI brokers as trusted system output.

Sentry deliberately paperwork as protected to embed in frontend JavaScript, making it discoverable through JavaScript supply inspection, Censys searches, or GitHub code search, with out requiring a breach.

Agentjacking Assault Hijacks AI Coding Brokers

As soon as an attacker obtains the DSN, they POST a crafted error occasion to Sentry’s ingest endpoint, which accepts it with an HTTP 200 response and processes it identically to a authentic utility error.

The injected payload makes use of fastidiously formatted markdown headings, code blocks, and faux ## Decision sections that renders as content material structurally similar to Sentry’s personal MCP system templates.

When a developer asks their AI coding agent to repair unresolved Sentry points, the agent queries Sentry through MCP, receives the injected occasion, and is unable to tell apart it from authentic steering, executes the attacker-controlled npx command with the developer’s full system privileges.

The influence is extreme: surroundings variables together with AWS keys, GitHub tokens, Sentry auth tokens, git credentials, personal repository URLs, and developer id are silently exfiltrated to the attacker’s server.

Throughout managed validation waves, over 100 organizations had AI coding brokers act on injected errors, together with Claude Code, Cursor, and Codex, yielding an 85% exploitation success charge.

Confirmed victims spanned a Fortune 500 enterprise with a $250B+ mum or dad firm, a $2B+ internet hosting infrastructure supplier, scientific computing companies, and early-stage startups throughout six continents.

Notably, even a cloud safety vendor appeared among the many uncovered organizations, underscoring that neither a safety price range nor posture alone predicts security.

Tenet describes this because the Approved Intent Chain: the prevailing safety mannequin is constructed to catch unauthorized habits, and this assault comprises none.

Immediate-layer defenses proved equally ineffective. Brokers executed attacker payloads even when system prompts explicitly instructed them to ignore untrusted knowledge, confirming the weak spot is inherent to how present fashions course of MCP software output, not a misconfiguration that may be patched away.

Tenet disclosed the findings to Sentry on June 3, 2026. Sentry acknowledged the problem the identical day however declined to handle it on the root, describing the assault class as “technically not defensible” on the platform degree.

The danger extends effectively past Sentry, any MCP software integration returning externally influenced knowledge to an AI agent creates the identical vulnerability class, and the assault floor grows with each new software that joins the AI agent ecosystem.

Observe us on Google Information, LinkedIn, and X to Get Immediate Updates and Set GBH as a Most popular Supply in Google.