Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

Tenet Security researchers have disclosed Agentjacking, a novel attack class that manipulates AI coding agents into executing arbitrary code on developer machines. The attack exploits how modern AI tools integrate with development workflows.

The attack vector relies on Sentry, a widely deployed error-tracking and performance-monitoring platform. Attackers craft malicious error reports within Sentry that appear legitimate to AI coding agents. When autonomous AI agents ingest these reports and attempt to resolve flagged issues, they execute the embedded malicious code without validation.

AI coding agents like GitHub Copilot, Amazon CodeWhisperer, and similar autonomous development tools increasingly operate within integrated toolchains. These agents pull context from multiple sources including error logs, repository data, and monitoring platforms. Agentjacking exploits this interconnection by poisoning the data streams these agents consume.

The threat targets developers directly. Compromised developer machines grant attackers access to source code repositories, credentials stored in local environments, and SSH keys. An attacker executing code through a poisoned error report gains the same privileges as the developer running the agent.

Organizations using Sentry alongside autonomous coding agents face elevated risk. The attack requires no credential compromise and works against default configurations. Developers may not recognize malicious code execution occurring through their AI tooling, as the agent presents it as a legitimate error resolution.

Remediation involves several approaches. Development teams should implement strict code review processes before accepting agent-generated solutions, particularly when agents pull context from multiple external sources. Sentry instances require access controls limiting which error reports agents can consume. Organizations should validate error tracking data integrity and monitor unusual error patterns that could indicate poisoned reports.

The Agentjacking disclosure highlights a broader security challenge as AI agents become embedded in developer workflows. These tools expand attack surface by connecting previously isolated systems. Security teams must treat agent integrations as trust boundaries requiring explicit validation rather