Agentjacking Attack Exposes Critical Trust Flaw in AI Coding Agents

While everyone stresses about the launch of Mythos and its peers, there may be a new angle to cybercrime for IT defense teams to worry about: “agentjacking.” A new attack documented by Tenet Security, proven in tests against thousands of AI coding agents worldwide, abuses trusted inputs in a very simple way and is looked at as being “technically indefensible.”

Agentjacking threatens all AI coding agents with MCP integrations

In addition to being “indefensible,” the agentjacking attack takes only rudimentary hacking ability to pull off. It abuses the fact that Sentry is broadly a trusted input source for AI coding agents, and only a publicly available credential is required to get the ball rolling.

Tenet presents a proof-of-concept that they have tested against thousands of systems, including Fortune 500 companies and one in the Fortune 100. They claim an 85% success rate overall, across many different types of setups and AI coding agents (including the biggest names like Claude Code).

The attack centers on forging error reports trusted implicitly by AI coding agents when sent by the Sentry MCP server. The trouble is, anyone can send an error report to a target with the Sentry DSN credential widely found out in the open in simple manual reviews of public-facing website code, Censys searches for ingest.sentry.io in HTTP bodies, or a GitHub code search.

Malicious instructions are embedded in the error report. When the AI coding agent goes to address the report, it executes the instructions. One cannot successfully instruct the agents to be more suspicious of the instructions it finds in reports, at least according to the researchers, nor does putting them in a sandbox help at all.

The hacker just needs to know how to find the target’s Sentry credential, trivially done with online instructions, and then craft the malicious request in the usual style of Sentry’s MCP system template. From there they just need a place to exfiltrate the stolen data to. This can include AWS keys, GitHub tokens, Sentry auth tokens, git credentials, private repository URLs, and developer identities.

The biggest problem is that this is not a patchable item at either end. This is a core function of Sentry, developed before AI coding agents had developer access and permissions. The AI developers do not really have a way to block this either, save potentially middleware. Almost equal of a problem is that this attack isn’t really detectable either, because it never engages in unauthorized access that would flip a flag with automated defense systems.

LLM chatbots not susceptible, but most automated coding assistants are

The list of impacted AI coding agents is long, with over 100 in total found to be susceptible to agentjacking. In addition to Claude Code, there are other popular entries on the list such as Codex and Cursor. If a coding agent uses an MCP integration to take in outside input, it’s a safe bet it can be compromised in this way.

The testing found 2,388 organizations that are exposed, though it tested the feasibility of the attack on a smaller amount. The most “successful” of these attack tests, the one on the unnamed Fortune 100 company, compromised all of its AI coding agents with just one injection.

What official word from Sentry there is thus far is that this is something they cannot stop at their end. It falls more to AI developers to implement middleware, but Tenet has also come up with an open source drop-in config called “agent-jackstop” for end users that works to harden Claude Code and several other models.