News
Fake Bug Report Hijacked AI Coding Agents at Thousands of Companies
Tenet Security researchers showed that a single crafted bug report in Sentry can hijack Claude Code, Cursor, and Codex to run arbitrary code on a developer's machine. More than 2,000 organizations were vulnerable, including a company valued at $250 billion.
Contents
Security research firm Tenet Security has described a technique it calls agentjacking, which lets an attacker hijack AI coding agents through a single crafted bug report filed in Sentry, the popular application monitoring tool. In controlled tests, the attack successfully fooled Claude Code, Cursor, and OpenAI Codex, causing them to execute attacker-controlled code on the developer's own machine.
How the attack works
Sentry is an error-tracking tool used by more than 200,000 organizations, including GitHub, Disney, Anthropic, and Atlassian. Bug reports reach Sentry through a publicly accessible DSN key embedded in a website's code, with no authentication required. An attacker only needs to find such a key, then submits a crafted bug report containing a hidden section that describes a supposed fix for the issue.
When a developer asks an AI agent to fix the reported bug, the tool pulls the data from Sentry over the MCP protocol and treats it as trusted system information, unable to tell a genuine crash report from a crafted one. As a result, the agent carries out the hidden command, installing an npm package that steals environment variables, AWS keys, GitHub tokens, and SSH keys with the developer's own permissions.
Scale of the problem
According to Tenet Security, 2,388 organizations were vulnerable to this type of attack, meaning they had a publicly accessible and exploitable DSN key, ranging from one-person teams to Fortune 500 companies. The attack's success rate in the tested sample reached 85 percent, and among the confirmed victims that actually executed the malicious code was a company valued at around $250 billion.
The researchers stress that the attack bypasses conventional defenses, because from the perspective of access-control systems, firewalls, or EDR tools, every step in the chain is fully authorized. It is the AI agent itself, running with the developer's own permissions, that carries out the command, so none of the existing security tools have any reason to block anything.
Sentry's response and the patch
Tenet Security reported the issue to Sentry on June 3, and the company responded the same day, but instead of fixing the root cause, it limited its response to filtering specific strings that appear in malicious payloads. According to comments attributed to Sentry representatives, the underlying mechanism of passing content from external sources to AI agents is difficult to defend against within the tool's current architecture.
Tenet Security has released a free tool called agent-jackstop, offering ready-made configurations that make this type of attack harder to pull off in Cursor and Claude Code. It is a stopgap measure, since the fundamental problem, the inability of AI agents to distinguish input data from instructions to execute, remains unresolved across the industry.
What it means for companies using coding agents
The discovery comes as coding agents, from Claude Code and Cursor to China's ZCode, become a standard tool for developers worldwide, including in Poland. It shows that any channel through which an AI agent pulls in external data, error monitoring, documentation, customer tickets, can become an attack vector if the agent cannot tell information apart from a command.
For teams rolling out coding agents at their companies, this means treating integrations with external services over the MCP protocol as a potential attack surface, not just a convenient source of context. Until the industry develops lasting architectural safeguards, the main protection remains limiting the permissions AI agents are granted by default on developer machines.
Sources: Fake Bug Report Hijacks AI Coding Agents at Scale (darkreading.com), Agentjacking: a fake bug report hijacks AI coding agents (thenextweb.com), One Fake Bug Report Hijacked a 250B Company's AI Agent (tenetsecurity.ai)


