Agentjacking: How a Fake Bug Report Hijacks AI Agents

What happened?

Security researchers at Tenet Security have identified an attack technique called Agentjacking, which allows hijacking AI coding agents (such as GitHub Copilot, Amazon Q Developer, or Cursor) by injecting a fake bug report. The attack requires no malware, stolen passwords, or breach of the target system. It is enough for the developer to ask their agent to fix an apparent bug, and the agent unknowingly executes malicious code. According to Tenet Security's report, shared with The Next Web, the attack exploits the agents' ability to read and act on bug reports, turning them into attack vectors without needing to compromise the developer's environment beforehand.

Why is it important?

This attack exploits the trust developers place in AI agents for routine tasks. Unlike traditional vulnerabilities, Agentjacking does not require privileged access: the agent acts as the attack vector. The technique demonstrates that coding assistants can be manipulated to introduce backdoors, steal secrets, or compromise the development environment. With the growing adoption of autonomous agents in companies, the risk of software supply chain attacks multiplies. In fact, a 2024 GitHub study indicated that 46% of developers already use AI assistants daily, and that number is expected to rise. Agentjacking could affect millions of developers and companies that rely on AI-generated code, especially startups integrating these agents into their CI/CD pipelines.

How does it work?

The attack relies on AI agents' ability to read and act on bug reports. An attacker creates a fake report describing a bug in the developer's code. When the agent tries to fix it, the report contains hidden instructions that the agent interprets as part of the solution. For example, the report may indicate that the solution requires downloading a dependency from a malicious URL or modifying an environment variable. Since agents often have permissions to execute commands and access files, the attacker achieves remote control undetected. Tenet Security demonstrated the attack against Cursor, Amazon Q Developer, and GitHub Copilot, showing all three were vulnerable. In Copilot's case, the agent executed shell commands that downloaded a malicious payload. The technique is especially dangerous because the bug report can come from a public GitHub issue or a support channel, and the agent processes it automatically without verifying the source.

Consequences for companies and developers

Agentjacking poses a direct threat to software integrity. Companies using AI agents to generate or modify code could have deliberate vulnerabilities introduced. Moreover, the attack can go unnoticed in code reviews because the modifications appear legitimate. Developers must be aware that agents are not infallible and that human validation remains critical. According to Tenet Security, the attack could be used to steal API tokens, credentials, or even modify an application's business logic. For companies, the economic impact could be significant: a backdoor in a SaaS product could compromise data from thousands of customers, as happened in the SolarWinds attack, which cost over $4 billion in losses. Although Agentjacking has not been exploited in the wild, its potential is high due to the rapid adoption of AI agents in development environments.

What should readers know?

• Don't trust blindly: All AI-generated code should be manually reviewed, especially if it comes from external instructions like bug reports. Peer review remains essential.
• Limit permissions: Configure agents with the least privilege necessary; avoid giving them unrestricted access to the file system or network. For example, restrict the ability to execute shell commands or download files.
• Validate sources: Bug reports should come from official channels and be verified before an agent acts on them. Implement whitelists of trusted sources.
• Monitor behavior: Implement anomaly detection systems for agent actions, such as execution logs and alerts on unexpected code changes.
• Update security policies: Include AI agents in the organization's threat model. Conduct periodic audits of agent actions.

Historical context

This attack resembles supply chain attacks like SolarWinds, but with a key difference: the attack vector is the AI assistant itself. While previous attacks compromised libraries or development tools, Agentjacking exploits the agent's autonomy. It is a reminder that security must evolve alongside AI adoption. In 2023, researchers at Stanford University showed that large language models could be tricked into generating vulnerable code through prompt injection. Agentjacking takes this a step further by exploiting the developer's natural workflow. Compared to the CodexPrompt attack (2024), where malicious instructions were injected into code comments, Agentjacking uses bug reports, a vector harder to detect because reports are a legitimate source of information for agents.

Verdict

Agentjacking is a serious vulnerability that requires immediate attention. Although no cases have been reported in the wild, the technique is feasible and likely to be exploited. Developers and companies must act proactively to mitigate the risk. Tenet Security has recommended that agent providers implement sandboxing and input validation, but in the meantime, the responsibility falls on users. AI security is not just a technical problem but also one of processes and culture. As Bruce Schneier said: 'Security is a process, not a product.' Agentjacking reminds us that trust in AI must be accompanied by robust security measures. Companies integrating coding agents should treat this threat with the same seriousness as an SQL injection or cross-site scripting attack. The question is not if it will happen, but when.