How does the Agentjacking attack work?

Attackers send crafted error events to Sentry using publicly accessible DSNs, embedding commands that AI coding agents interpret and execute as legitimate diagnostic steps, resulting in unauthorized code execution.

What measures can organizations take to prevent Agentjacking attacks?

Organizations should implement robust security protocols, limit AI agents' access to sensitive systems, regularly audit and monitor AI agent activities, and establish governance frameworks to manage AI agent deployment and operation.

Agentjacking: Exploiting AI Coding Agents via Sentry Vulnerability

Discover how the Agentjacking attack exposes vulnerabilities in AI coding agents through manipulated Sentry error reports, leading to unauthorized code execution.

Published: June 12, 2026

Share this on:

Executive Summary

In June 2026, Tenet Security identified a novel attack method termed 'Agentjacking,' which exploits AI coding agents by injecting malicious code through manipulated error reports in Sentry, an open-source error-tracking platform. Attackers can send crafted error events to Sentry using publicly accessible Data Source Names (DSNs), embedding commands that AI agents interpret and execute as legitimate diagnostic steps. This technique allows unauthorized code execution on developer machines, potentially exposing sensitive data such as environment variables, Git credentials, and private repository URLs.

The Agentjacking attack underscores the growing security risks associated with integrating AI coding agents into development workflows. As these agents gain broader access to codebases and tools, they become attractive targets for exploitation. This incident highlights the urgent need for robust security measures and governance frameworks to manage the deployment and operation of AI agents, ensuring they do not inadvertently become vectors for cyberattacks.

Why This Matters Now

The rapid adoption of AI coding agents in software development has introduced new attack vectors, as demonstrated by the Agentjacking incident. Organizations must prioritize securing these agents to prevent unauthorized code execution and data breaches, emphasizing the importance of implementing comprehensive security protocols and continuous monitoring to safeguard development environments.

Attack Path Analysis

An attacker exploits the public Sentry DSN to inject a malicious error report. The AI coding agent retrieves this report and executes the embedded malicious code, leading to unauthorized code execution on the developer's machine. This grants the attacker access to sensitive data and potentially allows further exploitation within the developer's environment.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

High

Impact

Mediuminferred

Initial Compromise

Description

The attacker identifies and utilizes the public Sentry DSN to submit a crafted error report containing malicious code.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1195.002

Supply Chain Compromise: Compromise Software Supply Chain

Execution

T1203

Exploitation for Client Execution

Execution

T1059.007

Command and Scripting Interpreter: JavaScript

Persistence

T1078

Valid Accounts

Defense Evasion

T1562.001

Impair Defenses: Disable or Modify Tools

Defense Evasion

T1027

Obfuscated Files or Information

Discovery

T1083

File and Directory Discovery

Exfiltration

T1041

Exfiltration Over C2 Channel

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Change Control Processes

Control ID: 6.4.1

The attack exploited weaknesses in the software supply chain, indicating inadequate change control processes.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests deficiencies in the organization's cybersecurity policy regarding third-party software and error reporting tools.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights the need for a robust ICT risk management framework to address supply chain vulnerabilities.

CISA ZTMM 2.0 – Asset Management

Control ID: 3.1

The attack underscores the importance of comprehensive asset management to monitor and control third-party software integrations.

NIS2 Directive – Supply Chain Security

Control ID: Article 21

The incident reveals gaps in supply chain security measures, necessitating enhanced oversight of third-party components.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

Agentjacking attacks directly target AI coding agents used in software development, enabling supply chain compromise through malicious code injection via fake error reports.

Information Technology/IT

IT organizations face significant risk as AI development tools become attack vectors, requiring enhanced security fabric and anomaly detection for developer environments.

Financial Services

Financial sector's heavy reliance on AI coding agents for application development creates critical supply chain vulnerabilities requiring zero trust segmentation and egress controls.

Health Care / Life Sciences

Healthcare organizations using AI development tools face HIPAA compliance risks from compromised coding agents potentially exposing patient data through supply chain attacks.

Sources

Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Codehttps://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html
Verified

Agentjacking: a fake bug report can hijack your AI coding agenthttps://thenextweb.com/news/agentjacking-ai-coding-agents-sentry

Verified

New 'Agentjacking' Attacks Could Hijack AI Coding Agentshttps://www.infosecurity-magazine.com/news/agentjacking-attacks-hijack-ai/

Verified

Frequently Asked Questions

Agentjacking is an attack method identified by Tenet Security in June 2026, where attackers inject malicious code into AI coding agents by manipulating error reports in Sentry, leading to unauthorized code execution on developer machines.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit the public Sentry DSN may be constrained by enforcing strict identity-based access controls, reducing unauthorized code execution risks.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The execution of malicious code with elevated privileges could be limited by enforcing strict segmentation, reducing the scope of potential damage.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally within the network could be constrained by monitoring and controlling east-west traffic, reducing unauthorized access.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The establishment of command and control channels may be limited by providing comprehensive visibility and control over network traffic, reducing unauthorized communications.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The exfiltration of sensitive data may be constrained by enforcing strict egress policies, reducing unauthorized data transfers.

Impact (Mitigations)

The potential for disrupting development processes or deploying additional malicious payloads could be limited by reducing the attacker's ability to move laterally and exfiltrate data.

Impact at a Glance

Affected Business Functions

Software Development
Code Deployment
Version Control
Continuous Integration/Continuous Deployment (CI/CD)

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of environment variables, Git credentials, private repository URLs, and developer identities.

Recommended Actions

• Implement Zero Trust Segmentation to restrict AI coding agents' access to external error reporting services.
• Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual agent behaviors.
• Apply Inline IPS (Suricata) to inspect and block malicious payloads in error reports.
• Utilize Multicloud Visibility & Control to monitor and manage agent interactions across cloud environments.
• Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration by compromised agents.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Agentjacking: Exploiting AI Coding Agents via Sentry Vulnerability

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Supply Chain Compromise: Compromise Software Supply Chain

Exploitation for Client Execution

Command and Scripting Interpreter: JavaScript

Valid Accounts

Impair Defenses: Disable or Modify Tools

Obfuscated Files or Information

File and Directory Discovery

Exfiltration Over C2 Channel

Potential Compliance Exposure

PCI DSS 4.0 – Change Control Processes

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset Management

NIS2 Directive – Supply Chain Security

Sector Implications

Computer Software/Engineering

Information Technology/IT

Financial Services

Health Care / Life Sciences

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads