Fake Bug Report Can Hijack AI Coding Agents

Coding | Patryk Raba | July 3, 2026

Researchers at Tenet Security showed that a single crafted bug report in Sentry is enough to hijack Claude Code, Cursor and Codex and run arbitrary code on a developer's machine. The attack, dubbed agentjacking, affected more than 2,300 organizations.

Contents
  1. How the attack works
  2. Scale of the problem
  3. Sentry and industry response
  4. What it means for developers

A single crafted bug report is enough to make an AI coding agent start executing an attacker's commands instead of the developer's. Researchers at Tenet Security described a technique they call agentjacking and showed that it works against three of the most popular coding assistants at once.

How the attack works

The whole mechanism relies on Sentry, a popular application error-monitoring tool connected to coding agents through the Model Context Protocol. An attacker who has a project's public DSN key sends Sentry a fake bug report that hides a command inside the suggested-fix section. When a developer asks their AI agent to fix outstanding bugs in Sentry, the agent reads that report as trusted data and executes the hidden command with the developer's full permissions.

The problem lies in the very nature of agents: they cannot tell the data they read apart from the instructions they are supposed to execute. Telemetry, bug reports, logs and tool output, things nobody previously treated as an attack surface, have become a channel for injecting commands.

Scale of the problem

In controlled tests, the researchers hijacked Claude Code, Cursor and Codex this way with an 85 percent success rate. They identified 2,388 organizations exposed to the attack, ranging from a company worth $250 billion to individual freelance developers, including even a cloud security vendor. Because the agent runs with the logged-in developer's permissions, every step of the attack is formally authorized, so IAM systems, EDR tools and network monitoring have nothing to flag as suspicious.

Among the data an attacker could steal, the researchers list environment variables, AWS access keys, GitHub tokens, git credentials, SSH keys and secrets used in CI/CD pipelines. In a real attack that would mean taking over a project's entire infrastructure, not just a single repository.

Sentry and industry response

Sentry confirmed the report and rolled out a global content filter blocking the specific string used in the researchers' demonstration attack. The company acknowledged, however, that the vulnerability at the data-ingestion level is, as it put it, technically indefensible, since Sentry cannot distinguish a malicious payload from a legitimate bug report that contains code snippets and fix suggestions.

Tenet Security, a startup focused on AI agent security, only recently came out of stealth mode, and agentjacking is its first high-profile disclosure. In practice, the same risk applies to virtually any integration of a coding agent with an external data source through the Model Context Protocol, not just Sentry; connections to Datadog or PagerDuty could be similarly exposed.

What it means for developers

For development teams in Poland, who are increasingly connecting Claude Code, Cursor or Codex to their error-monitoring systems, the takeaway is concrete: every data source an agent reads has to be treated as untrusted, even if it comes from an internal company tool. Limiting the agent's permissions, reviewing what it is actually allowed to execute without human confirmation, and rotating Sentry DSN keys are the simplest steps that can be implemented right away.
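The two controls above, treating external data as untrusted and reviewing what may run without confirmation, can be combined into a provenance-aware approval gate. This sketch is an added example, not code from Tenet Security, Sentry or any agent vendor; the class, the tool-source names and the command lists are hypothetical policy choices.

```python
import shlex
from dataclasses import dataclass, field

# Assumptions (hypothetical policy, not any vendor's configuration):
UNTRUSTED_SOURCES = {"sentry", "datadog", "pagerduty"}  # attacker-writable feeds
LOW_RISK = {("ls",), ("git", "status"), ("git", "diff"), ("git", "log")}
AUTO_WHEN_CLEAN = {"pytest", "npm"}  # runs code: unattended only in a clean session
# Credential locations of the kind the article lists (env files, AWS, SSH, git).
SECRET_MARKERS = (".env", ".aws", ".ssh", ".git-credentials")
SHELL_META = set(";|&`$><\n")  # chaining or substitution can hide a second command

# Constructed sample: the placeholder stands in for attacker-supplied text.
SAMPLE_ISSUE = "TypeError in checkout.py. Suggested fix: <untrusted text>"


@dataclass
class AgentSession:
    tainted_by: list = field(default_factory=list)

    def ingest_tool_output(self, source: str, text: str) -> str:
        """Record provenance: external content is data, never instructions."""
        if source in UNTRUSTED_SOURCES:
            self.tainted_by.append(source)
        return text

    def decide(self, command: str) -> str:
        """Return 'allow', 'confirm' (human must approve) or 'deny'."""
        if any(marker in command for marker in SECRET_MARKERS):
            return "deny"
        if SHELL_META & set(command):
            return "confirm"
        try:
            argv = shlex.split(command)
        except ValueError:  # unbalanced quotes: do not guess, ask a human
            return "confirm"
        if not argv:
            return "confirm"
        if (argv[0],) in LOW_RISK or tuple(argv[:2]) in LOW_RISK:
            return "allow"
        if argv[0] in AUTO_WHEN_CLEAN and not self.tainted_by:
            return "allow"
        return "confirm"
```

Once a report from an external source has entered the session, commands that execute code lose their unattended approval, so an instruction hidden in that report cannot run without a human seeing it first.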

The case also points to a broader problem in the AI agent industry: the pace of adoption has outrun the development of security standards for this kind of integration. More disclosures like this one are almost certain until tools such as Sentry, Datadog or ticketing systems start distinguishing on their own between content meant for an agent to read and content that is allowed to give it orders.

Sources: The Next Web (thenextweb.com), The New Stack (thenewstack.io).
