Agentjacking Attacks

Cybersecurity researchers have uncovered a new attack technique known as Agentjacking, a method capable of manipulating artificial intelligence coding assistants into executing attacker-controlled code on developer systems.

The attack leverages a fake error report generated through Sentry, the widely used open-source error tracking and performance monitoring platform. According to the researchers, the vulnerability stems from a fundamental architectural weakness involving Sentry's event ingestion mechanism and its integration with AI systems through the Model Context Protocol (MCP).

Because Sentry accepts arbitrary event payloads from anyone possessing a valid Data Source Name (DSN), attackers can inject malicious content into error reports. When these reports are later retrieved by AI coding assistants such as Claude Code or Cursor through the Sentry MCP server, the injected content may be interpreted as legitimate troubleshooting guidance.

The Architectural Flaw Behind the Attack

At the core of Agentjacking is a trust problem created by MCP-connected external services. The Sentry MCP server returns event data to AI agents as trusted output, even when the data originates from unverified sources.

As a result, AI coding agents cannot reliably determine whether an error event was generated by a genuine application failure or deliberately injected by a threat actor. This inability to distinguish trusted content from malicious input creates a pathway to arbitrary code execution whenever the agent processes and follows the provided instructions.

A successful compromise can expose highly sensitive information, including environment variables, Git credentials, private repository URLs, and developer identity data. Notably, the attack does not require phishing campaigns, malware deployment, or prior compromise of the target infrastructure.

How the Agentjacking Attack Chain Works

The attack unfolds through a series of carefully orchestrated stages:

• A threat actor identifies a target organization's Sentry DSN, a public write-only credential commonly embedded within websites.
• Using the exposed DSN, a malicious error event is submitted to Sentry's ingestion endpoint through a POST request.
• The injected event contains specially crafted markdown content embedded within message fields and context key names.
• When the Sentry MCP server retrieves the event, the malicious content is rendered as structured information that visually resembles legitimate Sentry-generated guidance.
• A developer subsequently instructs an AI coding assistant to investigate or resolve unresolved Sentry issues.
• The AI agent queries Sentry through MCP and receives the attacker-controlled event.
• The malicious instructions are treated as trusted remediation steps, leading the AI agent to execute attacker-supplied code with the developer's privileges.

Why the Attack Is So Effective

One of the most concerning aspects of Agentjacking is that attackers never directly interact with the victim's infrastructure. Instead, malicious instructions are concealed within what appears to be a normal error report.

When developers request assistance from their AI coding agents, the manipulated error message is interpreted as a legitimate resolution recommendation. The AI agent then executes the instructions on the developer's machine using the developer's own permissions.

Agentjacking is particularly dangerous because it targets the trusted relationship between developers and AI assistants. The markdown injection technique is designed so convincingly that the AI agent cannot differentiate the malicious content from authentic Sentry-generated guidance.

Widespread Exposure and Vendor Response

Researchers reportedly identified at least 2,388 organizations with valid and injectable Sentry DSNs, highlighting the potential scale of the issue.

Sentry has acknowledged the findings but reportedly concluded that a complete technical fix is not feasible. Instead, the company has implemented a global content-filtering mechanism intended to block a specific known payload pattern associated with the attack.

AI Agents Become the New Attack Surface

The emergence of Agentjacking demonstrates how AI coding assistants are rapidly becoming a new and attractive attack surface. Rather than targeting traditional security controls, adversaries can exploit trusted data flows that organizations openly expose.

The attack is capable of bypassing many conventional security technologies, including endpoint detection and response (EDR) solutions, web application firewalls (WAFs), identity and access management (IAM) systems, VPNs, Cloudflare protections, and traditional firewalls. Because every action performed during the attack chain appears authorized and legitimate, there may be no obvious malicious activity for security tools to detect.

As organizations accelerate the adoption of AI-assisted software development, Agentjacking serves as a powerful reminder that the trust placed in AI agents can itself become a security vulnerability when external data sources are treated as inherently trustworthy.