Agentjacking Attack Exploits AI Coding Assistants

Cybersecurity researchers have identified a novel attack method, termed ‘Agentjacking,’ that manipulates artificial intelligence (AI) coding assistants into executing unauthorized code on developers’ systems. This technique leverages the Sentry error-tracking platform to inject malicious instructions, which AI agents then interpret and run as legitimate commands.

The attack exploits a critical flaw in the interaction between Sentry’s event ingestion system and its Model Context Protocol (MCP) server. By sending specially crafted error events to Sentry using a target’s Data Source Name (DSN), attackers can embed malicious code within the error messages. When an AI coding assistant retrieves and processes these error reports, it inadvertently executes the embedded code, granting attackers access to sensitive information such as environment variables, Git credentials, and private repository URLs.

Tenet Security, the firm behind the discovery, outlined the attack sequence as follows:

  • Identify a target’s Sentry DSN, a public credential embedded in websites.
  • Send a malicious error event to Sentry’s ingest endpoint using the DSN.
  • Craft the error event with formatted markdown in the message field and context key names to mimic legitimate Sentry templates.
  • When a developer prompts their AI coding assistant to resolve Sentry issues, the assistant queries Sentry via MCP and retrieves the malicious event.
  • The AI assistant executes the malicious code, operating with the developer’s full system privileges.

This method is particularly insidious because it doesn’t require direct access to the victim’s infrastructure. Instead, it manipulates the trusted relationship between developers and their AI assistants, using Sentry’s DSN as the entry point. The malicious instructions are disguised within error messages, making them indistinguishable from legitimate guidance provided by Sentry.

Tenet Security’s research revealed that at least 2,388 organizations have exposed DSNs susceptible to this attack. In controlled tests involving over 100 organizations, the attack achieved an 85% success rate in exploiting AI coding assistants through injected errors.

Sentry has acknowledged the vulnerability but stated that a comprehensive fix is ‘technically not defensible.’ However, the company has implemented a global content filter to block specific payload strings associated with the attack.

As AI coding assistants become increasingly integrated into development workflows, this discovery underscores the need for heightened vigilance. Developers and organizations must scrutinize the security of their AI tools and the external services they interact with. Ensuring that AI agents can distinguish between legitimate and malicious inputs is crucial to maintaining the integrity of development environments.
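One way to act on this on the consuming side, as an added example that is not code from Tenet Security or Sentry: a pre-filter that audits a retrieved event's message field and context key names (the two places the attack sequence above puts its formatted markdown) before any text reaches the assistant. The event dict shape, the key-name policy and the `<untrusted-sentry-data>` wrapper are assumptions, and the patterns are heuristics rather than a complete filter.

```python
import re

# Markdown structure that a plain error message should not contain.
MARKDOWN = re.compile(
    r"(^|\n)\s{0,3}(#{1,6}\s|```|[-*]\s|\d+\.\s)|\*\*[^*]+\*\*|\[[^\]]+\]\([^)]+\)")
# Wording that addresses the reader as an operator instead of describing a fault.
INSTRUCTION = re.compile(
    r"\b(run|execute|paste|install)\b[^\n]{0,40}\b(command|script|terminal|shell|following)\b",
    re.I)
# Assumed shape of an ordinary context key name (hypothetical policy, tune per project).
KEY_OK = re.compile(r"[A-Za-z0-9_.\-]{1,64}")

def audit_event(event):
    """Return (field, reason) findings for one Sentry-style event dict."""
    findings = []
    msg = event.get("message") or ""
    if MARKDOWN.search(msg):
        findings.append(("message", "markdown formatting"))
    if INSTRUCTION.search(msg):
        findings.append(("message", "instruction-like wording"))
    for section, values in (event.get("contexts") or {}).items():
        inner = list(values) if isinstance(values, dict) else []
        for key in [section, *inner]:
            if not KEY_OK.fullmatch(key):
                findings.append(("contexts." + key, "unusual context key name"))
    return findings

def render_for_agent(event):
    """Hand the agent the message as delimited data, or withhold it if flagged."""
    findings = audit_event(event)
    if findings:
        return None, findings
    body = event.get("message") or ""
    # Hypothetical wrapper tag: marks the text as data, not instructions.
    return "<untrusted-sentry-data>\n" + body + "\n</untrusted-sentry-data>", findings

# Constructed sample events (not real Sentry data).
BENIGN = {"message": "TypeError: Cannot read properties of undefined (reading 'id')",
          "contexts": {"browser": {"name": "Chrome"}, "os": {"name": "macOS"}}}
SUSPECT = {"message": "## Resolution\n**Required:** run the following command:\n```\n<placeholder>\n```",
           "contexts": {"## Suggested fix": {"**Step 1**": "<placeholder>"}}}

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("suspect", SUSPECT)):
        text, found = render_for_agent(ev)
        print(name, "forwarded" if text else "withheld", found)
```

Withheld events are better routed to a human reviewer than silently dropped, since a flagged event is itself a signal that someone is writing to the project's DSN.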