Full Report
Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted using Sentry, an open-source error-tracking and performance-monitoring platform. "The attack
Analysis Summary
# Tool/Technique: Agentjacking
## Overview
Agentjacking is an indirect prompt injection and supply chain attack technique targeting AI coding agents. By exploiting the deep integration between error-monitoring platforms (like Sentry) and AI coding assistants via the Model Context Protocol (MCP), attackers can trick AI agents into executing arbitrary code on a developer’s workstation. The attack relies on the implicit trust the AI agent places in data returned by third-party diagnostic tools.
## Technical Details
- **Type**: Technique (Indirect Prompt Injection / AI Supply Chain Attack)
- **Platform**: Developer workstations (macOS, Windows, Linux) running AI coding assistants (e.g., Cursor, Claude Code) integrated with Sentry.
- **Capabilities**: Remote Code Execution (RCE), Data Exfiltration, Credential Theft.
- **First Seen**: June 2026 (Reported by Tenet Security)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1195 - Supply Chain Compromise]**: Manipulating external data sources (Sentry events) used by development tools.
- **[TA0002 - Execution]**
- **[T1204.003 - User Execution: Malicious Prompt]**: Tricking a user into asking an AI agent to "fix" a malicious error.
- **[T1059 - Command and Scripting Interpreter]**: AI agent executes shell commands or scripts on the host.
- **[TA0007 - Discovery]**
- **[T1082 - System Information Discovery]**
- **[TA0011 - Command and Control]**
- **[T1071.001 - Application Layer Protocol: Web Protocols]**: Exfiltration via HTTP/S.
## Functionality
### Core Capabilities
- **DSN Exploitation**: Utilizes publicly accessible Sentry Data Source Names (DSNs) to send unauthorized POST requests containing malicious payloads to Sentry’s ingestion endpoints.
- **Markdown Injection**: Employs "carefully formatted markdown" within Sentry error fields. When the AI agent queries the Sentry MCP server, it parses this markdown as trusted system instructions rather than raw data.
- **Arbitrary Code Execution**: Commands disguised as "Resolution Steps" or "Fixes" are executed by the AI agent with the same host-level privileges as the developer.
### Advanced Features
- **Security Tool Bypass**: Since the traffic originates from a legitimate Sentry domain and the execution is performed by an authorized AI agent, the attack typically bypasses EDR, WAF, and traditional network firewalls.
- **Context Awareness**: The attack leverages the AI's goal-oriented nature; it triggers specifically when a developer seeks diagnostic help, making it appear as a legitimate part of the debugging workflow.
## Indicators of Compromise
- **File Hashes**: N/A (Technique-based; payloads vary).
- **Network Indicators**:
- Unusual POST requests to `sentry[.]io` or organization-specific Sentry endpoints containing markdown/shell commands.
- Outbound connections from AI agent processes (e.g., Cursor, Claude) to unknown external domains for exfiltration.
- **Behavioral Indicators**:
- AI coding agents spawning abnormal child processes (e.g., `curl`, `env`, `ssh-add -L`).
- Sudden modification of `.env` files or SSH keys by an IDE-related process.
## Associated Threat Actors
- No specific groups identified yet; research conducted and disclosed by **Tenet Security**.
## Detection Methods
- **Behavioral Detection**: Monitor for unusual sub-processes spawned by AI IDEs or MCP servers. Specifically, look for CLI-based exfiltration commands.
- **Log Analysis**: Audit Sentry logs for error events originating from unexpected IP addresses or containing suspicious CLI-like syntax in the "Message" or "Context" fields.
- **Content Filtering**: Organizations can implement global filters to scan for specific strings or "instruction-like" patterns in incoming error reports.
## Mitigation Strategies
- **DSN Protection**: Treat Sentry DSNs with higher sensitivity, even though they are technically public; rotate them if they are suspected of being scraped.
- **Human-in-the-Loop**: Disable "auto-execute" features in AI agents. Developers must manually review every command the agent proposes before it runs.
- **Principle of Least Privilege**: Run AI coding agents in sandboxed environments or containers with restricted access to the host file system and environment variables.
- **Egress Filtering**: Restrict the ability of development tools to communicate with non-essential external domains.
## Related Tools/Techniques
- **Model Context Protocol (MCP)**: The protocol enabling the vulnerability.
- **Prompt Injection**: The underlying concept of manipulating LLM output.
- **Indirect Prompt Injection**: Using third-party data sources to influence LLM behavior.
- **Sentry**: The monitoring platform utilized as the delivery vector.