RSS

A Fake Bug Report Hijacks Your AI Coding Agent – and Nothing Catches It

patrickdavey1 pts0 comments

A Fake Bug Report Hijacks Your AI Coding Agent - and Nothing Catches It. - Tenet Security

Skip to content

Book a demo

Book a demo

","library":"fa-solid"},"toggle":"burger"}" data-widget_type="nav-menu.default">

Blog

Threat Labs

A Fake Bug Report Hijacks Your AI Coding Agent – and Nothing Catches It.

June 9, 2026

min read

Tenet Threat Labs has demonstrated a new class of attack "Agentjacking" that hijacks AI coding agents into running attacker-controlled code on a developer’s machine, triggered by a single fake error report and invisible to every security control. Using only public Sentry APIs, breaching nothing, we found 2,388 organizations exposed, saw 100+ agents act on injected errors in controlled testing, with confirmed agent execution at organizations spanning from Fortune 500 enterprise down to independent developers.

Figure 1 – The Agentjacking chain. Every step is authorized, which is why no security control sees it.

Executive Summary

New research by Tenet Security’s Threat Labs demonstrates how a single injected error event requiring no authentication beyond a public credential found in any website’s source code can hijack AI coding agents into executing arbitrary code on developer machines.

The attack exploits a critical architectural flaw at the intersection of Sentry’s event ingestion (which accepts arbitrary payloads from anyone with the DSN) and the Sentry MCP server (which returns this data to AI agents as trusted system output). By injecting crafted input into Sentry error events, an attacker creates instructions that are visually and structurally indistinguishable from Sentry’s own remediation guidance. AI coding agents including Claude Code and Cursor interpret these as legitimate ‘diagnostic resolution steps’ and execute attacker-controlled npm packages.

The impact: a single injected error puts environment variables (AWS keys, GitHub tokens, Sentry auth tokens), git credentials, private repository URLs, and developer identity within an attacker’s reach – silently exfiltrated to their server, with no credential phishing, no prior server compromise, and no user interaction beyond the developer’s normal workflow. No credential phishing, no server prior compromise, no user interaction beyond the developer’s normal workflow of asking their AI agent to investigate Sentry errors.

Why It Matters

As enterprises race to deploy AI coding agents, this research proves the agents themselves are now the attack surface – turned against the developers who trust them, using nothing but data those organizations publish about themselves. The innovation is not a novel exploit: it is how trivially and at what scale agents can be hijacked in the wild. The only place left to catch it is at the agent’s runtime.

AI Coding Agents: A Powerful Assistant with a Hidden Flaw

Modern AI coding agents like Claude Code and Cursor have evolved from simple autocomplete tools into powerful assistants that can read files, execute terminal commands, query external tools, and make code changes. Through the Model Context Protocol (MCP), these agents connect to external services – including Sentry for error monitoring – and treat the data returned as authoritative system output.

The danger lies in this implicit trust. When an AI agent queries Sentry for unresolved errors, it receives the response and acts on it – just as a developer would. But unlike a developer, the agent cannot verify whether an error event was generated by a real application crash or injected by an attacker. The agent’s trust in MCP tool responses creates a direct pathway from injected data to code execution.

The Flaw

AI coding agents cannot tell the difference between the data they read and an instruction to act. Plant a command somewhere an agent will read it – even somewhere no human would ever look for one, like an error log – and the agent may simply execute it. This is a limitation of the models themselves, not a misconfiguration that can be patched away.

The Anatomy of the Attack: From Injected Error to RCE

The attack is alarmingly simple for the attacker but devastating for the target, it begins with one crafted error event , POSTed to Sentry using a public DSN – a credential that, by design, sits in the JavaScript source of countless production websites. No breach. No stolen credentials. No exploit in the traditional sense. The attacker never touches the victim’s infrastructure.

The malicious instruction arrives disguised as a legitimate "Resolution" inside an ordinary error. When a developer asks their AI agent to fix the Sentry issue, the agent reads the attacker’s command as trusted guidance and runs it – with the developer’s own privileges, on the developer’s own machine.

Step 1 : Find the target’s Sentry DSN – a public, write-only credential that Sentry intentionally documents as safe to embed in frontend JavaScript. Discovery methods include: inspecting any website’s JavaScript source, Censys searches for...

agent sentry agents coding developer error

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.