A Public Sentry Key Is All It Takes to Hijack Claude Code, Cursor, and Codex: The New 'AgentJacking' Attack Vector

On June 17, the Threat Labs team at Tenet Security, a security startup for AI agents just out of stealth, documented a critical vulnerability affecting AI-assisted development tools like Claude Code, Cursor, and Codex. Dubbed 'AgentJacking,' the technique exploits public Sentry keys (DSN) to inject malicious commands into the agent's workflow, compromising code integrity and development environment security.

How Does AgentJacking Work?

The vulnerability relies on the fact that many AI tools, such as Claude Code, Cursor, and Codex, use Sentry for error collection and telemetry. The public Sentry key (DSN) is often exposed in source code or configuration files. An attacker can intercept this key and, through a malicious proxy, modify the AI agent's responses, injecting malicious code or altering the instructions received by the developer.

The attack requires no privileged access: it is enough for the developer to have a public DSN key in their repository. The AI agent, when sending telemetry to Sentry, can be redirected to a server controlled by the attacker, which responds with malicious instructions. This allows everything from stealing credentials to injecting backdoors into the generated code.

Impact on SysAdmins and DevOps

For system administrators and DevOps teams, this vector represents a new attack surface that must be managed. Generative AI tools are increasingly being integrated into CI/CD pipelines, and an exposed key can compromise the entire development flow. It is crucial to audit API keys and third-party services, especially those that enable bidirectional communication with AI agents.

Furthermore, this attack underscores the need to implement Zero Trust security policies for AI agents, treating them like any other system component. Monitoring outbound traffic and validating endpoints are essential measures to detect hijacking attempts.
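
As a starting point for the key audit and endpoint validation described above, the following added example (not code from Tenet Security or the source article) inventories Sentry DSNs found in a repository and checks each ingest host against an allowlist. The `ALLOWED_HOSTS` value, the function names, and the sample DSNs are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Sentry DSN shape: scheme://PUBLIC_KEY[:LEGACY_SECRET]@HOST[/prefix]/PROJECT_ID
DSN_RE = re.compile(
    r"https?://[0-9a-fA-F]{32}(?::[0-9a-fA-F]{32})?"
    r"@[A-Za-z0-9.\-]+(?::\d+)?(?:/[\w\-]+)*/\d+"
)
# Assumption: ingest domains this organization expects telemetry to reach.
ALLOWED_HOSTS = ("sentry.io",)

def find_dsns(text, path="<memory>"):
    """Return one finding per DSN in text, with the key redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in DSN_RE.finditer(line):
            url = urlsplit(match.group(0))
            host = url.hostname or ""
            findings.append({
                "path": path,
                "line": lineno,
                "key": url.username[:4] + "...",  # never log the full key
                "has_legacy_secret": url.password is not None,
                "host": host,
                "project_id": url.path.rsplit("/", 1)[-1],
                "host_allowed": any(
                    host == d or host.endswith("." + d) for d in ALLOWED_HOSTS),
            })
    return findings

def scan_tree(root):
    """Scan every readable file under root, skipping .git internals."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            try:
                findings += find_dsns(p.read_text(errors="ignore"), str(p))
            except OSError:
                continue
    return findings

KEY = "0123456789abcdef" * 2  # constructed value, not a real key
SAMPLE = (
    f'SENTRY_DSN = "https://{KEY}@o0.ingest.sentry.io/42"\n'
    f"dsn: https://{KEY}:{KEY}@telemetry.example.net/7\n"
    "docs: https://sentry.io/welcome/\n"
)

if __name__ == "__main__":
    for finding in find_dsns(SAMPLE, "sample.env"):
        print(finding)
```

Findings with `host_allowed` set to false or `has_legacy_secret` set to true are the ones to review first; `scan_tree(".")` runs the same check over a checked-out repository.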

Recommendations for Business

Companies adopting AI tools for development must establish clear secret management policies. It is not enough to hide keys in environment variables; keys must be rotated periodically and managed through secret management services like HashiCorp Vault or AWS Secrets Manager. Additionally, developers should be educated about the risks of exposing public keys in repositories.

The business impact can be severe: from intellectual property leakage to introducing vulnerabilities into final products. Organizations should include AI agent security in their security audits and consider adopting specialized security tools, such as those offered by Tenet Security.

Conclusion

AgentJacking is a reminder that security in the era of generative AI requires a proactive approach. SysAdmin and DevOps teams must collaborate to integrate security controls into the development lifecycle, from secret management to agent monitoring. As we have seen in previous articles like 'An agent is an LLM and a harness', the architecture of AI agents is complex and requires attention to every detail. Do not underestimate the power of a public key: it can be the gateway to a devastating attack.


Source: The New Stack. ForgeNEX analysis.
