Tenet Security's Threat Labs said in June 2026 that it had demonstrated a new attack technique called "Agentjacking" that hijacks AI coding agents such as Claude Code and Cursor through fake error reports, getting them to run an attacker's code with developer privileges. Notably, it requires no phishing, no malware and no server break-in.
Threat Disclosure · AI Coding Agents
"Agentjacking": Hijacking AI Coding Agents with Fake Error Reports
Attackers abuse a public Sentry DSN to inject fake errors. When agents like Claude Code and Cursor read them via the MCP server, they treat the content as trusted fix instructions — running attacker code with developer privileges. No phishing. No malware. No server breach.
85%
Exploitation success rate in the verification wave
2,388
Exposed organizations, from Fortune 500 to solo devs
100+
AI agents responded, incl. Claude Code, Cursor, Codex
Attack success rate, drawn to scale
85%
Hijacked & executed code
Nearly 6 in 7 targeted agents were steered into running attacker-supplied code.
How the chain works
1 · INJECT
Push fake error via public Sentry DSN — no auth needed
→
2 · READ
Agent queries the error through Sentry's MCP server
→
3 · EXECUTE
Installs typosquatted npm package; leaks env variables
The architectural flaw
Agents treat logs, tickets and Sentry events as trusted instructions — so a public-by-design error channel becomes a command channel.
Public DSN
Embedded in frontend JS, readable without authentication
Spoofed metadata
Crafted to fake "diagnostic only" fixes and permission flags
Proposed mitigations
Treat Sentry issues as untrusted input — symptoms only
Approve command execution separately
Restrict package installs to code changes
Sandbox + outbound traffic restrictions
The deeper concern
Prompt hygiene alone is insufficient. Provenance verification, sandboxing and review must be product requirements — Agentjacking highlights an existing "lack of boundaries" in AI agents.
Continue reading The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.
Already purchased? Sign in ✓ Signed in — this article isn’t included in your current plan.Unlocking the full article…