Researchers Hijack AI Coding Agents via Forged Sentry Error Events with 85% Success Rate
Published · updated · curated by AI Is Going Just Great
Source: cloudradix.com ↗
"The attacker never touches the victim's infrastructure. The malicious instruction arrives disguised as a legitimate 'Resolution' inside an ordinary error."
Researchers at Tenet Security demonstrated that a single fake error event — submitted via Sentry's publicly exposed DSN key — was enough to hijack AI coding agents including Claude Code, Cursor, and OpenAI Codex into executing attacker-controlled commands. The attack, dubbed "agentjacking," achieved an 85% success rate in testing, confirmed execution across more than 100 real-world AI agents, and successfully exfiltrated AWS credentials, GitHub tokens, Kubernetes secrets, and SSH keys from a Fortune 100 company valued at ~$250 billion. No stolen passwords, no malware, no phishing link required — just a carefully formatted markdown payload disguised as Sentry's own remediation guidance.
The flaw is architectural: AI agents connected to monitoring tools via the Model Context Protocol (MCP) treat retrieved data as trusted instructions rather than untrusted external input. Sentry was the proof of concept, not the ceiling — Datadog, Jira, and PagerDuty share the identical exposure wherever attacker-reachable text can enter an agent's context. Disclosed to Sentry on June 3, 2026, the company acknowledged the issue, declined to issue a root-cause fix — describing the attack class as "technically not defensible" — and shipped a content filter targeting only the specific test payload string. The structural problem remains open.