**Fake Bug Report Hijacks AI Coding Agents at Scale**
In a disturbing demonstration of just how vulnerable AI coding agents have become to exploitation, researchers at Tenet Security have revealed that attackers can hijack these tools by planting fake error reports in public bug tracking services. This “agentjacking” technique has the potential to compromise not only sensitive data but also entire development environments.
The alarming reality is that a single fake error report can trick AI coding assistants into running arbitrary code on a developer’s machine, with far-reaching consequences. In controlled testing, Tenet Security found that widely used AI coding agents such as Claude Code, Cursor, and Codex were susceptible to this type of attack. These tools are designed to help developers identify and fix bugs in their code, but they lack the ability to distinguish content from instructions.
The researchers’ demonstration centered on Sentry, a popular error tracking and application monitoring service used by over 200,000 organizations worldwide, including major companies like GitHub and Disney. Tenet Security created a fake error report and submitted it to a Sentry project using a publicly exposed Data Source Name (DSN). The AI coding agents then retrieved the poisoned data and executed attacker-controlled code on the developer’s machine.
The potential damage from such an attack is staggering: compromised credentials could enable adversaries to access private source code repositories or cloud infrastructure, or even to poison software dependencies across entire organizations. The researchers’ findings are all the more concerning given that many organizations expose their Sentry DSNs so that client-side applications can report errors directly to Sentry.
The root of the problem lies in the inability of AI coding agents to distinguish between content and instructions. When these tools retrieve data from external sources, such as error logs or emails, they treat everything as input, with no boundary between data and commands, making it trivial for attackers to sneak in malicious instructions. This lack of discernment is a critical vulnerability that must be addressed.
“The takeaway isn’t ‘patch Sentry,'” says Barak Sternberg, CEO and co-founder of Tenet Security. “It’s that an agent can’t reliably tell data it reads from an instruction to act. And the data it reads now includes telemetry, logs, tickets, and tool output that nobody ever treated as an attack surface.”
In practical terms, this means that organizations must take immediate action to protect their development environments from such attacks. This involves not only implementing robust security controls but also educating developers about the potential risks associated with AI coding agents. By acknowledging the limitations of these tools and taking steps to mitigate their vulnerabilities, we can prevent the kind of catastrophic breaches that agentjacking has the potential to unleash.
As a starting point, organizations should review their exposure of Sentry DSNs and take steps to limit access to these services. Developers should also be aware of the risks associated with using AI coding agents and take necessary precautions to prevent unauthorized code execution. By taking proactive measures, we can ensure that AI coding agents are used safely and securely, without putting entire organizations at risk.
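One way to start the DSN exposure review described above is to inventory every DSN in your own repository and build output and note which ones ship to browsers. This is an added example, not code from Tenet Security or Dark Reading; the file paths, the suffix list and the sample DSNs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# DSN shape: scheme://public_key[:secret_key]@host[/path_prefix]/project_id
# Any host is accepted so self-hosted installs are found; expect some false positives.
DSN_RE = re.compile(
    r"https?://[0-9A-Za-z]+(?::[0-9A-Za-z]+)?@[0-9A-Za-z.\-]+(?::\d+)?(?:/[\w\-]+)*/\d+"
)
# Assumption: files with these suffixes are served to browsers in this project.
SHIPPED_SUFFIXES = (".js", ".mjs", ".html", ".map")

# Constructed sample input (path -> file text); in practice, read these from disk.
SAMPLE = {
    "dist/app.min.js": 'Sentry.init({dsn:"https://examplePublicKey@o0.ingest.sentry.io/0"});',
    "server/settings.py": 'SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"\n'
                          'OLD = "https://pubkey:secretkey@sentry.example.internal/sentry/7"\n',
}

def find_dsns(files):
    """Return one finding per distinct DSN, keyed by the DSN string."""
    findings = {}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in DSN_RE.finditer(line):
                url = urlsplit(match.group(0))
                entry = findings.setdefault(match.group(0), {
                    "host": url.hostname,
                    "project_id": url.path.rsplit("/", 1)[-1],
                    # Older DSN form that also embeds a secret key component.
                    "legacy_secret": url.password is not None,
                    "shipped_to_clients": False,
                    "locations": [],
                })
                entry["locations"].append(f"{path}:{lineno}")
                if path.endswith(SHIPPED_SUFFIXES):
                    entry["shipped_to_clients"] = True
    return findings

def report(findings):
    """Summarize findings without echoing the key material itself."""
    lines = []
    for e in findings.values():
        exposure = "PUBLIC (in shipped assets)" if e["shipped_to_clients"] else "internal only"
        secret = ", embeds legacy secret key" if e["legacy_secret"] else ""
        lines.append(f'{e["host"]} project {e["project_id"]}: {exposure}{secret}; '
                     f'seen at {", ".join(e["locations"])}')
    return lines

if __name__ == "__main__":
    print("\n".join(report(find_dsns(SAMPLE))))
```

Projects flagged as public are the ones whose events anyone holding the DSN can submit, so their contents are the ones to treat as untrusted before an agent reads them.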
Source: Dark Reading — 2026-06-30