{"slug": "agentjacking-a-fake-bug-report-can-hijack-your-ai-coding-agent", "title": "Agentjacking: a fake bug report can hijack your AI coding agent", "summary": "Security researchers at Tenet Security have discovered a new attack vector called Agentjacking that hijacks AI coding agents using a fake bug report sent through the Sentry error-tracking tool. The attack requires no malware, stolen passwords, or system breaches, and successfully compromised Claude Code, Cursor, and Codex agents with an 85% success rate in controlled tests. Tenet found 2,388 exposed organizations, and the attack bypasses EDR, firewalls, IAM, and VPNs because every action in the chain is authorized by the developer's own credentials.", "body_md": "Security researchers have found a way to hijack AI coding agents with nothing but a fake bug report. They call it Agentjacking. It needs no malware, no stolen password, and no breach of the target.\n\nThe attack, disclosed by Tenet Security, turns the coding agent into the weapon. When a developer asks the agent to fix an error, the agent runs the attacker’s code instead, with the developer’s own privileges, on the developer’s own machine.\n\n## How the Agentjacking attack works\n\nIt starts with Sentry, a popular error-tracking tool. Sentry lets any app send it error reports using a public key called a DSN, which sits openly in website code by design.\n\nAn attacker POSTs a fake error to that endpoint. No password is needed. The report hides a “Resolution” section with a command, formatted to look exactly like Sentry’s own advice.\n\nCoding agents read Sentry through the Model Context Protocol, the standard that lets agents pull in outside tools. The agent treats the response as trusted. It cannot tell a real crash from a planted one. 
So when the developer says “fix the unresolved Sentry issues,” the agent runs the attacker’s command.\n\n## The agent is the attack surface now\n\nAI coding agents have gone from autocomplete to running terminals, and the market is booming; one vibe-coding startup recently [hit $500m in revenue](https://thenextweb.com/news/lovable-build-economy-500m-arr-vibe-coding). That power is the problem.\n\nThe attack worked across the big agents. Tenet says it hijacked [Claude Code](https://thenextweb.com/news/anthropic-claude-fable-5-mythos-public-release-ipo), Cursor, and Codex, with an 85 per cent success rate in controlled tests. It found 2,388 organisations exposed, from a $250bn enterprise down to solo developers, and even a cloud-security vendor.\n\nThe payoff for an attacker is severe. One injected error can reach environment variables, AWS keys, GitHub tokens, git credentials, and private repository URLs. From there, the path runs to CI/CD pipelines and cloud infrastructure.\n\nThe scariest part is what does not catch it. The attack slips past EDR, firewalls, IAM, and VPNs, because nothing in the chain is unauthorised. Tenet calls it the “Authorised Intent Chain.” Prompts do not help either. The agents ran the code even when told to ignore untrusted data.\n\n## Nobody wants to own the fix\n\nTenet told Sentry on 3 June. Sentry acknowledged the problem but declined to fix it at the root, calling it “technically not defensible.” It added a filter to block one specific payload string, which treats the symptom, not the cause.\n\nThat standoff is the real story. The flaw is not in Sentry alone. It is in how agents handle any outside data, so the same risk runs through support tickets, GitHub issues, and documentation. 
[A separate test recently phished an AI email agent](https://thenextweb.com/news/openclaw-ai-agent-phishing-varonis-pinchy) into leaking AWS keys.\n\nThe lesson lands as enterprises rush [to put agents into production](https://thenextweb.com/news/generative-ai-to-agentic-ai-enterprise-finance). An agent wired into your tools is also a new way in. As Tenet puts it, the only place left to stop this is the moment the agent decides to act.", "url": "https://wpnews.pro/news/agentjacking-a-fake-bug-report-can-hijack-your-ai-coding-agent", "canonical_source": "https://thenextweb.com/news/agentjacking-ai-coding-agents-sentry", "published_at": "2026-06-12 13:06:15+00:00", "updated_at": "2026-06-12 14:11:19.695545+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "artificial-intelligence", "ai-tools", "ai-research"], "entities": ["Tenet Security", "Sentry", "Model Context Protocol", "Lovable"], "alternates": {"html": "https://wpnews.pro/news/agentjacking-a-fake-bug-report-can-hijack-your-ai-coding-agent", "markdown": "https://wpnews.pro/news/agentjacking-a-fake-bug-report-can-hijack-your-ai-coding-agent.md", "text": "https://wpnews.pro/news/agentjacking-a-fake-bug-report-can-hijack-your-ai-coding-agent.txt", "jsonld": "https://wpnews.pro/news/agentjacking-a-fake-bug-report-can-hijack-your-ai-coding-agent.jsonld"}}