DEV Community

jaryn
jaryn

Posted on

Agentjacking: A New Attack Targeting Claude Code and Cursor — Could Open-Source Tools Like monkeycode Help?

Agentjacking: A New Attack Targeting Claude Code and Cursor — Could Open-Source Tools Like monkeycode Help?

code on screen

Researchers recently disclosed a new attack class called Agentjacking that targets AI coding agents like Claude Code and Cursor. The technique, reported by The Hacker News, exploits trust in external services connected through the Model Context Protocol (MCP).

How it works

The attack works by poisoning error reports sent to services like Sentry. When the AI agent reads the fake error report, it sees markdown-injected instructions disguised as legitimate diagnostic guidance. The researchers claim an 85% success rate in getting agents to execute malicious code.

What makes this especially nasty is that it bypasses traditional security controls. The agent is not being exploited through a buffer overflow or a stolen credential. It is being tricked through a channel it implicitly trusts: a third-party error-tracking service.

Why MCP security matters now

MCP has become the default way for AI agents to connect to tools, databases, and APIs. That is great for capability, but it also means every connected service becomes part of the attack surface.

If you are running an agent that can read GitHub issues, query your database, and deploy code, a compromise in any one of those channels is potentially a full compromise.

My questions for the security community

  • Should MCP servers require authentication by default?
  • How do we sandbox AI agents so that a poisoned prompt cannot exfiltrate credentials or modify production?
  • Is the answer better prompts, better classifiers, or simply fewer permissions?

Could open-source tools change the trust model?

This is where I think open-source platforms like monkeycode become interesting. Because the project is AGPL-3.0 and self-hostable, teams can inspect how it connects to external tools, control the sandbox, and limit what any single agent is allowed to do. It is not a silver bullet, but it gives operators visibility that closed SaaS agents do not.


Have you started thinking about MCP and agent security? What controls are you putting in place?

Source: The Hacker News — Agentjacking Attack, summarized via Crescendo AI News

Top comments (0)