AI Coding Agent Security Flaw Allows Attackers to Run Malicious Code
Researchers hijacked Claude Code using a fake error report sent through Sentry, exposing a vulnerability in AI coding agents connected to Sentry, Datadog, PagerDuty, and Jira.

A single fake error report hijacked Claude Code in controlled testing — the agent ran the attacker's code with the developer's full privileges, and not one alert fired. EDR, WAF, IAM, and the firewall all missed it completely. Tenet Security's June agentjacking disclosure describes a single crafted Sentry error event — sent through a public credential that requires no breach and no authentication — that injected attacker instructions into error data that Claude Code, Cursor, and Codex then executed as trusted diagnostic output.
Tenet tested 100-plus targets in controlled conditions and achieved an 85% success rate. Sentry called the flaw "technically not defensible." The Cloud Security Alliance classified agentjacking as a systemic MCP vulnerability class within days of the disclosure. No credentials were stolen, no policy was violated, no perimeter was breached: every step in the chain was authorized.
That is the problem. Tenet identified 2,388 organizations with publicly exposed Sentry credentials that could be used to inject malicious events at scale. The research is proof-of-concept, not confirmed exploitation across all 2,388.
But one captured Claude Code environment held a live AWS secret access key and private repository URLs. If your AI coding agents are connected to Sentry, Datadog, PagerDuty, Jira, or any MCP-connected data source your developers trust — and those agents can execute shell commands — then your stack has the same blind spot. Organizations running Sentry should audit all publicly exposed DSNs immediately.
Sentry's architecture intentionally makes DSN credentials public for frontend error reporting, so the mitigation isn't revoking the DSN — it's restricting what agents can do with the data those DSNs return. Agentjacking works because every step is authorized: The attacker sends a valid Sentry API call using a public DSN, the MCP server returns the injected event as authentic output, and the agent executes the instruction using the developer's privileges. No signature fired.
The victim saw only benign diagnostics while the agent silently exposed cloud credentials and source-control tokens. SOC teams have never needed to distinguish between a developer running an npm install and an agent running that command in response to a malicious error event. That distinction did not exist until AI coding agents became production tools.
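One way to act on the mitigation the article points at, restricting what an agent may do with data returned from a public-DSN source, and on the developer-versus-agent distinction it says SOC teams cannot yet make, is a taint-aware gate in front of privileged tools. This is an added example, not code from Tenet, Sentry or any agent vendor; the MCP server ids, tool names and session shape are assumptions.

```python
"""Taint-aware gate for MCP tool output (added example, not Tenet's or Sentry's code).

Assumption: any server in UNTRUSTED_SOURCES returns text an outsider can write (e.g. a
Sentry event submitted with a public DSN), so its output taints the session. A shell
command proposed while tainted is held for human approval and logged with its origin.
"""
from dataclasses import dataclass, field

# Illustrative MCP server ids for data sources anyone on the internet can write into.
UNTRUSTED_SOURCES = {"sentry", "datadog", "pagerduty", "jira"}
# Tools that act with the developer's privileges (assumed names).
PRIVILEGED_TOOLS = {"bash", "shell", "execute_command"}


@dataclass
class Session:
    tainted_by: list = field(default_factory=list)  # untrusted sources seen so far
    audit_log: list = field(default_factory=list)   # one record per gated tool call

    def record_tool_result(self, source: str, text: str) -> str:
        """Wrap third-party output as quoted data, never as instructions, and
        remember that the agent's context is now tainted."""
        if source in UNTRUSTED_SOURCES:
            self.tainted_by.append(source)
            return f"<untrusted source='{source}'>\n{text}\n</untrusted>"
        return text

    def gate(self, tool: str, args: dict, origin: str = "agent") -> str:
        """Return 'allow' or 'require_approval' for a proposed tool call.
        A developer-typed command is allowed; an agent-proposed privileged
        command after untrusted data is held for a human."""
        if tool not in PRIVILEGED_TOOLS or origin == "developer" or not self.tainted_by:
            decision = "allow"
        else:
            decision = "require_approval"
        self.audit_log.append({"tool": tool, "args": args, "origin": origin,
                               "tainted_by": sorted(set(self.tainted_by)),
                               "decision": decision})
        return decision


def demo() -> list:
    """Constructed exchange: a Sentry issue is fetched, then shell commands are proposed."""
    s = Session()
    s.record_tool_result("sentry", "TypeError: cannot read properties of undefined (constructed)")
    return [s.gate("bash", {"cmd": "npm install"}, origin="developer"),
            s.gate("bash", {"cmd": "npm install"}, origin="agent"),
            s.gate("read_file", {"path": "package.json"}, origin="agent")]
```

The audit log records origin and taint source for every privileged call, which is exactly the signal a SOC needs to tell an agent acting on an error event apart from a developer running the same command.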
The stack that cannot make that distinction is the stack agentjacking bypasses.
Five surveys, one pattern
Five independent surveys from the first half of 2026 found that enterprises trust their AI agents far more than their enforcement justifies. Only 34% of organizations apply the same security controls to AI agents as to humans, according to an Okta/Apprize360 survey of 292 executives and 492 knowledge workers.
Source: VentureBeat