Since a lot of organizations keep adopting AI coding assistants to speed up software creation, security researchers are seeing something that feels new-ish, but still, it hits hard. The idea is that attackers aren’t only after the code or the network, they target the AI agent itself, the thing so many teams rarely question, and kinda just assume it’s safe.
Researchers at Tenet Security recently shared a technique they call Agentjacking. In plain terms, it’s a way to trick AI coding assistants into running attacker-controlled actions on a developer’s own machine. And yeah, the implications are broader than one tool or one vendor.
Because,as AI keeps getting woven into the software development lifecycle, it stops being “just assistance” and becomes, effectively, part of the overall attack surface. That’s the emerging cybersecurity reality researchers are pointing at.
How Agentjacking Actually Works
The whole attack leans on a trust gap between the AI coding agent and the outside services it uses to grab information.Basically, the agent believes those sources,or it treats what comes back from them as dependable context.
In the scenario that was demonstrated, researchers used Sentry, a common error monitoring platform. Attackers were able to provide specially crafted error messages. These messages look normal and believable once they’re pulled back by an AI coding assistant through connected tools and existing integrations.
Then, when a developer says something like, “Hey AI, please investigate this issue, or help resolve it,” the assistant might go and retrieve those malicious error reports. It then interprets them as trusted signals, like they’re instructions rather than bait.
From there, the AI agent can be nudged into doing unintended actions, and it does so using the developer’s own permissions. So the damage isn’t theoretical, it can actually be executed on the endpoint that the developer uses day to day.
Why This Is Extra Concerning
One reason this is so worrying is that it doesn’t depend on phishing emails, malware downloads, or any direct access into company infrastructure. Instead, the manipulation happens through data that appears legitimate to the AI system. It’s a kind of “credible enough” input that slips through because the agent is set up to trust what it reads.
Why this matters beyond AI
Agentjacking surfaces a wider issue hitting orgs that are moving into AI driven workflows—trust, like not in a vague way but in a day to day operational sense. Most traditional security setups still revolve around confirming who’s using what, where the device is coming from, which app is actually running, and so on. With AI though there’s another layer. Organizations also have to judge whether what the intelligent system is absorbing, and then acting on, is trustworthy or not.
When AI assistants are given access to source code, cloud environments, repositories, and development tools, a poisoned reasoning process can turn into a lot of downstream damage. Not instantly always, but enough that the cost shows up later, maybe in the form of bad changes, data exposure, or weird behaviors that are hard to trace.
This is why more organizations are putting money and time into Threat Modeling practices. The goal is to map out how these newer technologies can open up attack paths before someone else gets a head start.
The Growing Need for secure AI development
AI-assisted coding is changing how software gets built, and yes, it’s faster. But the pace should not become the excuse for skipping security. Development teams should look at things like
- how AI tools receive information, and from where it originates
- which outside systems they allow as trusted inputs
- what permissions AI-assisted workflows can actually reach
- how instructions are checked, and validated, before any execution
Also, regular secure code review still matters a lot, even when AI tools generate or tweak code. Human oversight stays important, because automated systems may miss risks that a person can spot , or at least flag quickly.
Building Governance Around AI
The Agentjacking research also highlights how governance matters a lot in AI adoption. A lot of organizations spend time on the AI capabilities, but they kind of forget the less-visible part, like how these systems should access , process, and talk to sensitive information. Setting up consent governance that’s actually strong and data management practices that are reliable, tends to keep organizations in the loop, so there’s visibility into how information moves across AI-enabled environments, and at the same time it helps satisfy compliance and accountability needs.
And as AI adoption keeps speeding up, governance is going to feel just as critical as innovation, maybe even more so.
Looking Ahead
Agentjacking might be one of the earliest cases where attackers target the trust relationships that help AI assistants function, but it’s probably not the last one. The big takeaway for organizations is pretty straightforward: securing AI systems is no longer just about guarding the models. It also means digging into the data, the integrations, the permissions, and those day to day workflows that end up shaping AI decision-making.
Organizations that pair solid security practices with workable governance, should end up in a better place to adopt AI safely. They’ll also maintain trust in the systems their teams depend on every single day.
Top comments (0)