**AI Coding Agents Hijacked at Scale: A New Threat Vector for Attackers**
In a disturbing demonstration of how easily attackers can exploit AI coding agents, researchers have shown that these tools can be hijacked to run arbitrary code on a developer’s machine by planting a single fake-error report in a public bug tracking service. This technique, dubbed “agentjacking,” has far-reaching implications for organizations that rely on AI coding assistants to streamline their development processes.
Tenet Security, the company behind this research, found that widely used AI coding agents such as Claude Code, Cursor, and Codex can be tricked into executing attacker-controlled code on a developer’s machine by retrieving poisoned error data from a fake error report. In a real-world attack, the consequences could include theft of sensitive credentials, manipulation of data, and compromise of development environments.
The researchers created a fake error report and submitted it to Sentry, a popular error tracking and application monitoring service used by over 200,000 organizations worldwide. By exploiting a publicly exposed Data Source Name (DSN), Tenet was able to inject the poisoned error report into a Sentry project, which then influenced an AI coding agent to run arbitrary code on the developer’s machine.
The problem lies in the inability of AI coding agents to differentiate between content and instructions. When an AI agent retrieves data from an external source, such as error logs or telemetry data, it treats everything as input, making it trivial for attackers to sneak in malicious instructions. This vulnerability is not limited to Sentry, but rather a fundamental flaw in the way many AI coding agents are designed.
“The takeaway isn’t ‘patch Sentry,'” says Barak Sternberg, CEO and co-founder of Tenet Security. “It’s that an agent can’t reliably tell data it reads from an instruction to act. And the data it reads now includes telemetry, logs, tickets, and tool output that nobody ever treated as an attack surface.”
This research has far-reaching implications for organizations that rely on AI coding assistants. The ability of attackers to hijack these tools at scale highlights a critical vulnerability in the development process, one that requires immediate attention from security teams.
To mitigate this risk, organizations should take steps to secure their AI coding agents and development environments. This includes implementing robust identity and access management controls, endpoint detection and response measures, and network controls that can detect and prevent malicious activity. Furthermore, developers should be trained to recognize the potential for agentjacking and implement additional security checks on any external data retrieved by AI coding agents.
Ultimately, this research serves as a stark reminder of the importance of prioritizing security in the development process. By acknowledging the vulnerability of AI coding agents and taking proactive steps to secure them, organizations can prevent the types of attacks that Tenet Security has demonstrated are possible with agentjacking.
Source: Dark Reading — 2026-06-30