Agentjacking: New Attack Class Compromises AI Coding Agents with 85% Success Rate Across 2,388 Organizations
Published · curated by AI Is Going Just Great
Source: promptailearning.com ↗
The attack achieved an 85 percent exploitation rate... the malicious command was executed without the human developer being aware anything had happened.
Researchers disclosed a new attack class in June 2026 dubbed "Agentjacking," targeting AI coding agents like Claude Code, Cursor, and OpenAI Codex. The mechanic is grimly elegant: attackers craft fake Sentry error reports embedded with markdown injection that coding agents interpret as legitimate debugging instructions and dutifully execute. Since agents have been trained to trust structured input from familiar developer tooling sources, they don't distinguish a real error report from a poisoned one.
The attack achieved an 85% exploitation rate in testing and has reportedly hit 2,388 organizations — likely an undercount, since most victims wouldn't know to look for this specific pattern. As of disclosure, Anthropic, OpenAI, and Cursor had not published formal advisories. The fix, for now, falls entirely on teams: manually review external monitoring data before feeding it to an agent's context window, and audit any integrations that automatically ingest platform output. The researchers put it plainly: don't wait for an official patch.