New "Agentjacking" Attack Exploits AI Coding Agents to Execute Malicious Code
A novel cyberattack dubbed "Agentjacking" has emerged, allowing threat actors to hijack AI-powered coding assistants such as Claude Code and Cursor and silently execute attacker-controlled code on developers' machines. The attack requires no phishing, malware delivery, or infrastructure breach, relying instead on a single injected Sentry error to compromise systems.
The exploit leverages Sentry’s public Data Source Name (DSN), a write-only credential commonly embedded in frontend JavaScript and indexed across the web. By manipulating this credential, attackers can turn trusted AI agents into an execution layer for malicious commands, bypassing traditional security measures.
The attack highlights critical risks in autonomous AI tools operating with full user privileges outside sandboxed environments. While the technique does not require direct access to a victim’s infrastructure, it underscores vulnerabilities in how AI assistants interact with external error-tracking systems.
Security researchers warn that this method could enable unauthorized code execution at scale, posing significant threats to developers and organizations relying on AI-driven workflows. The incident raises concerns about the security posture of AI integrations in software development pipelines.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7471608017684299776
Cursor TPRM report: https://www.rankiteo.com/company/anysphereinc
Claude Code TPRM report: https://www.rankiteo.com/company/anthropicresearch
"id": "anyant1781375050",
"linkid": "anysphereinc, anthropicresearch",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Software Development',
'type': 'Developers and organizations'}],
'attack_vector': 'Sentry DSN manipulation',
'description': "A novel cyberattack dubbed 'Agentjacking' has emerged, "
'allowing threat actors to hijack AI-powered coding assistants '
'such as Claude Code and Cursor and silently execute '
"attacker-controlled code on developers' machines. The attack "
'requires no phishing, malware delivery, or infrastructure '
'breach, relying instead on a single injected Sentry error to '
'compromise systems. The exploit leverages Sentry’s public '
'Data Source Name (DSN), a write-only credential commonly '
'embedded in frontend JavaScript and indexed across the web. '
'By manipulating this credential, attackers can turn trusted '
'AI agents into an execution layer for malicious commands, '
'bypassing traditional security measures. The attack '
'highlights critical risks in autonomous AI tools operating '
'with full user privileges outside sandboxed environments.',
'impact': {'operational_impact': "Unauthorized code execution on developers' "
'systems',
'systems_affected': "Developers' machines running AI coding "
'assistants (Claude Code, Cursor)'},
'initial_access_broker': {'entry_point': 'Sentry DSN manipulation'},
'lessons_learned': 'The incident raises concerns about the security posture '
'of AI integrations in software development pipelines and '
'the risks of autonomous AI tools operating with full user '
'privileges outside sandboxed environments.',
'post_incident_analysis': {'root_causes': 'Exploitation of publicly exposed '
'Sentry DSN credentials and lack of '
'sandboxing for AI coding '
'assistants'},
'references': [{'source': 'Security Research'}],
'title': 'Agentjacking Attack Exploits AI Coding Agents to Execute Malicious '
'Code',
'type': 'AI Agent Hijacking',
'vulnerability_exploited': 'Publicly exposed Sentry DSN credentials'}