Published: · Region: Global · Category: cyber

Agentjacking Hack Threatens AI Coding Tools, Exposing New Cyber Weakness in Software Supply Chains

Security researchers say a new “agentjacking” technique can hijack AI coding assistants like Claude‑based tools and Cursor by planting fake Sentry error logs, achieving an 85% success rate in tests across more than 100 organizations. For developers, CISOs and AI vendors, the finding turns automated coding helpers into a potential backdoor into corporate software.

A quiet vulnerability in how AI coding assistants trust their tools has opened a new front in cyber risk. Researchers have disclosed an “agentjacking” attack that can hijack AI‑powered coding agents by feeding them forged Sentry error reports, tricking them into running attacker‑supplied code with developer‑level privileges — no phishing emails, malware downloads or server break‑ins required.

According to the research, the technique targets AI coding agents integrated with error‑tracking platforms such as Sentry. By planting crafted error messages that look like routine debugging information, attackers can steer agents like Claude‑based coding tools and Cursor into following malicious “fix” steps embedded in those logs. In controlled tests across more than 100 organizations, the researchers say, the attack worked roughly 85% of the time, giving them a way to execute arbitrary code in environments the agents could reach. The vulnerability resides not in a single vendor, but in the broader pattern of granting AI agents high trust in telemetry streams that are easier to falsify than traditional authentication mechanisms.

For developers, this turns a convenience tool into a potential liability. Many teams now let AI agents read logs, propose patches, and in some setups even apply fixes automatically in staging or production environments. If those agents treat error reports as ground truth without independent verification, a forged Sentry entry can become a Trojan horse, leading the AI to fetch and run code that looks like a legitimate remediation script. That puts not only application integrity at risk, but also API keys, customer data and internal source repositories the agent can access.

The human stakes stretch beyond developers’ screens. Companies increasingly rely on AI‑assisted coding to ship updates faster, including for products that touch hospitals, financial systems, critical infrastructure and consumer devices. A successful agentjacking attack against a widely used library or service could slip backdoors into software that runs in power grids, payment processors or city governments, turning what looks like an engineering workflow bug into a public‑safety or national‑security issue. For smaller firms that adopted AI tools to compensate for lean security teams, the risk is especially sharp: the assistant meant to help may quietly become the attacker’s inside man.

Strategically, agentjacking exposes a blind spot in how organizations are thinking about AI security. Much attention has focused on prompt injection — malicious instructions hidden in web pages or documents that models read. This new class of attack shows that telemetry and DevOps tooling can be just as dangerous if AI agents are wired to trust them implicitly. It also raises questions for regulators and policymakers pushing “secure by design” principles: how should liability and standards evolve when an AI system, not a human engineer, is the one that executes the compromised step?

For adversarial states and well‑resourced criminal groups, the opportunity is obvious. Instead of burning expensive zero‑days to break into hardened servers, they can aim to corrupt the data exhaust — logs, error messages, monitoring feeds — that modern AI agents ingest. From there, the agent does the hard work, turning an external nudge into internal code execution. That lowers the cost of attacking software supply chains and makes detection harder, because changes may appear as ordinary, AI‑generated patches in version control histories.

What happens next will depend on how quickly platforms and enterprises react. AI vendors can introduce stricter sandboxing for code execution, cryptographic verification of telemetry sources, and clearer boundaries around what agents are allowed to run without human review. DevOps and security teams will need to revisit their trust assumptions, segmenting environments so that even a hijacked agent has limited reach, and requiring multi‑factor checks before applying automated fixes to sensitive systems.

For now, the warning is stark: AI coding assistants are not just smart autocomplete for programmers; they are emerging system actors with real power over infrastructure. Treating them as such — with access controls, audit trails and adversarial testing — is no longer optional.

Key Takeaways

Outlook & Way Forward

In the near term, expect AI vendors and security teams to release patches, guidance and configuration changes aimed at limiting what coding agents can do without explicit approval. Organizations running such tools should audit where agents have direct access to production systems and error‑tracking feeds, and pare that access back where possible.

Longer term, agentjacking is likely to accelerate a shift toward formal AI security frameworks that treat agents as privileged processes subject to the same scrutiny as human administrators. Standards bodies and regulators may push for auditability, least‑privilege designs and red‑teaming of AI workflows, recognizing that the next major breach could begin not with a spear‑phishing email, but with a forged error log an over‑helpful bot decided to fix.

Sources

Related Coverage

GLOBAL

Ivanti Sentry Zero‑Day Exploit Puts Government and Corporate Networks on the Line

A newly disclosed Ivanti Sentry flaw is being mass‑exploited in the wild, with at least two internet‑facing servers already backdoored and U.S. federal agencies ordered to patch within days. For governments, banks, and any company running Ivanti’s mobile access gateway, the risk is no longer hypothetical: attackers are racing defenders to turn a remote‑code hole into persistent access deep inside sensitive networks.
GLOBAL

Interpol’s Sniper Dz Takedown Shows How Cheap Phishing Fueled a Decade of Global Fraud

A free phishing platform called Sniper Dz quietly armed cybercriminals for nearly 10 years with plug‑and‑play kits to mimic PayPal, Facebook, Netflix and more. An Interpol‑led operation has now dismantled the service and arrested 201 suspects across 13 MENA countries, exposing how low‑cost tools turned millions of people’s login habits into a lucrative attack surface.
GLOBAL

U.S. Plans to Scale Back NATO Air and Naval Assets Test Europe’s Defense Assumptions

Washington is preparing to cut a substantial share of the fighter jets, surveillance planes and naval forces it currently assigns to NATO in Europe, including shifting an aircraft carrier and missile submarine to other missions. For European governments already under pressure to rearm, the shift is a blunt signal: the U.S. security umbrella that deterred Moscow for decades is thinning, and Europe will have to move faster to cover the gap.
WARNING

Eastern Mediterranean Energy Center launched for offshore gas cooperation

Cyprus, Greece, Israel, and the US launched the Eastern Mediterranean Energy Center in Houston under the 3+1 Energy Dialogue, aiming to coordinate on offshore gas development, energy security, and decarbonization. While not an immediate volume change, it strengthens a cooperative framework that could accelerate East Med gas projects and associated LNG/pipe export options. The move is structurally bearish for long‑term European gas prices at the margin and supportive for regional infrastructure plays.
WARNING

US-Iran nuclear deal claims: US insists Hormuz will stay open

A senior US official stated that under the emerging agreement with Iran, nuclear materials will be destroyed, no funds released before compliance, and the Strait of Hormuz will remain open with no Iranian funding for terror groups. This comes alongside public US political pushback on leaked Iranian terms and comments by the US Energy Secretary that Washington will restore Hormuz flows with or without Iran. The messaging reduces immediate tail‑risk of a prolonged Hormuz closure but keeps headline volatility high.
WARNING

Ukraine drone strikes hit Afipsky refinery and Tolyattikauchuk plant

Ukrainian unmanned systems reportedly struck Russia’s Afipsky oil refinery in Krasnodar and the Tolyattikauchuk chemical plant in Samara on June 11–12. This continues a pattern of Ukrainian attacks on Russian energy and industrial assets and follows earlier confirmed damage at the Lazarevo pumping station. The news adds to upside risk for Russian product export flows and supports a modest risk premium in oil and refined products.