Agentjacking: Exploiting Public Sentry DSNs for Code Execution in AI Coding Agents
This article details "agentjacking," a novel attack leveraging public Sentry Data Source Names (DSNs) to inject malicious commands into AI coding agents. It highlights a critical security vulnerability arising from the inherent trust AI agents place in external service output, demonstrating how a publicly exposed DSN can enable an attacker to execute code with developer privileges by crafting fake error reports.
Read original on The New StackThe "agentjacking" attack exploits a fundamental architectural assumption: that data from trusted external services, even error monitoring, will only be interpreted by humans or safely processed. AI coding agents, however, treat this data as executable instructions, turning a design decision (public DSNs for frontend error reporting) into a critical security flaw. This highlights the need for careful consideration of data provenance and interpretation when integrating AI agents into existing systems.
The Vulnerability: Public DSNs and AI Agent Trust
Sentry's Data Source Name (DSN) is designed as a write-only, public credential, safe for embedding in frontend JavaScript to report errors. This design was secure when humans were the primary interpreters of error logs. However, AI coding agents, connected via protocols like the Model Context Protocol (MCP), indiscriminately trust and act upon the data returned by such services. An attacker can find an exposed DSN, post a crafted error event to Sentry, and embed malicious commands disguised as resolution steps.
Authorized Intent Chain
The core of agentjacking is the "Authorized Intent Chain." Every step of the attack is authorized: the DSN allows writing to Sentry, Sentry processes the event, and the AI agent, following its programming, executes the "resolution." Traditional security controls like EDR, WAF, IAM, and VPNs fail to detect this because no unauthorized actions or credentials are used.