Artificial intelligence coding agents are shaking up software development. They write code, fix bugs, and run commands. But what if those agents turn against you? What if a fake bug report tricks them into running attacker code on your machine? That’s exactly the threat researchers just uncovered. They call it “agentjacking,” and it’s a game changer in AI security.

The New Danger: Trusted Bugs Become Attack Vectors

Imagine an AI coding assistant that helps fix errors in your software. It pulls error reports from tools like Sentry, a popular error-tracking service. Developers rely on Sentry to catch bugs and suggest fixes. But here’s the catch — Sentry’s system lets anyone send error reports using a public key embedded in the app. This key is meant to be safe and open.

Attackers exploit this by sending fake error events loaded with hidden commands. These malicious commands look just like normal bug-fix advice. The AI agent reads the report and assumes it’s trustworthy. When you tell the agent to “fix unresolved issues,” it executes the attacker’s instructions with your full privileges. No malware needed. No stolen passwords. Just a cleverly disguised bug report.

This attack bypasses firewalls, endpoint detection, and identity controls because it uses authorized tools and permissions. The agent acts with what looks like legitimate intent. That’s why researchers call it the “Authorized Intent Chain.” It’s an attack hiding in plain sight.

How Agentjacking Works Step-By-Step

• First, the attacker locates the target’s Sentry Data Source Name (DSN), a public credential used to send error reports.
• The attacker sends a fake bug report to Sentry’s ingest endpoint, no password required.
• The report contains markdown that mimics the platform’s own remediation advice, fooling the AI agent.
• When the developer asks the agent to fix the errors, the agent fetches the fake report and runs the hidden attacker commands.
• The attacker gains control on the developer’s machine, able to access environment variables, cloud credentials, private repos, and more.

Tests showed an 85% success rate across major AI coding agents like Claude Code, Cursor, and Codex. Over 2,300 organizations were found exposed, from huge enterprises to solo developers. One fake bug can unlock a treasure trove of secrets, including AWS keys and CI/CD pipeline access.

Not the Only Threat: Symlink Hijacking and Prompt Injection

Agentjacking isn’t the only AI coding agent threat. Another attack, called SymJack, tricks agents by hiding symbolic links in repositories. These links redirect trusted file paths to attacker-controlled servers. When developers open these projects, the AI agent runs malicious code without realizing it.

Six major coding agents, including GitHub Copilot CLI and Gemini CLI, fell victim. The attack steals SSH keys, cloud tokens, and browser sessions. It exploits trust in file system paths and developer fatigue with multiple trust prompts. Developers click “approve” dozens of times a day — one click can unleash chaos.

Prompt injection remains a huge problem too. AI models treat all input as a single stream. Malicious text hidden in bug reports, documentation, or support tickets can hijack the agent’s behavior. These poisoned inputs can cause agents to leak secrets or execute harmful commands.

Why This Matters: AI Agents Are New High-Value Targets

Developer machines hold the keys to everything: source code, cloud consoles, and build pipelines. AI coding agents have powerful access to these resources. That makes them prime targets for attackers. One compromised agent can start a supply chain attack that spreads malware across many systems.

Current security tools often miss these attacks because they look like authorized activities. Agents run commands with developer privileges, so firewalls and antivirus software don’t flag anything unusual. The problem is the implicit trust AI agents place in the data they consume.

Enterprises rushing to adopt AI assistants must rethink security. Treating agents as privileged identities is crucial. Restrict what external data agents can execute. Use strict permission models and require human approval for sensitive commands. Monitor and log every agent action for audit trails.

Looking Ahead: Securing AI Agents for the Future

Agentjacking reveals a new frontier in software supply chain risk. The line between trusted data and executed code is blurring. AI agents bring incredible productivity but also broaden the attack surface. Security teams must focus on the moment an agent decides to act.

Future defenses will depend on controlling the Model Context Protocol — the interface AI agents use to fetch outside data. Platforms that monitor and restrict which tool servers agents trust will gain an edge. Developers need tools that show where code and commands really come from before approving them.

The AI revolution in coding is unstoppable. But it comes with new risks. Understanding attacks like agentjacking is the first step to taming this powerful technology. The future belongs to those who secure AI agents before attackers do.