If your team is using AI coding agents, this is worth reading before your next sprint.

Security researchers at Tenet Threat Labs disclosed a new class of attack in June 2026 they call “agentjacking.” The technique hijacks Claude Code, Cursor, OpenAI Codex, and other AI coding agents into running attacker-controlled commands on developer machines, with no phishing required, no malware to install, and no security tool that can catch it.

The attack has already been confirmed against 2,388 organisations, from Fortune 100 companies down to solo developers, with an 85% success rate across the agents tested.

How It Works

The attack chain starts with Sentry, the popular error-tracking and application monitoring tool used by hundreds of thousands of development teams. Sentry lets any application send it error reports using a public key called a Data Source Name, or DSN, which sits openly in website JavaScript by design. That openness is the vulnerability.

An attacker who finds your Sentry DSN, which is freely available in your public frontend code, can craft a malicious error event and push it into your Sentry workspace. The payload looks exactly like a legitimate error report with diagnostic guidance. When your AI coding agent reads it through the Sentry MCP server as part of debugging or investigation, it interprets the attacker’s instructions as trusted system output and executes them.

That single action can steal CI/CD pipeline credentials, access private source code repositories, compromise cloud infrastructure, and establish persistent backdoor access. Nothing in the chain is technically unauthorised. The agent is doing exactly what it was asked to do, because it cannot tell the difference between real Sentry guidance and an attacker’s payload.

Why This Is Harder to Defend Than It Looks

The research team tested the attack against Claude Code, Cursor, and OpenAI Codex. All three were vulnerable. The 85% success rate held across agents, which means this is not a quirk of one tool’s prompting, it is a structural problem at the intersection of how Sentry ingests data and how AI agents consume it.

Sentry was notified on June 3, 2026. Their leadership responded the same day, acknowledged the issue, and declined to fix it at the root, describing it as “technically not defensible” because the DSN is intentionally public. The recommendation from Sentry was that model vendors should run middleware against these attacks.

No firewall catches this. No EDR catches it. IAM controls and VPNs are not relevant. The attack bypasses everything because it uses fully authorised channels.

What Businesses Running AI Agents Should Do Now

Tenet open-sourced a tool called “agent-jackstop,” a set of drop-in configuration files that harden Claude Code and Cursor against this attack class by reducing how much agents trust log and telemetry data during autonomous operation.

Beyond that specific tool, there are broader practices worth implementing:

Limit agent autonomy over external tool output. AI coding agents should not execute commands sourced from external monitoring systems without a human confirmation step. That is true for Sentry, log aggregators, and any tool where external parties can write to your data stream.

Audit your Sentry DSN exposure. If your DSN appears in public JavaScript, it is exposed. This is expected by design, but you should now treat it as a potential attack surface for any AI tooling that reads from your Sentry workspace.

Treat agentic sessions as a privilege. The same least-privilege approach you apply to CI/CD pipelines applies to AI agents. An agent running with broad repo access, cloud credentials, and external tool integrations is a significant attack surface.

Keep humans in the loop on anomalous errors. If an AI agent surfaces an error event with an unusual remediation suggestion, especially one involving command execution or credential access, that warrants human review before the agent acts.

What This Means for Business

Agentjacking is the kind of vulnerability that tends to be underestimated because it does not look dramatic. There is no exploit code, no obvious intrusion, and no alert. An AI agent simply does what it was told to do, by someone who was not supposed to be doing the telling.

For businesses adopting AI coding agents at scale, this signals that agent security is not an afterthought. The same rigour you apply to access controls and code review needs to extend to the inputs your agents consume and act on. That includes error trackers, log files, third-party APIs, and any channel where unverified data can reach an agent that has permission to act.

The AI coding agent market is still maturing, and the trust assumptions baked into early integrations were not designed with adversarial inputs in mind. Agentjacking is a reminder that as these tools gain more access and autonomy, their attack surface grows with them.

The good news is that the defences are practical. You do not need to stop using AI coding agents to protect against this. You need to rethink what they should and should not be allowed to act on without a human in the loop.