Agentjacking: New attack method can hijack AI coding agents and steal sensitive data
What it really says
Security researchers at Tenet Security have uncovered a new attack class called 'Agentjacking' that can manipulate AI-powered coding assistants such as Claude Code, Cursor, and Codex. The attack exploits a vulnerability in the widely used error monitoring tool Sentry. Attackers inject malicious commands into Sentry error events; to the AI agents, these are indistinguishable from genuine remediation guidance. The AI assistants read these forged instructions and execute them automatically - a form of indirect prompt injection. The key to the attack is the Sentry DSN (Data Source Name), a publicly accessible credential embedded in websites. The researchers achieved an 85 percent success rate across the most popular AI coding agents and found at least 2,388 organizations with exploitable DSNs. Successful attacks can expose environment variables, Git credentials, private repository URLs, and developer identities. Tenet reported the vulnerability to Sentry on June 3, and the company acknowledged the problem but declined a fundamental fix, calling it 'technically not defensible'. Instead, only a filter for one specific payload string was added.
Our assessment
This story warrants a yellow rating because it reveals a real security risk with AI agents that does not directly affect the general public. The legitimate concern: AI coding agents that increasingly write code autonomously and access developer tools can be tricked into executing harmful commands through relatively simple manipulation. The 85 percent success rate is disturbingly high. However, the attack vector is very specific - it affects developers who use AI agents in combination with Sentry. For the broader public, the news is primarily relevant as a warning signal: the more autonomous AI systems become, the larger their attack surface grows. The fact that Sentry does not plan a fundamental fix shows that security infrastructure is not keeping pace with the rapid spread of AI agents. On the positive side, security researchers are actively seeking out and publicly disclosing these vulnerabilities.
Relevance for Germany
This news is relevant for Germany for several reasons. First, an increasing number of German companies and development teams use AI coding assistants - according to a Bitkom survey, over 40 percent of German software developers already use such tools. Second, the case shows that AI security extends beyond the EU AI Act: even when AI systems are developed in compliance with regulations, they can be compromised through external manipulation. Germany's Federal Office for Information Security (BSI) has been warning since 2025 about prompt injection attacks as one of the greatest threats in the AI space. Third, the question of liability for such attacks remains unresolved in Germany: when an AI agent exposes company data through agentjacking, who is liable - the AI tool provider, the developer, or Sentry?
Fact check
The Agentjacking vulnerability was discovered by Tenet Security and reported to Sentry on June 3, 2026. The findings were publicly disclosed in the week of June 16-20, 2026 and confirmed by several independent IT security publications including Infosecurity Magazine, The Hacker News, and Cybersecurity News. The 85 percent success rate and the figure of 2,388 affected organizations come from the Tenet Security research report. Sentry's response ('technically not defensible') was documented by Tenet and not disputed by Sentry.
Source
- https://www.infosecurity-magazine.com/news/agentjacking-attacks-hijack-ai/
- https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/
- https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html
- https://cybersecuritynews.com/agentjacking-attack-hijacks-ai-coding-agent/