When you plug an AI assistant into your other software, it treats whatever those tools hand back as trustworthy instructions — and an outsider can stuff fake instructions into that pipe.

Trust Became The Attack Surface

What happened: Researchers at Tenet Security described an attack they call "Agentjacking" that tricks AI coding assistants — the helpers developers use to write and fix software, such as Claude Code and Cursor — into running an outsider's commands on the developer's own computer. The trick starts with Sentry, a widely used tool that catches error reports when an app crashes; anyone who finds a site's public Sentry submission key (its "DSN," a write-only credential often embedded right in a website) can file a fake error report. That fake report carries hidden instructions, and when a developer later asks their AI assistant to "fix unresolved Sentry issues," the assistant reads the planted text as legitimate guidance and runs it — exposing environment variables, Git credentials, private repository links, and developer identities, per the researchers.

What's really going on: The flaw is not a bug in any one product; it is the wiring between them. Sentry accepts error reports from anyone, and the connector that feeds those reports to an AI assistant — built on the Model Context Protocol, the emerging standard for letting agents pull in outside data — passes them along as trusted system output. The assistant has no way to tell a real crash from a planted one, so published data becomes an executable command. That is why Sentry, by the researchers' account, acknowledged the issue but declined to fix it as "technically not defensible," applying only a filter for one specific payload. The incentive driving the whole agent boom — connect the model to everything, let it act on what it reads — is the exact thing that makes this hard to undo: the more tools an agent can reach, the more mouths can whisper orders into it.

Why most people are missing this: They assume the danger is a compromised server or a phishing link, when here every step is authorized and nothing on the wire is technically malicious.

The Take: An AI agent that can't separate the data it reads from the commands it follows isn't a productivity tool — it's a remote-execution hole wearing a helpful face.

Why it matters: As companies wire agents into more of their internal tools, the published exhaust of normal operations — error logs, tickets, comments — becomes a delivery system for commands, and defenses built to catch malware will keep seeing nothing.

Source: https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html

The tension is between capability and containment: agents are useful exactly to the degree that they read outside data and act on it, and they are dangerous for the same reason. Capability is winning, because every company racing to deploy agents is rewarded for connecting more tools, not fewer. Containment loses quietly, because the safe option — treat all external data as untrusted — would strip the agent of the autonomy that made it worth buying.

In 1988, computer scientist Norm Hardy named the "confused deputy" — a program with real authority tricked by an outsider into misusing it. The agent here is that deputy, four decades later, with a far bigger keyring.

POST: AI coding agents are being sold as the new productivity layer. They are also the new attack surface. A fake error report — built from data a company publishes about itself — can make the agent run an outsider's code with the developer's own privileges, and it slips past firewalls because every action is authorized. The danger isn't malware anymore. It's trust.

TAKE: An agent that treats everything it reads as a trustworthy instruction isn't intelligent — it's gullible at machine speed, and we're handing it the keys.