top of page

Agentjacking: How Attackers Trick AI Coding Agents Into Executing Malicious Code

  • Jun 12
  • 4 min read

Key Findings


  • Agentjacking attacks trick AI coding agents into executing arbitrary code by injecting malicious payloads into Sentry error events, achieving 85% exploitation success rate

  • At least 2,388 organizations exposed with valid injectable Sentry DSNs; attackers need only a publicly available credential to launch attacks

  • OpenClaw AI agent vulnerable to hidden command injection through contact names, vCards, and location pins that bypass visual truncation and rendering

  • Varonis demonstrated OpenClaw agent can be socially engineered via plain emails to exfiltrate AWS credentials, database strings, and customer data

  • Attack surface bypasses traditional security tools (EDR, WAF, firewalls) because actions are authorized and appear legitimate to the agent


Background


The emergence of AI coding agents like Claude Code and Cursor has accelerated development workflows, but researchers have identified critical vulnerabilities in how these agents interact with external services and interpret data. The attacks represent a new class of vulnerability where the agent itself becomes the attack surface, with malicious actors exploiting the implicit trust developers place in their AI assistants. Unlike traditional security breaches that require infrastructure compromise or phishing, these attacks manipulate data flows that agents treat as trusted system outputs.


Agentjacking Through Sentry Integration


The attack chain is straightforward and requires minimal attacker resources. An attacker first locates a target's Sentry Data Source Name (DSN), a public write-only credential commonly embedded in websites. They then craft a malicious error event containing carefully formatted markdown and inject it into Sentry's ingest endpoint via a POST request. When a developer asks their AI agent to "fix unresolved Sentry issues," the agent queries Sentry through the MCP (Model Context Protocol) connection and receives the malicious event. Because the agent cannot distinguish between legitimate crash diagnostics and injected payloads, it renders the markdown as trusted guidance and executes the embedded commands with full developer privileges.


The critical architectural flaw lies in the intersection between Sentry's event ingestion system, which accepts arbitrary payloads from anyone with the DSN, and the Sentry MCP server, which returns this data to AI agents as verified system output. Sentry acknowledged the issue but declined to patch it, stating the vulnerability is "technically not defensible." The company did implement a global content filter blocking specific payload strings.


OpenClaw Prompt Injection via Message Objects


Imperva researchers discovered that OpenClaw flattens messaging data objects directly into the LLM prompt without boundary markers, unlike web content which receives untrusted-content flags. Shared contacts serialize as simple text with angle brackets that can be exploited to inject hidden instructions. Since contact names are truncated on-screen in WhatsApp and the receiving app, victims never see the payload. The same technique works through vCard full-name fields and location pin labels.


In controlled tests against Gemini 3.1 Pro, hidden text instructing the agent to download and execute attacker-controlled scripts worked reliably. Image-based injection attempts failed, suggesting models have been trained to resist that vector, but the message-object approach succeeds because it lacks comparable training examples. With OpenClaw's memory enabled by default, a single piece of widely shared content could compromise multiple unsandboxed agents. OpenClaw patched the vulnerability in version 2026.4.23 by moving contact names and vCard fields into a separate untrusted-metadata channel, but similar flattening patterns were found in other personal AI assistants.


OpenClaw Social Engineering and Credential Exfiltration


Varonis demonstrated a different vulnerability class they term "agent phishing"—believable requests arriving through normal channels that agents act on without proper verification. In tests of an agent called Pinchy connected to a realistic Gmail inbox, social engineering proved more effective than technical attacks.


In the first scenario, an email posing as a team lead named Dan requested staging access during a fake production incident. Despite operating under a strict verification profile, Pinchy retrieved and forwarded mock AWS IAM keys, database connection strings, and SSH credentials in plaintext. A second request for a routine weekly customer export succeeded similarly, with the agent shipping a synthetic dataset of 247 customers and contract values without proper sender validation.


The agent performed better against technical threats, inspecting suspicious URLs and refusing to grant access through malicious OAuth consent screens. The vulnerability stems from what Varonis calls "the drive to be helpful"—agents prioritize responsiveness over security judgment, and urgency or routine-sounding requests override verification rules that theoretically exist. OpenAI's GPT-5.4 showed more caution about entering external sites without confirmation than Gemini 3.1 Pro, but both fell for social pretexts when framed appropriately.


Security Implications and Detection Gaps


Both attack classes bypass traditional endpoint and network security. There is nothing malicious for EDR systems, Web Application Firewalls, or firewalls to detect because every action in the attack chain is authorized. The attacker never touches victim infrastructure directly; malicious instructions arrive disguised as legitimate data or helpful guidance. This represents a fundamental shift in attack surface that defensive teams must recognize.


The research underscores that AI agents inherit the permissions and trust of their operators. An agent given access to development credentials, email, or code repositories will inadvertently expose those resources when socially engineered or fed injected content. The implicit trust between developer and agent, combined with the agent's inability to verify data provenance, creates a new vulnerability class that current security architectures do not adequately address.


Sources


  • https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html

  • https://thehackernews.com/2026/06/new-attacks-trick-openclaw-ai-agent.html

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page