A developer opens their AI coding agent and types a routine request: "fix the unresolved Sentry issues." The agent queries Sentry through its MCP connector, pulls back an error event, and gets to work. Nothing about the request looks unusual. But the error event itself was never generated by a real crash — it was submitted by an attacker directly to Sentry's public ingest endpoint, formatted to look like structured system output. The agent reads it, follows the embedded instructions as if they came from the developer, and executes the attacker's code with the developer's full local privileges. No phishing email, no malicious download, no click required. The attack is called Agentjacking, and researchers who disclosed it in June 2026 found at least 2,388 organisations exposed with injectable configurations, testing successfully against more than 100 of them with an 85% exploitation rate across some of the most widely used AI coding assistants on the market.
Agentjacking is not an isolated exploit against one product. It is a demonstration of a structural weakness in how AI agents are built: they cannot reliably tell the difference between an instruction from their user and an instruction hidden inside data they retrieve on that user's behalf. Every business deploying an AI agent that reads tickets, emails, documents, search results, or API responses is running the same architecture that made Agentjacking possible — whether or not it has been tested against it yet.
How the attack works
The attacker sends a POST request to a public Sentry ingest endpoint containing a fabricated error event. The message field and context keys are formatted with markdown that renders — when returned through the MCP server to the AI agent — as content visually and structurally identical to Sentry's own system output. The agent has no reliable way to distinguish "data returned by a tool" from "instructions from my operator," so it treats the injected text as a legitimate command and executes it.
Why This Is Bigger Than AI Coding Assistants
The reason Agentjacking travelled fast through security research circles is that the underlying flaw — indirect prompt injection through tool output — applies to any agent architecture where an AI model consumes content it did not itself author and treats that content as trustworthy. A customer service agent that reads inbound support tickets is vulnerable if a ticket can contain formatted text designed to look like an internal system directive. A document-processing agent that extracts data from uploaded PDFs is vulnerable if a PDF can embed instructions in metadata or hidden text. A research agent that browses the web on your behalf is vulnerable to any page it visits. The attack surface is not "AI coding tools" — it is every integration point where an agent hands external content back to the model as part of its own reasoning.
This is precisely why security researchers describe AI-powered defensive agents — tools built to catch malicious code, triage alerts, or run automated penetration tests — as the most dangerous category to get this wrong. An agent with shell access, credential access, and system-modification permissions that can be redirected by content it reads is not a productivity tool with a bug. It is a fully privileged attacker with a legitimate login, and it will follow injected instructions exactly as faithfully as it follows real ones.
A Realistic Scenario: The Support Agent That Escalated Itself
Consider a mid-sized SaaS company that deployed an AI agent to triage inbound support tickets: categorise the issue, pull relevant account data from the CRM, and either resolve simple requests directly or escalate complex ones to a human with a summary. The agent had read access to the CRM and the ability to issue account credits up to a defined threshold without human approval — a reasonable-sounding permission, scoped to reduce response time on refund requests. An attacker submitted a support ticket containing what looked like a routine billing complaint, with additional text formatted to resemble an internal escalation note: instructions telling the agent to treat the account as VIP-tier and issue the maximum allowed credit immediately, then mark the ticket as resolved without human review. The agent, unable to distinguish the embedded instruction from a legitimate system note, complied. The company caught the pattern three days later during a routine reconciliation, after the same technique had been used against six other accounts.
Nothing about this scenario required a sophisticated attacker or a zero-day exploit. It required an agent with a permission that made business sense in isolation, no verification step between "instruction found in customer-submitted content" and "action taken," and no anomaly monitoring on the agent's own behaviour. This is the pattern behind nearly every agent-related incident reported in 2026: not a flaw in the model, but a gap in the scaffolding around it.
The Defence Framework: Treat Every Agent Like a Privileged Account
The fix for indirect prompt injection is not a smarter model — no model reliably distinguishes trusted instructions from injected ones with 100% accuracy, and treating that as solvable is how organisations end up exposed. The fix is architectural, and it mirrors how security teams have handled privileged human accounts for decades.
- Least-privilege scoping — every agent gets the minimum permissions required for its task, not the permissions that are convenient. An agent that reads support tickets does not need write access to billing systems by default.
- Human approval on consequential actions — any action with financial, legal, or irreversible impact (credits, refunds, deletions, external communications, code deployment) routes through a human checkpoint, regardless of how routine the agent judges it to be.
- Content provenance separation — tool outputs, retrieved documents, and third-party content are architecturally tagged as untrusted data, never merged into the instruction context in a way the model treats as operator commands.
- Anomaly monitoring on agent behaviour — baseline what "normal" activity looks like for each agent and alert on deviation, the same way you would monitor a service account with elevated access.
- Audit logging with replay capability — every agent action is logged with enough context to reconstruct exactly what data the agent saw and why it acted, so an incident can be diagnosed in hours, not weeks.
None of this requires abandoning agent automation — it requires designing it the way you would design access for a new hire with broad system permissions and no track record yet. The organisations that avoided the worst outcomes from Agentjacking-style attacks in 2026 were not the ones with the most advanced models. They were the ones that had already scoped their agents' permissions defensively, before an incident forced the question.
Where Wizeb Comes In
Wizeb builds AI agents with the assumption that every piece of content an agent reads is a potential attack vector, not an afterthought bolted on after deployment. Every agent we deploy is scoped to least-privilege permissions from day one, with consequential actions routed through explicit approval gates and full audit logging on every decision. Where clients are running agents built elsewhere, we run a dedicated AI agent security audit: mapping every tool connection and permission the agent holds, testing its resilience against indirect prompt injection using the same techniques disclosed in the Agentjacking research, and delivering a prioritised remediation plan that closes the highest-risk gaps first.
Agentjacking will not be the last indirect prompt injection technique disclosed this year — it is a structural weakness in how agents consume external content, and new variations will keep surfacing as agents get deployed into more systems. The organisations that stay ahead of it are the ones that architect for it now, rather than waiting for their own incident. Visit wizeb.com/services/ai-agents to have your agent permissions and tool integrations audited before an attacker finds them first.
Audit your AI agents before an attacker does
Wizeb's AI agent security audit tests your deployed agents against the indirect prompt injection techniques behind Agentjacking and related 2026 disclosures, maps every permission and tool connection to its actual risk, and delivers a prioritised remediation plan. Most audits surface at least one over-permissioned agent capable of consequential action without human review. Visit wizeb.com/services/ai-agents to start the conversation.
