Back to Intelligence

Agentjacking: Defending AI Coding Agents from Sentry-Based Code Injection

SA
Security Arsenal Team
June 12, 2026
6 min read

In the rapidly evolving landscape of 2026, AI coding agents have shifted from experimental tools to essential components of the software development lifecycle (SDLC). However, this automation has introduced a novel attack surface. Security researchers at Tenet Security have unveiled Agentjacking, a sophisticated attack class that tricks autonomous AI coding agents into executing arbitrary malicious code on developer machines.

By leveraging deceptive error reports ingested via Sentry, a popular open-source error-tracking platform, attackers can manipulate the "reasoning" of AI agents. When an agent attempts to debug an issue based on a fabricated stack trace, it may automatically execute "remediation" commands that are actually payloads. This post breaks down the Agentjacking mechanics and provides the detection logic and hardening steps required to secure your development infrastructure.

Technical Analysis

The Attack Vector: Agentjacking exploits the implicit trust AI coding agents place in error-tracking telemetry. The attack chain proceeds as follows:

  1. Injection: An attacker with access to a Sentry project (or via a compromised integration) creates a fake issue or error report.
  2. Deception: The error report includes a misleading stack trace and a "solution"—typically a shell command designed to look like a dependency fix or environment update.
  3. Execution: The AI coding agent (e.g., Cursor, Copilot, or custom autonomous dev bots) queries the Sentry API, retrieves the error, and autonomously executes the suggested command to resolve the issue.
  4. Compromise: The command executes malicious code, leading to credential theft, reverse shell establishment, or supply chain poisoning.

Affected Components:

  • Platforms: AI coding agents integrated with Sentry for telemetry.
  • Trigger: Malformed or malicious data within Sentry issue events.
  • Impact: Developer workstations and build environments where the AI agent has shell execution privileges.

Exploitation Status: As of June 2026, Agentjacking is a documented technique by Tenet Security. While specific CVEs have not been assigned (the issue lies in the logic of the AI agent and configuration of the telemetry ingestion), the potential for active exploitation in CI/CD pipelines is high. It represents a bypass of traditional static analysis because the command is injected dynamically during the "fix" phase.

Detection & Response

Defending against Agentjacking requires monitoring the behavior of AI agents. Specifically, we must detect when these tools spawn shell processes to execute commands derived from external telemetry.

Sigma Rules

The following rules detect the suspicious spawning of shells by common AI coding agent processes and the execution of network-based commands (curl/wget) often used in payload delivery.

YAML
---
title: Potential Agentjacking - AI Agent Spawning Shell
id: 8a4b2c1d-5e6f-4a3b-8c9d-1e2f3a4b5c6d
status: experimental
description: Detects AI coding agents spawning shell processes, which may indicate an Agentjacking attack where the agent is tricked into running a malicious payload.
references:
  - https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection_ai_tools:
    ParentImage|endswith:
      - '\Cursor.exe'
      - '\Code.exe'
      - '\Cursor Helper.exe'
      - '\github-copilot.exe'
  selection_shell:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate developer debugging initiated by the AI agent
level: medium
---
title: Agentjacking Payload Delivery - Network Tool Execution
id: 9b5c3d2e-6f7a-5b4c-9d0e-2f3a4b5c6d7e
status: experimental
description: Detects AI coding agents executing network retrieval tools (curl, wget) often used to fetch malicious payloads during Agentjacking.
references:
  - https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - 'Cursor'
      - 'Code.exe'
      - 'Copilot'
  selection_payload:
    Image|endswith:
      - '\curl.exe'
      - '\wget.exe'
      - '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  condition: all of selection_*
falsepositives:
  - Legitimate package installation or update by the agent
level: high

KQL (Microsoft Sentinel)

Use this query to hunt for process creation events where AI tools act as parents for suspicious command-line activity.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ParentProcessName has_any ("Cursor.exe", "Code.exe", "Cursor Helper.exe", "github-copilot.exe")
| where ProcessName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh")
| where CommandLine has_any ("curl", "wget", "Invoke-WebRequest", "IEX", "pip install", "npm install", "chmod +x")
| project Timestamp, DeviceName, AccountName, ParentProcessName, ProcessName, CommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for process lineage involving known AI agent binaries spawning shells.

VQL — Velociraptor
-- Hunt for Agentjacking indicators: AI tools spawning shells
SELECT 
    Pid,
    Name AS ProcessName,
    CommandLine,
    Exe,
    Username,
    Parent.Pid AS ParentPid,
    Parent.Name AS ParentName,
    Parent.Exe AS ParentExe
FROM pslist()
WHERE Parent.Name =~ "Cursor" 
   OR Parent.Name =~ "Code.exe" 
   OR Parent.Name =~ "Copilot"
   AND (Name =~ "cmd.exe" 
        OR Name =~ "powershell.exe" 
        OR Name =~ "bash" 
        OR Name =~ "sh")

Remediation Script (PowerShell)

This script audits the environment for the presence of common AI coding agents and checks if they are running with elevated privileges, a condition that exacerbates the risk of Agentjacking.

PowerShell
# Audit AI Coding Agents for Privilege Escalation Risk
Write-Host "[*] Auditing AI Coding Agent privileges..."

$targetProcesses = @("Cursor", "Code", "Cursor Helper", "github-copilot")
$foundIssues = $false

Get-Process | Where-Object { $targetProcesses -match $_.ProcessName } | ForEach-Object {
    $process = $_
    try {
        $user = (Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($process.Id)").GetOwner().User
        # Check if running as SYSTEM or Administrator (simplified check)
        if ($user -eq "SYSTEM" -or $user -eq "ADMINISTRATOR") {
            Write-Host "[!] ALERT: $($process.ProcessName) (PID: $($process.Id)) is running as high-privilege user: $user" -ForegroundColor Red
            $foundIssues = $true
        } else {
            Write-Host "[+] INFO: $($process.ProcessName) (PID: $($process.Id)) running as: $user" -ForegroundColor Green
        }
    } catch {
        Write-Host "[!] ERROR: Could not retrieve owner for PID $($process.Id)"
    }
}

if (-not $foundIssues) {
    Write-Host "[*] No high-privilege AI agents detected."
}

Remediation

To mitigate the risk of Agentjacking, organizations must treat AI coding agents as untrusted or semi-trusted components within the SDLC:

  1. Strict Permission Boundaries: Ensure AI coding agents do not run with administrative or root privileges. Utilize User Account Control (UAC) or sudo restrictions to prevent the agent from modifying system configurations or installing global packages.

  2. Sandboxing: Run AI coding agents in isolated containers or virtual machines. If an agent is compromised via a fake Sentry error, the blast radius is contained within the sandbox.

  3. Review Sentry Integrations: Audit all Sentry projects and integrations. Ensure that write access to error events is restricted to verified sources. Implement IP allow-listing for Sentry ingestion webhooks where possible.

  4. Disable Auto-Execution: Configure AI coding agents to require human confirmation before executing terminal commands. Most commercial agents (Cursor, Copilot) have a "safe mode" or approval workflow—enable it strictly.

  5. Network Egress Filtering: Restrict the outbound network access of development environments. AI agents should generally not need to access arbitrary external IPs, only trusted package repositories (e.g., npmjs.org, pypi.org).

  6. Vendor Updates: Monitor updates from your AI coding agent provider. Patches addressing prompt injection resistance and telemetry validation are expected to be released rapidly following this disclosure.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemagentjackingai-coding-agentssentry

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action