A new exploit turns trusted error-monitoring tools into backdoors for hijacking AI coding assistants like Claude Code, Cursor, and Codex
Your AI coding assistant might be taking orders from someone else. Tenet Security disclosed a new attack vector called “Agentjacking” on June 12, one that successfully hijacked AI coding agents 85% of the time during controlled testing, all without tripping a single security alarm.
The attack targets a surprisingly mundane piece of infrastructure: Sentry Data Source Names (DSNs), the public endpoints that error-monitoring tools use to collect crash reports and telemetry data. Tenet’s researchers found that by injecting crafted fake error reports through these exposed DSNs, attackers can trick AI coding agents into executing arbitrary code on developer machines with full user privileges.
How Agentjacking actually works #
Sentry DSNs are designed to be public and write-only. They’re meant to receive error reports from applications running in production. The problem starts when AI coding agents integrate with Sentry through the Model Context Protocol (MCP) and treat incoming telemetry data as trusted output. The AI agent sees what looks like a legitimate error report, assumes it came from a real application crash, and acts on the instructions embedded inside it. Those instructions can include arbitrary code that runs with whatever permissions the developer has on their machine.
The attack requires no prior breach, no malware installation, and no compromised credentials. An attacker just needs to find an exposed Sentry DSN. Tenet’s researchers identified at least 2,388 organizations globally with publicly exposed, injectable Sentry DSNs, including at least one Fortune 100 company valued at $250 billion.
Tenet tested the technique across more than 100 AI coding agent instances, targeting popular tools including Claude Code, Cursor, and Codex. The 85% success rate across those tests is the kind of number that should make security teams cancel their afternoon meetings.
Why traditional security tools miss it entirely #
No endpoint detection and response (EDR) tool flagged the activity during testing. No web application firewall (WAF) caught the malicious payloads. Identity and access management (IAM) systems didn’t raise alerts. Firewalls were irrelevant. The data flows through legitimate channels, uses expected protocols, and the code execution happens under the developer’s own credentials.
Tenet’s funding and the defensive playbook #
Alongside the Agentjacking disclosure, Tenet Security announced it raised $6 million in seed funding. The round was led by The Westly Group and MizMaa Ventures. The capital is earmarked for building defensive tools against Agentjacking and similar AI agent exploitation techniques.
Tenet released open-source configurations designed to harden AI coding agents against this type of exploitation and has scheduled a webinar on mitigation strategies for July 9.
For organizations running AI coding agents in production, the immediate question is straightforward: are your Sentry DSNs exposed, and are your AI agents consuming that data without validation? Given that Tenet found 2,388 organizations in this exact position, the odds of the answer being “yes” are uncomfortably high. Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our