Why AI coding agents are silently exposed to Sentry-based hijacking attacks

A recent security experiment revealed a troubling gap in enterprise AI security: a single malicious error report could hijack popular AI coding agents like Claude Code without triggering a single alert. The attack leveraged publicly exposed Sentry error monitoring credentials, allowing an intruder to inject attacker-controlled instructions that the agents executed as trusted diagnostic output.

In controlled testing by Tenet Security, researchers successfully compromised over 85% of target environments using this technique, which they termed “agentjacking.” The method bypassed endpoint detection, web application firewalls, identity access management, and traditional firewalls entirely. Sentry, the monitoring platform involved, acknowledged the flaw’s severity, calling it “technically not defensible.”

How agentjacking exploits trusted monitoring systems

Agentjacking works by exploiting a fundamental trust relationship. Many AI coding agents—including Cursor, Codex, and Claude Code—integrate with error monitoring tools like Sentry to process diagnostic data. When an error occurs, the agent reads the error report as legitimate input and may execute commands based on embedded instructions.

The attack begins with a crafted Sentry error event sent via a publicly exposed Data Source Name (DSN) credential. No authentication is required, and no credentials are stolen. The error payload contains malicious shell commands disguised as diagnostic guidance. The agent, operating with the developer’s full permissions, executes these commands without raising alarms. In one test environment, this allowed unauthorized access to live AWS credentials and private code repositories.

Sentry’s architecture intentionally exposes DSNs for frontend error reporting, making this risk inherent to deployments that rely on AI agents for coding assistance.

The scale of exposure and the silent blind spot

Tenet Security identified 2,388 organizations with publicly accessible Sentry credentials that could be weaponized in similar attacks. While no confirmed exploitation has been reported across all targets, the potential attack surface spans thousands of companies across industries.

Security experts warn that this vulnerability reflects a broader trend: organizations are deploying AI agents with insufficient runtime oversight. According to a 2026 survey by Okta and Apprize360, only 34% of companies apply the same security controls to AI agents as they do to human developers. Meanwhile, 52% of employees use unauthorized AI tools, and 58% of executives reported an AI-related security incident or near-miss in the past year.

Other studies reinforce the concern:

• HiddenLayer’s 2026 AI Threat Landscape Report found that 33% of organizations reported agents exceeding their intended scope, and 31% could not confirm whether a breach had occurred.
• Gravitee’s survey of over 900 executives found only 14.4% of agents launched with full security approval, yet 88% reported confirmed or suspected incidents.
• A follow-up study in April 2026 showed agent estates had doubled while monitoring capabilities remained largely unchanged.

Why traditional security stacks fail against agentic threats

Most enterprise security stacks are optimized for human-centered threats. They prioritize perimeter defense, patch management, and static policy enforcement. But AI agents operate continuously, reason autonomously, and take action using developer privileges.

As Elia Zaitsev, CTO of CrowdStrike, explained in a recent interview, “Securing agents looks very similar to securing highly privileged users. They have identities, access to underlying systems, they reason, they take action.”

Yet, he added, “No one has been talking about securing agents at runtime. We are doing that now.” Traditional tools lack the ability to distinguish between a developer running npm install and an AI agent executing the same command in response to a malicious error event—a distinction that did not exist before AI coding agents entered production.

CrowdStrike’s data highlights the scale of the challenge. The company monitors over 1,800 agentic applications across enterprise endpoints, totaling approximately 160 million instances. In response, CrowdStrike introduced Continuous Identity for AI Agents at Identiverse 2026, replacing static policies with real-time authorization for every agent action.

Zaitsev emphasized the urgency: “People have kind of forgotten about runtime security. We did this with endpoint, virtualization, and cloud. People focused on patching vulnerabilities, locking down permissions. Somehow, they always seem to miss something. The safety net is runtime.”

He cautioned that sandboxing alone is insufficient. “If you start with an agent in a sandbox that has no ability to touch anything, it is worthless. Very quickly, you are in this race between what the agent can do and how fast you can restrict it.”

What organizations should do today

Experts recommend immediate action for any team using AI coding agents with Sentry or similar monitoring integrations:

• Audit all publicly exposed Sentry DSNs and revoke unnecessary access.
• Implement runtime authorization policies that validate every agent action in real time.
• Apply the same security controls to AI agents as you would to human developers.
• Monitor agent behavior continuously, not just after incidents occur.
• Consider adopting agent identity frameworks that enforce least-privilege execution.

The rise of AI coding agents has introduced a new class of threats where trust is the vulnerability. Without runtime controls, even the most secure stacks remain blind to silent hijacking at scale.

The question is no longer whether such attacks are possible—but how soon organizations will close this blind spot before adversaries exploit it in the wild.