Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted using Sentry, an open-source error-tracking and performance-monitoring platform. "The attack

According to Tenet Security’s research, the Agentjacking attack abuses AI coding agents connected to Sentry via MCP by injecting malicious instructions into crafted error events sent through a publicly known Sentry DSN, causing agents like Claude Code or Cursor to execute attacker-controlled code with the developer’s privileges.[1][4] The attack exploits architectural trust in external MCP tools: AI agents cannot distinguish legitimate Sentry crash reports from attacker-planted ones, enabling arbitrary code execution and exposure of sensitive data such as environment variables and Git credentials without phishing or prior compromise.[1] CyberSE.AI’s analysis: This is a clear case of AI agent abuse and AI supply-chain style risk at the tool-integration layer, indicating that agent architectures must treat all external telemetry (e.g., Sentry, logging, APM) as untrusted input and constrain tool-execution privileges. Organizations should implement business-logic audits of agent workflows, harden MCP/tool use with allowlists and sandboxing, and run continuous red-teaming to simulate similar indirect prompt injection and tool-hijack scenarios before attackers do.