Cybersecurity researchers at Tenet Security disclosed a new attack class called "Agentjacking" that can trick AI coding agents into executing attacker-controlled code, according to reporting by The Hacker News and Infosecurity Magazine. The technique uses a maliciously crafted Sentry error event delivered via a target's Sentry Data Source Name (DSN) to inject formatted instructions that AI assistants such as Claude Code and Cursor may interpret and run, Tenet's blog post and multiple outlets describe. Reported impacts include potential exposure of environment variables, Git credentials, private repository URLs, and developer identities, and Tenet says the attack can require no phishing, no server compromise, and no additional user interaction beyond a normal debugging workflow.
What happened
Tenet Security's Threat Labs demonstrated a novel attack class they call "Agentjacking," which uses crafted Sentry error events to induce AI coding assistants to run attacker-controlled code, according to Tenet's blog post and coverage by The Hacker News and Infosecurity Magazine. Per Tenet and reporting, the chain requires only knowledge of a project's Sentry Data Source Name (DSN), a write-only, frontend-embedded credential Sentry documents as safe to publish. Tenet and multiple outlets report that a successful exploitation path can expose environment variables, Git credentials, private repository URLs, and developer identities, and that the exploit does not depend on phishing or prior compromise of the victim's infrastructure.
Technical details
The public reporting and Tenet's writeup describe the attack flow as follows:
- •An attacker locates a target's Sentry DSN, which is commonly embedded in client-side JavaScript, Javascripts, or public configuration, per Infosecurity Magazine.
- •The attacker POSTs a malicious error event to Sentry's ingest endpoint using the DSN; no additional authentication beyond the DSN is required, per Tenet's disclosure.
- •The injected event contains carefully formatted markdown and context fields designed to mimic Sentry's system template.
- •When an AI coding agent queries Sentry via the Model Context Protocol (MCP) to retrieve unresolved errors, the Sentry MCP server returns the injected event; reporting by The Hacker News and Infosecurity states agents can render that response as trusted remediation guidance.
- •The agent then executes the embedded instructions, which run with the developer's local privileges, according to Tenet and multiple news accounts.
Editorial analysis
Agentjacking, as described in the sources, leverages implicit trust in telemetry and monitoring outputs that are surfaced to autonomous or semi-autonomous developer assistants. Similar classes of injection, for example prompt injection and data-plane poisoning, exploit the same failure mode: a tool accepts and executes guidance from an external, unauthenticated or insufficiently validated data source. This instance highlights how developer-centric telemetry (error reports, crash logs, debugging artifacts) can become an execution surface when those artifacts are consumed by automation.
Context and significance
For security and engineering teams, the immediate significance is twofold. First, widely published, write-only credentials like Sentry DSNs expand the scale at which an attacker can inject hostile content because the credential is intentionally exposed in many client-side projects, as reported by Infosecurity Magazine. Second, the integration pattern where AI assistants retrieve and act on tool output without human-in-the-loop validation creates a direct path from injected text to code execution on developer machines, a scenario multiple outlets characterize as circumventing traditional delivery vectors such as phishing or malware hosting.
What to watch
Observers should track Tenet Security's full technical blog post and any vendor advisories from Sentry and makers of AI coding assistants cited in reporting. Also monitor whether vendors update MCP-style integrations, introduce validation or signing of tool outputs, or add guardrails to agent workflows that perform remote fix actions. Finally, watch for independent tests or proofs-of-concept published by third parties and for any published metrics on affected projects or exploitation rates from telemetry providers.
For practitioners
Teams embedding client-side monitoring and exposing DSNs should treat the design assumptions behind public, write-only tokens as an attack surface when those tokens can feed automation. Developers, security engineers, and SREs deploying AI-assisted workflows should consider threat models where machine agents act on tool outputs without explicit human review.
Note on sources
The factual claims above are reported by Tenet Security in its Threat Labs blog post and corroborated in coverage by The Hacker News and Infosecurity Magazine, which describe the Sentry-based injection vector, the stepwise attack chain, and the potential for sensitive data exposure.
Scoring Rationale #
This disclosure describes a high-impact, practical attack chain enabling remote code execution on developer machines via AI assistants and widely used telemetry tooling. The attack targets common integration patterns and therefore matters to practitioners building AI-assisted developer workflows.
Practice interview problems based on real data
1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with.