Your AI coding assistant might be taking orders from someone else. Tenet Security disclosed a new attack vector called “Agentjacking” on June 12, one that successfully hijacked AI coding agents 85% of the time during controlled testing, all without tripping a single security alarm.

The attack targets a surprisingly mundane piece of infrastructure: Sentry Data Source Names (DSNs), the public endpoints that error-monitoring tools use to collect crash reports and telemetry data. Tenet’s researchers found that by injecting crafted fake error reports through these exposed DSNs, attackers can trick AI coding agents into executing arbitrary code on developer machines with full user privileges.

How Agentjacking actually works

Sentry DSNs are designed to be public and write-only. They’re meant to receive error reports from applications running in production. The problem starts when AI coding agents integrate with Sentry through the Model Context Protocol (MCP) and treat incoming telemetry data as trusted output. The AI agent sees what looks like a legitimate error report, assumes it came from a real application crash, and acts on the instructions embedded inside it. Those instructions can include arbitrary code that runs with whatever permissions the developer has on their machine.