Tenet's 'Agentjacking' research turns Sentry error data into a prompt-injection vector for AI coding agents

Security firm Tenet has published research on an indirect prompt-injection attack against AI coding agents that hides its payload inside Sentry error data, per DevOps.com. The operational read is short. Any third-party telemetry an agent ingests is now untrusted input, on the same footing as a user-controlled HTTP header. Tenet's name for the technique is "Agentjacking."

The mechanism is the familiar indirect-injection shape. The agent's context window does not distinguish between system instructions, the developer's task, and the strings it slurped out of a telemetry feed. If those strings carry plausible-looking imperatives — and an error report is one of the easier surfaces on which to plant them, since an attacker can often trigger a recorded exception from outside the application — the agent treats them as instructions. With a shell tool wired up, the next step is code execution. The Tenet proof of concept makes that step concrete with Sentry as the vector.

What this changes for the CI/CD owner

Two things. The trust boundary moves. The agent's input stream is now in scope for threat modelling, and the live question is which feeds — error trackers, log aggregators, ticketing systems, on-call dashboards — can carry attacker-controlled bytes. Almost all of them can.

The mitigation, accordingly, is not at the model layer. It sits at the tool layer: scope the shell, require human approval on side-effecting actions, isolate the agent's runtime from the systems it can read about, and never let the same identity that ingests telemetry also push to production. The pitch for these agent-in-the-loop setups has been latency — faster triage, less paging — and that pitch quietly assumed the telemetry feeding the agent was benign. Agentjacking is the demonstration that it is not.

For teams that have already started wiring agents into the build-failure loop, the residual caveat is that nothing in this research is Sentry-specific. The class of bug is the agent's input stream, and the patch is not a vendor release. It is a re-draw of the trust boundary the platform team is now on the hook to maintain.