Tenet Security researchers have described a technique they call “agentjacking”, in which a hostile actor plants malicious instructions inside a fake software error report and waits for a coding agent to read it during routine debugging. The attack does not require stolen passwords, malware on the developer’s machine or direct compromise of the target company’s systems. Its force comes from turning trusted workflow data into instructions that an agent treats as part of its task.
The proof-of-concept centres on Sentry, a widely used application monitoring platform that collects software errors, stack traces and diagnostic messages. Many websites expose a Sentry Data Source Name so front-end errors can be sent to the correct project. That design is not, by itself, a security flaw. Tenet’s argument is that a coding agent connected to the issue-tracking workflow may read attacker-supplied diagnostic text and interpret it as guidance for fixing a bug.
Researchers said a crafted event could look like a normal error report, complete with apparently helpful remediation steps. When an AI coding agent is asked to investigate the issue, it may follow those steps, install a package, run a command or modify code. If the agent has terminal access, repository access or local environment privileges, the attacker’s instructions can move from a text field into executable action.
Tenet said it tested the method under controlled conditions across more than 100 agent deployments and identified exposure among more than 2,300 organisations. The company said the pattern bypassed conventional controls because the activity appeared authorised: the agent was using permitted tools, acting under a developer’s identity and performing what looked like legitimate debugging work. That is why the researchers describe the weakness as an “authorised intent chain” rather than a conventional intrusion path.
The finding sharpens concern over the way coding agents are being added to developer environments. Tools such as Claude Code, Cursor, Gemini CLI, GitHub Copilot-style assistants, Cline and other agentic coding products increasingly move beyond autocomplete into planning, editing, testing and command execution. Their usefulness depends on access to repositories, terminals, package managers, logs, tickets and continuous integration systems. Those same connections create a wider attack surface when the model cannot reliably distinguish data from instructions.
Prompt injection has already been ranked as a leading risk for large language model applications because malicious or hidden input can alter an AI system’s behaviour. Coding agents raise the stakes because they can act on that altered behaviour. A poisoned bug report, dependency instruction, README file, support ticket or pull request comment may become an operational command once an agent ingests it.
Security researchers have warned throughout 2025 and 2026 that agentic systems are vulnerable to tool abuse, indirect prompt injection, data exfiltration and sandbox escape. Academic work on coding-agent attacks has also shown that poisoned “skills”, hidden scripts and manipulated tool descriptions can steer agents into unsafe behaviour even when the user’s original instruction is benign. The Tenet case adds a practical enterprise workflow to that list: error monitoring.
The Sentry angle is significant because error telemetry is routinely treated as diagnostic evidence rather than hostile input. Client-side reporting systems are designed to accept events at scale, and developers often rely on them to triage production failures quickly. If an agent is placed between the error report and the fix, the contents of the report become part of the model’s working context.
The risk is not limited to one monitoring platform. Any system that accepts outside-controlled text and later feeds it to an agent can become an entry point. That includes customer support systems, crash reports, GitHub issues, project-management tickets, chat logs, documentation sites and code comments. The common weakness is not the external system alone, but the decision to let an autonomous agent consume untrusted content while retaining permission to execute commands.
Defensive advice is moving away from simple prompt warnings. Telling an agent to ignore untrusted text may not be sufficient if the malicious instruction is embedded in a context that looks operationally relevant. Security teams are instead being urged to treat agents as privileged digital identities, restrict their permissions, isolate their execution environments, require human approval for risky commands, block automatic package installation, inspect tool calls and keep detailed audit logs of agent decisions.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
