CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 13, 2026

New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server

Cybersecurity News Archived Jun 13, 2026 ✓ Full text saved

New “Agentjacking” attack that hijacks AI coding agents and silently executes attacker-controlled code on developer machines using nothing more than a single injected Sentry error. The technique turns trusted AI assistants like Claude Code and Cursor into an execution layer for malicious commands, without phishing, malware delivery, or any breach of the victim’s infrastructure. In […] The post New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server appeared first

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeAI New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server By Abinaya June 13, 2026 New “Agentjacking” attack that hijacks AI coding agents and silently executes attacker-controlled code on developer machines using nothing more than a single injected Sentry error. The technique turns trusted AI assistants like Claude Code and Cursor into an execution layer for malicious commands, without phishing, malware delivery, or any breach of the victim’s infrastructure. In this attack, the entry point is Sentry’s public Data Source Name (DSN). This write-only credential is routinely embedded in frontend JavaScript and indexed across the web. Tenet’s researchers used passive reconnaissance methods, including JavaScript inspection, Censys searches, CDN loader analysis, and code search, to identify 2,388 organizations with injectable DSNs, including 71 in the Tranco top-1M. With only the DSN, an attacker can submit arbitrary error events to Sentry’s ingest API, controlling fields such as messages, tags, context, extra data, breadcrumbs, user information, stack traces, and fingerprints. Sentry accepts these forged events as legitimate application errors, allowing attackers to inject fully controlled content into monitoring workflows. The Agentjacking chain (source :tenetsecurity) The core architectural flaw sits at the junction of Sentry’s event ingestion pipeline and its Model Context Protocol (MCP) integration, which feeds error data back to AI coding agents as trusted system output. Agentjacking Attack Hijacks AI Coding Agents Attackers can embed carefully crafted Markdown into injected errors, particularly within message and context fields, to influence how content is displayed to AI agents. The content can appear as a legitimate Sentry “Resolution” section with headings, code blocks, and tables, making it indistinguishable from genuine remediation guidance. When a developer asks their agent to “fix unresolved Sentry issues,” the AI queries Sentry via MCP, retrieves the crafted event, and interprets the attacker’s command as legitimate diagnostic steps, not as untrusted input. Tenet’s proof-of-concept payload directed agents to execute an npx command that pulled a controlled validation package from the public npm registry and ran it with the developer’s full local privileges. In their controlled campaign, this package confirmed the presence of sensitive material by probing environment variables, checking the sizes of configuration files such as ~/.aws/config and ~/.docker/config.json, and inspecting network interfaces. Then sending scoped exposure metadata tightly back to a Tenet beacon server under explicit “ResponsibleDisclosure [SECURITY SCAN]” headers. Tenet reports more than 100 confirmed cases of real-agent execution across a Fortune 500 cloud enterprise, a multi-billion-dollar hosting provider, scientific software firms, startups, and individual developers. The victim saw only benign diagnostics while the agent silently exposed cloud, source-control, and cluster credentials to an attacker (source : tenetsecurity) The attacks achieved an overall success rate of about 85% across leading AI coding agents. What makes Agentjacking particularly dangerous is that every step in the chain is authorized and looks benign to traditional defenses. Sentry is used as designed, DSNs are public by policy, the npm package is fetched over standard channels, and the AI agent executes commands as part of its normal assistance workflow. Confirmed and exposed organizations span six continents (source :tenetsecurity) Endpoint detection, WAFs, IAM policies, and firewalls detect no obvious policy violations because the observable behavior matches a developer-approved tool running approved commands on a trusted observability platform. Tenet describes this as an “Authorized Intent Chain,” arguing that current security models, which focus on blocking unauthorized actions or malicious binaries, lack effective visibility into attacks that operate solely through trusted context and legitimate tool output. The research also underscores that this is not a single-vendor bug but a systemic AI-agent problem. Any MCP integration that returns externally influenced data to agents carries a similar risk, as the data may contain hidden instructions controlled by attackers. Current AI models cannot reliably distinguish descriptive data from embedded instructions, especially when those instructions appear in seemingly trusted logs, metrics, or error messages. Tenet disclosed its findings to Sentry on June 3, 2026; Sentry acknowledged the issue and introduced a global content filter for a specific payload string. Sentry called the issue “technically not defensible” and deferred mitigation to model vendors (source :tenetsecurity) Reportedly characterized the underlying class of attack as “not technically defensible” at the ingestion layer, instead pointing to model-side middleware as a mitigation. For defenders, the Agentjacking work signals a new era in AI supply chain risk, where the AI agent itself becomes the primary attack surface. Security teams need to reassess which tools their AI agents interact with and whether those tools accept untrusted or anonymous input. What runtime controls are in place to prevent injected content from automatically translating into code execution on developer endpoints. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Hackers Deploy MLTBackdoor Malware via Multi-Stage ClickFix Infection Chain Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens Windows BitLocker 0-Day Vulnerability Allows Attackers to Bypass Security Feature PoC Exploit Released for Guest-to-Host Escape Linux Kernel Vulnerability GitHub to Automate Disable npm Script Installs to Block Supply Chain Attacks Latest News Cyber Security News Splunk Enterprise Pre-Auth RCE Chain Exposes Database With Zero Authentication Cyber Security Anthropic Fable 5 and Mythos 5 Access Blocked to All Users Following Government Directive Cyber Security News Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks Cyber Security News Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection Cyber Security News Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 13, 2026
    Archived
    Jun 13, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗