VibeAudits
SecurityBlog Post

Agentjacking: A Fake Bug Report Can Hijack Your Agent

A fake Sentry error can trick AI coding agents like Claude Code and Cursor into running attacker code.

June 12, 2026
1 min read
Agentjacking: A Fake Bug Report Can Hijack Your Agent
Is your AI-built app exposed? Get a professional vibe coding audit and ship to production with confidence.

There is a new way to break into a company that skips the company entirely. No phishing. No stolen password. No malware on anyone's laptop.

The attacker just files a fake bug report and waits for your AI coding agent to read it. Researchers at Tenet Security call this Agentjacking, and it works against Claude Code, Cursor, and Codex.

How it works

Most production sites use Sentry to track errors. To send those errors, Sentry hands out a key called a DSN, and that key sits in the public JavaScript of the website by design.

Anyone who finds it can post their own "error" to your Sentry account. The attacker hides instructions inside a fake report, formatted to look like Sentry's own suggested fix: a section labeled "Resolution" with a command to run.

A developer asks their agent to fix the unresolved Sentry issues. The agent reads the fake resolution through its MCP connection, trusts it, and runs the command with the developer's own permissions.

That command grabs whatever it can reach, AWS keys, GitHub tokens, git credentials, private repo links, and ships them to the attacker. On screen, the developer sees a harmless line of diagnostic output.

Why it is hard to stop

The agent cannot tell the difference between data it reads and an instruction to act on. An error log is just text, and the model treats convincing text as guidance.

Tenet found 2,388 organizations with exposed DSNs. In testing across 100+ targets, the attack worked 85% of the time, from a Fortune 500 giant down to solo developers.

The worst part is what stays quiet. Firewalls, EDR, VPNs, and IAM see nothing, because every step is authorized. Reading Sentry was allowed. Running the command was allowed.

Prompting does not save you either. The agents ran the payload even when their system prompts told them to ignore untrusted data. Sentry was told and declined to fix it at the root, calling it "technically not defensible."

What founders should do

This is bigger than Sentry. Any MCP tool that returns outside data can become a delivery channel for instructions.

Then act on the answers. Treat anything an agent reads from outside as untrusted input. Give agents the narrowest permissions they need, and keep credentials out of reach of a stray command.

This is the exact failure mode we hunt for at VibeAudits. Scanners check your code. They do not reason about how your AI tools trust each other. That gap is where the damage lives, and it takes a human to find it.

VibeAudits

Security Experts

Worried your vibe-coded app has issues like this?

We run professional code audits for SaaS apps and AI features built with Cursor, Claude, Copilot, Lovable and Replit. We find the security and reliability problems before your customers (or attackers) do, then hand you a fix-ready report.