Fake Bug Report Shows AI Coding Agents Can Be Turned Into an Enterprise Attack Path

Related

Share

What happened

Researchers at Tenet Security have demonstrated a new attack technique, known as “agentjacking,” that exploits AI coding assistants by feeding them malicious instructions hidden inside a fake software bug report.

In controlled testing, the researchers found that popular AI coding tools, including Claude Code, Cursor, and Codex, could retrieve poisoned error logs from Sentry and execute attacker-controlled commands on a developer’s machine.

The research centered on publicly exposed Sentry Data Source Names (DSNs), which allow applications to submit error telemetry without authentication. Tenet identified more than 2,300 organizations with exposed DSNs that could potentially be targeted.

According to Barak Sternberg, the attack does not rely on sophisticated exploits. Instead, it abuses the inability of today’s AI agents to distinguish between information they should read and instructions they should execute. Because the actions appear to come from an authorized developer, traditional security controls such as identity management, endpoint protection, and network monitoring may not detect the attack.

Who is affected

The research has implications for organizations using AI coding assistants alongside developer tools, issue trackers, and monitoring platforms. Enterprises that integrate AI agents with error logs, tickets, documentation, or other external data sources could be exposed if those sources are manipulated.

A successful attack could allow threat actors to steal cloud credentials, GitHub tokens, SSH keys, and CI/CD secrets. It could also provide access to private code repositories, cloud infrastructure, or software supply chains.

Experts, including Gene Moody, warn that organizations should treat AI agents as untrusted until they have undergone thorough security testing and are protected by strict operational controls.

Why CISOs should care

As AI agents become embedded in software development workflows, they introduce a new attack surface that existing security tools may struggle to monitor. Unlike traditional malware, these attacks manipulate trusted AI assistants into performing legitimate-looking actions using authorized user permissions.

The findings highlight that protecting AI-powered development environments requires more than securing infrastructure. Organizations must also secure the data sources AI agents consume and continuously monitor how those agents interpret and execute instructions.

3 practical actions

  • Require human approval before AI agents execute shell commands, install packages, or perform sensitive system actions.
  • Apply least-privilege access to AI coding agents and limit the external data sources they can access.
  • Monitor AI agent behavior in real time to detect when an agent’s actions diverge from the user’s original intent.

 

1524023125746
+ posts