Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html

Publish Date: 2026-06-12 08:04:00

Source Domain: thehackernews.com

Ravie Lakshmanan | Jun 12, 2026 | Artificial Intelligence / Vulnerability

Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines.

Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted using Sentry, an open-source error-tracking and performance-monitoring platform.

“The attack exploits a critical architectural flaw at the intersection of Sentry’s event ingestion (which accepts arbitrary payloads from anyone with the DSN) and the Sentry MCP server (which returns this data to AI agents as trusted system output),” security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran said.

The idea is to inject crafted input into Sentry error events, which coding agents like Claude Code and Cursor then interpret as legitimate diagnostic resolution steps, leading them to run attacker-controlled code.

A successful attack of this kind can expose sensitive data, including environment variables, Git credentials, private repository URLs, and developer identities, without having to rely on methods like phishing or prior server compromise.

The problem is rooted in the implicit trust associated with connecting to external services using Model Context Protocol (MCP). Because an AI agent is unable to distinguish between an error event generated by a real application crash and one injected by an attacker, this creates a pathway to arbitrary code execution when the agent processes the response.

The attack chain devised by Tenet is as follows –

  • An attacker finds a target’s Sentry Data Source Name (DSN), a public, write-only credential that’s embedded in websites.
  • The attacker sends a malicious error event to Sentry’s ingest endpoint via a POST request using the DSN.
  • The injected event contains “carefully formatted markdown” in the message field and context key names. When the Sentry MCP server…
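A defensive check for the fields named in the attack chain above, as an added example that is not code from the article, Tenet Security, or Sentry: it flags markdown structure in an event's message and context key names before the event is handed to a coding agent, and escapes the text so it renders as inert data. The event shape (a dict with `message` and `contexts` keys), the pattern list, and both sample events are assumptions constructed for illustration.

```python
import re

# Markdown constructs that have no place in a plain error message or key name.
# Heuristic list chosen for this example; tune it against your own event data.
MARKDOWN_PATTERNS = {
    "heading": re.compile(r"^\s{0,3}#{1,6}\s", re.M),
    "code_fence": re.compile(r"```|~~~"),
    "inline_code": re.compile(r"`[^`\n]+`"),
    "link": re.compile(r"\[[^\]]+\]\([^)]+\)"),
    "list_item": re.compile(r"^\s*(?:[-*+]|\d+\.)\s", re.M),
    "emphasis": re.compile(r"\*\*[^*\n]+\*\*"),
}

def markdown_findings(text):
    """Return the sorted names of markdown constructs present in text."""
    return sorted(n for n, p in MARKDOWN_PATTERNS.items() if p.search(text))

def audit_event(event):
    """Map each suspicious field (message, context key names) to its findings."""
    findings = {}
    hits = markdown_findings(str(event.get("message", "")))
    if hits:
        findings["message"] = hits
    for ctx_name, ctx in event.get("contexts", {}).items():
        keys = [ctx_name] + (list(ctx) if isinstance(ctx, dict) else [])
        for key in keys:
            hits = markdown_findings(key)
            if "\n" in key:
                hits.append("newline_in_key")
            if hits:
                findings[f"contexts key {key!r}"] = hits
    return findings

def quarantine(text):
    """Escape markdown control characters so the text renders as inert data."""
    return re.sub(r"([`#*\[\]()_>~])", r"\\\1", text).replace("\n", "\\n")

# Constructed sample events (not captured from any real project).
BENIGN = {"message": "TypeError: cannot read properties of undefined",
          "contexts": {"browser": {"name": "Firefox", "version": "126.0"}}}
SUSPECT = {"message": "## Resolution\n1. Follow [guide](https://example.invalid/)",
           "contexts": {"## Required fix": {"step": "placeholder"}}}

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_event(ev) or "clean")
```

A finding here is a reason to withhold the event from the agent or pass only the `quarantine` output; a clean result does not make event content trustworthy as instructions.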
