Security researchers have identified a novel attack method, termed “Agentjacking,” that enables malicious actors to hijack AI coding agents by exploiting integrations with error monitoring services like Sentry. This technique allows attackers to execute arbitrary code on developers’ machines without traditional phishing or malware tactics.
The attack begins with the misuse of Sentry’s public Data Source Name (DSN), a write-only credential commonly embedded in frontend JavaScript and often indexed across the web. By leveraging passive reconnaissance methods such as JavaScript inspection and code searches, researchers identified thousands of organizations with injectable DSNs, including several high-profile entities.
With access to a DSN, an attacker can submit fabricated error events to Sentry’s ingest API, controlling various fields like messages, tags, context, and stack traces. Sentry processes these forged events as legitimate application errors, allowing attackers to inject controlled content into monitoring workflows.
The critical vulnerability lies in the integration between Sentry’s event ingestion pipeline and the Model Context Protocol (MCP), which feeds error data back to AI coding agents as trusted system output. Attackers can embed crafted Markdown into injected errors, particularly within message and context fields, to influence how content is displayed to AI agents. This content can mimic legitimate Sentry “Resolution” sections, making it indistinguishable from genuine remediation guidance.
When a developer instructs their AI agent to address unresolved Sentry issues, the agent queries Sentry via MCP, retrieves the crafted event, and interprets the attacker’s command as legitimate diagnostic steps. This leads the agent to execute commands under the developer’s full local privileges. For instance, a proof-of-concept payload directed agents to run an npx command that pulled a controlled validation package from the public npm registry, which then probed environment variables and configuration files, sending exposure metadata back to an attacker-controlled server.
In controlled campaigns, researchers confirmed over 100 instances of real-agent execution across various organizations, including Fortune 500 companies, hosting providers, and individual developers. The attacks successfully exposed sensitive information such as cloud credentials and source-control data, all while the victim remained unaware, seeing only benign diagnostics.
To mitigate such risks, organizations should implement stringent validation of error monitoring integrations, ensure that AI agents treat external data sources with caution, and establish robust monitoring to detect unauthorized code execution. As AI coding agents become more integrated into development workflows, securing these tools against novel attack vectors like Agentjacking is imperative to maintain the integrity and security of software development environments.
