News
Fake Bug Report Hijacks AI Coding Agents in Agentjacking Attack

Researchers at Tenet Security showed how a single crafted bug report in Sentry can force Claude Code, Cursor, and OpenAI Codex to execute malicious code on a developer's machine. More than 2,300 organizations worldwide were found vulnerable.
Contents
The Tenet Security research team showed that a single crafted bug report submitted to the popular monitoring platform Sentry is enough to hijack AI coding agents and run arbitrary malicious code on a developer's machine. The attack, dubbed Agentjacking, worked in tests against Claude Code, Cursor, and OpenAI Codex, and researchers found more than 2,300 organizations worldwide with vulnerable access keys.
Sentry is one of the most popular application error-monitoring platforms, used by more than 200,000 organizations, including GitHub, Disney, Atlassian, and even Anthropic itself. The problem starts with what's known as a public DSN key, an identifier developers often leave directly in a site's frontend code, since it's meant solely to send error reports.
How Agentjacking Works
An attacker finds the target's public DSN key, then submits a crafted bug report to Sentry containing a malicious, markdown-formatted section with a fake suggested fix. When a developer later asks their AI agent to fix the reported bug, the MCP tool integrating the agent with Sentry pulls the full contents of the report and treats it as a trusted system instruction rather than data to be analyzed.
As a result, the agent executes the attacker's command with the developer's full privileges, installing an attacker-controlled npm package, running arbitrary shell commands, or reading local files. Because every step looks like an authorized user action, identity and access control systems and workstation threat-detection tools have nothing to flag.
Scale of the Problem
In controlled tests, researchers confirmed that more than 100 different agents executed the injected code, including Claude Code, Cursor, OpenAI Codex, agents running in CI/CD pipelines, and VS Code extensions. Among the 2,388 organizations identified with vulnerable DSN keys was a Fortune 100 company valued at roughly $250 billion, with victims spread across more than 30 countries, from corporations to independent developers.
The consequences of a successful attack included access to environment variables, AWS keys, GitHub tokens, SSH login credentials, and private repository addresses, all without phishing, server break-ins, or any user interaction beyond normal work with a coding agent.
Your telemetry has now become a remote code execution vector - Tenet Security researchers
Sentry's and the Industry's Response
Sentry confirmed the issue as early as June 3, 2026, but declined to fix it at the source, calling it technically indefensible. The company limited its response to deploying a content filter that catches specific, already-known malicious payload patterns, which does nothing to stop new variants of the attack.
Tenet released a free tool called agent-jackstop, ready-made configurations that harden Cursor and Claude Code against this class of attack. It's the second high-profile trust-boundary vulnerability in AI coding assistants in recent weeks, following the previously reported GhostApproval flaw, suggesting that agents' failure to distinguish data from instructions is a systemic problem rather than a bug in any single tool.
What It Means for Developers in Poland
For Polish development teams using Claude Code, Cursor, or Codex in daily work, Agentjacking is a signal to treat MCP integrations with external services, not just Sentry but any tool an agent queries for data, as a potential attack vector. A public DSN key in frontend code, standard practice for years, suddenly becomes a gateway to remote code execution on a developer's machine.
Recommended steps include limiting the privileges coding agents run with when working with external data sources, manually verifying fix suggestions pulled from automatically fetched bug reports, and considering DSN key rotation along with additional filters on one's own infrastructure, since Sentry has no plans for a systemic fix.
The case comes as more companies, including some Chinese tech giants, restrict AI agents' access to sensitive systems over fears of similar attacks. Expect other telemetry and monitoring platforms to have to rethink how they tag data coming from external users before it reaches an AI agent's context.
Sources: Agentjacking - coding agents with fake Sentry errors (tenetsecurity.ai), Fake Bug Report Hijacks AI Coding Agents at Scale (darkreading.com).


