Cybersecurity researchers have described what they say is a new class of attacks that can trick artificial intelligence (AI) coding agents into running malicious code on developers’ machines.
It has been called Hacking agents with Tenet Security, an attack can be launched with a fake error report generated using Sentry, an open source error tracking and performance monitoring platform.
“The attack exploits a critical architectural flaw at the intersection of the Sentry event entry (which accepts arbitrary payments from anyone with a DSN) and the Sentry MCP server (which returns this data to AI agents as a trusted system exit),” security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran said.
The idea is to inject input designed into Sentry error events, which are interpreted by coding agents like Claude Code and Cursor as legitimate steps to resolve the diagnosis and execute attacker-controlled code.
A successful attack of this type can expose sensitive data, including environment variables, Git credentials, private repository URLs, and developer identities, without relying on methods such as phishing or prior server compromise.
The problem is based on the full reliability associated with connecting to external services using the Model Context Protocol (MCP). Because the AI agent cannot distinguish between an error event generated by a genuine application crash or one injected by an attacker, it creates a path to improperly executing code when the agent processes the response.
The attack chain designed by Tenet is as follows:
- An attacker obtains the sender data source name (DSN), which is a public, write-only identifier embedded in websites.
- An attacker sends a malicious error event to the Sentry endpoint via a POST request using the DSN.
- The injected event contains “well-formatted markup” in the message field and context keywords. When the Sentry MCP server returns this event to the AI agent, it is provided as structured content that looks like the Sentry system template.
- When a developer asks their AI code agent to “fix unresolved Sentry issues” (or similar information), the agent queries Sentry via MCP and receives a malicious event.
- The agent executes malicious code, running with full developer privileges.
“The attacker never touches the victim’s infrastructure,” the researchers explained. “The wrong command comes disguised as a legitimate ‘solution’ inside a common bug. When a developer asks their AI agent to fix a Sentry problem, the agent reads the attacker’s command as a trusted directory and executes it – with the developer’s own permissions, on the developer’s machine.”
Agentjacking is unique because it targets an AI agent that the developer trusts and uses the Sentry DSN as a starting point. Additionally, the marking injection is done in such a way that the agent cannot distinguish it from the official Sentry directive.
The AI cybersecurity firm said it found at least 2,388 organizations exposed to valid DSN injections, and that it tested the attack in a controlled manner on more than 100 organizations, achieving an 85% exploit success rate against flaws injected into other widely used AI code assistants.
Sentry, meanwhile, acknowledged the issue, but chose not to fix it, saying it was “technically indefensible.” However, the company is said to have activated a global content filter that blocks “certain strings from uploading.”
“As businesses rush to deploy AI agents, this study proves that the agents themselves are becoming attack sites — turning to developers they trust, using nothing but data that those organizations publish themselves,” Tenet said. “The attack bypasses EDR, WAF, IAM, VPN, Cloudflare, and firewalls – because nothing malicious can be detected. All actions in the chain are authorized.”
