Skip to main content
Home/Blog/Agentjacking: The Attack Your Security Team Hasn't Heard Of Yet
Agentic AI

Agentjacking: The Attack Your Security Team Hasn't Heard Of Yet

A new attack class called 'agentjacking' is exploiting AI coding agents with an 85% success rate across thousands of organizations. Here's what it is and what to do about it.

June 19, 2026·6 min read

Last week, researchers disclosed an attack that should be on every security leader's radar right now. It's called "agentjacking," and it works like this: attackers inject malicious instructions into Sentry error events — the kind your developers read every day. When an AI coding agent retrieves those events through an MCP connection, it executes the embedded instructions with full developer privileges. The reported success rate? Roughly 85% across 2,388 organizations tested.

Let that number sink in. Not a proof-of-concept in a lab. Not a theoretical risk. An active attack technique succeeding at scale, against real organizations, right now.

Welcome to the agentic AI security problem.

What Makes This Different From Every Threat Before It

I've spent 25 years in cybersecurity. I've watched threats evolve from simple viruses to nation-state campaigns to ransomware-as-a-service. What's different about the agentic AI threat isn't the sophistication of the attack — it's the speed and scope of the blast radius.

A human attacker who compromises a developer's credentials still has to operate manually. They move carefully, avoid detection, escalate privileges step by step. There are natural speed limits on what a human can do.

An AI agent doesn't have those limits. Once hijacked, it reasons, pivots, and escalates access autonomously — executing multi-step attack chains in the time it takes your security team to open a ticket. It can exfiltrate data, modify code, push commits, and access downstream systems before a single alert fires. We're talking about attacks that complete in seconds, not hours.

This is what OWASP flagged in their latest State of Agentic AI Security report: prompt injection now maps to six of their top ten vulnerability categories. Microsoft published a second version of their agentic AI failure-mode taxonomy, adding seven new categories drawn from a full year of red-team engagements — including tool abuse, excessive agency, and autonomy escalation. These aren't warnings about future risk. They're post-mortems from real incidents.

The Uncomfortable Truth About Your Current Security Posture

Here's what makes this particularly urgent for business leaders: your developers are almost certainly already using AI coding agents. GitHub Copilot, Cursor, Claude — these are mainstream tools now. And here's what the data shows: only 11% of production AI agents meet a baseline security bar.

That means roughly 89% of the AI agents operating in your environment right now have overprivileged access, weak credentials, insufficient monitoring, or some combination of all three. Your security team almost certainly has no accurate inventory of which agents exist, what they're authorized to do, or what data they can reach.

This isn't a technology problem. It's a governance problem. And it's happening right now, not at some future inflection point.

Three Things Business Leaders Should Do Immediately

I'm not going to pretend this is simple. But I can tell you what actually moves the needle.

First: take inventory. You cannot secure what you cannot see. Start by asking a simple question: what AI agents are operating in our environment right now? Who authorized them? What systems can they reach? Most organizations don't have answers to these questions. Get them.

Second: treat every AI agent like an employee, not a tool. Every agent should have a dedicated managed identity — not a shared API key. Its access should be scoped to exactly what it needs for its specific task. And that access should be audited the same way you audit privileged human accounts. The principle of least privilege applies to AI just as much as it applies to people.

Third: watch for prompt injection, not just traditional indicators. Your existing security tools look for known signatures, anomalous login behavior, and file system changes. They weren't built to detect an AI agent being manipulated through its input channels. You need to add monitoring specifically designed to detect when an agent is behaving in ways inconsistent with its defined task — taking actions it wasn't asked to take, accessing systems outside its scope, or generating outputs that don't match the workflow it was built for.

The Window Is Closing

I want to be honest about where we are. The tooling to defend against agentic AI attacks is still nascent. The frameworks are being written in real time — OWASP's report, Microsoft's taxonomy, the emerging MCP security standards. Organizations that start building governance and visibility now will be meaningfully ahead of those who wait.

But the threat is not waiting. Agentjacking works today. The 85% success rate isn't a projection — it was measured against real organizations this month.

The businesses that will come through this period intact are the ones that extend their security thinking — identity, access, monitoring, governance — to cover AI agents as first-class actors in their environment. Not as tools. Not as appliances. As autonomous agents that carry risk proportional to the access and trust they've been given.

If you're not sure where your organization stands, start with a conversation. We'll give you a straight answer.

Get Protected

Ready to strengthen your security?

TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.