Agentjacking Bypasses All Security Controls in AI Coding Agents

Tenet Security disclosed a vulnerability class called agentjacking that allows attackers to inject malicious instructions into error data from services like Sentry, which AI coding agents then execute with full developer privileges. Testing achieved an 85% success rate across 100-plus targets, and 2,388 organizations were found with publicly exposed Sentry credentials vulnerable to this attack. The flaw bypasses all traditional security controls because every step in the attack chain is technically authorized.
TL;DR
- A single crafted Sentry error event can hijack Claude Code, Cursor, and Codex agents to execute attacker code with developer privileges
- Tenet achieved an 85% success rate in controlled testing and identified 2,388 organizations with publicly exposed Sentry credentials
- The attack bypasses EDR, WAF, IAM, and firewalls because it uses authorized API calls and trusted data sources
- Only 34% of organizations apply the same security controls to AI agents as to humans, according to an Okta/Apprize360 survey
Why It Matters
Agentjacking represents a new attack surface that existing security infrastructure cannot detect or prevent. Because AI agents execute commands as authorized users accessing trusted data sources, traditional perimeter and endpoint controls remain blind to the attack. This creates a systemic vulnerability across any organization running AI coding agents connected to monitoring and incident management platforms.
Business Impact
Organizations deploying AI coding agents face a gap between the privileges those agents hold and the security controls monitoring them. One captured Claude Code environment contained live AWS secret access keys and private repository URLs, demonstrating that agentjacking can expose production credentials and source code at scale. The Cloud Security Alliance classified this as a systemic MCP vulnerability class, signaling industry-wide risk.
Key Implications
- AI coding agents require runtime security controls distinct from traditional user and endpoint security, a gap the industry has not yet addressed
- Public DSN credentials for services like Sentry, Datadog, PagerDuty, and Jira create injection vectors that agents will trust as legitimate diagnostic output
- Organizations must audit publicly exposed credentials and restrict which data agents are allowed to act on, not just who can access that data
- The gap between agent deployment and security approval is widening, with agent estates doubling while monitoring barely moved, according to a Gravitee survey
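
As a starting point for the credential audit named above, the following added example (not from Tenet's disclosure or from Sentry) scans file contents for Sentry DSNs and lists the ones that sit in publicly served paths first. The `dist/` and `public/` prefixes, the sample files, keys, hosts and project IDs are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# DSN shape: scheme://PUBLIC_KEY[:SECRET]@HOST/[PATH/]PROJECT_ID, keys are 32 hex chars.
DSN_RE = re.compile(
    r"https?://[0-9a-f]{32}(?::[0-9a-f]{32})?@[A-Za-z0-9.-]+(?::\d+)?/(?:[\w-]+/)*\d+"
)
# Assumption: these path prefixes are served to browsers in this (hypothetical) repo.
PUBLIC_PREFIXES = ("dist/", "public/")

def find_dsns(path, text):
    """Return one finding per DSN in text, with the key redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in DSN_RE.finditer(line):
            url = urlsplit(match.group(0))
            findings.append({
                "source": path,
                "line": lineno,
                "host": url.hostname,
                "project_id": url.path.rsplit("/", 1)[-1],
                "key": url.username[:4] + "...",          # never log the full key
                "legacy_secret": url.password is not None,  # old key:secret form
                "public": path.startswith(PUBLIC_PREFIXES),
            })
    return findings

def audit(files):
    """Scan {path: content}; publicly served exposures sort first."""
    found = [f for path, text in files.items() for f in find_dsns(path, text)]
    return sorted(found, key=lambda f: (not f["public"], f["source"], f["line"]))

# Constructed sample input: keys, hosts and project IDs are placeholders.
KEY = "0123456789abcdef" * 2
SAMPLE_FILES = {
    "server/settings.py":
        f'DEBUG = False\nSENTRY_DSN = "https://{KEY}:{KEY[::-1]}@sentry.example.invalid/42"\n',
    "dist/app.js":
        f'Sentry.init({{dsn:"https://{KEY}@o000000.ingest.sentry.io/1111111"}});',
    "README.md": "No DSN here: https://example.invalid/1\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

Each finding identifies a project whose event stream an agent should treat as untrusted input, since anyone holding the DSN can submit events to it.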
What to Watch
Monitor for runtime security solutions designed specifically for AI agents, as CrowdStrike and others begin addressing the gap in agent-specific controls. Watch for policy changes from Sentry, Datadog, and other MCP-connected services around what data agents can access and execute. Track adoption of security controls that distinguish between developer commands and agent-initiated commands in response to external data.

