RSS

Agentjacking: Fake error reports hijack Claude Code and Cursor into running code

nryoo1 pts1 comments

Agentjacking: a fake bug report hijacks AI coding agents

Skip to content

News

Latest

Deep tech

Sustainability

Ecosystems

Data and security

Fintech and ecommerce

Future of work

Conference media hub

More

Startups and technology

Investors and funding

Government and policy

Corporates and innovation

Podcast

Security researchers have found a way to hijack AI coding agents with nothing but a fake bug report. They call it Agentjacking. It needs no malware, no stolen password, and no breach of the target.

The attack, disclosed by Tenet Security, turns the coding agent into the weapon. When a developer asks the agent to fix an error, the agent runs the attacker’s code instead, with the developer’s own privileges, on the developer’s own machine.

How the Agentjacking attack works

It starts with Sentry, a popular error-tracking tool. Sentry lets any app send it error reports using a public key called a DSN, which sits openly in website code by design.

An attacker POSTs a fake error to that endpoint. No password is needed. The report hides a “Resolution” section with a command, formatted to look exactly like Sentry’s own advice.

TNW City Coworking space - Where your best work happens<br>A workspace designed for growth, collaboration, and endless networking opportunities in the heart of tech.

Book a tour now

Coding agents read Sentry through the Model Context Protocol, the standard that lets agents pull in outside tools. The agent treats the response as trusted. It cannot tell a real crash from a planted one. So when the developer says “fix the unresolved Sentry issues,” the agent runs the attacker’s command.

The agent is the attack surface now

AI coding agents have gone from autocomplete to running terminals, and the market is booming; one vibe-coding startup recently hit $500m in revenue. That power is the problem.

The attack worked across the big agents. Tenet says it hijacked Claude Code, Cursor, and Codex, with an 85 per cent success rate in controlled tests. It found 2,388 organisations exposed, from a $250bn enterprise down to solo developers, and even a cloud-security vendor.

The payoff for an attacker is severe. One injected error can reach environment variables, AWS keys, GitHub tokens, git credentials, and private repository URLs. From there, the path runs to CI/CD pipelines and cloud infrastructure.

The scariest part is what does not catch it. The attack slips past EDR, firewalls, IAM, and VPNs, because nothing in the chain is unauthorised. Tenet calls it the “Authorised Intent Chain.” Prompts do not help either. The agents ran the code even when told to ignore untrusted data.

Nobody wants to own the fix

Tenet told Sentry on 3 June. Sentry acknowledged the problem but declined to fix it at the root, calling it “technically not defensible.” It added a filter to block one specific payload string, which treats the symptom, not the cause.

That standoff is the real story. The flaw is not in Sentry alone. It is in how agents handle any outside data, so the same risk runs through support tickets, GitHub issues, and documentation. A separate test recently phished an AI email agent into leaking AWS keys.

The lesson lands as enterprises rush to put agents into production. An agent wired into your tools is also a new way in. As Tenet puts it, the only place left to stop this is the moment the agent decides to act.

Story by

Ana Maria Constantin

With expertise in digital marketing, product management, and branding & identity, Ana Maria Constantin develops strategies that resonate

(show all)

With expertise in digital marketing, product management, and branding & identity, Ana Maria Constantin develops strategies that resonate with our target audience in the software/SaaS industry. Collaboration and teamwork are paramount to her, as she loves empowering her colleagues to achieve outstanding results and unlock their full potential.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Story by<br>Ana Maria Constantin

Popular articles

Meta is giving free AI glasses to every blind veteran in America

Mistral is in funding talks at a €20bn valuation

OpenAI acquires Ona to run Codex agents inside the customer’s own cloud

Nvidia’s Vera CPU is its side door back into China

Pleo layoffs hit engineers a day after it launched finance AI agents

We use cookies and other data for a number of reasons, such as keeping TNW sites reliable and secure, personalizing content and ads, providing social media features and to analyze how our sites are used.","linkColor":"6644ff","linkHoverColor":"7755ff","primaryBtnText":"Accept & continue","primaryBtnBgColor":"","primaryBtnBgHoverColor":"","primaryBtnColor":"","primaryBtnHoverColor":"","secondaryBtnText":"Manage...

agents agent sentry error code coding

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.