Agentjacking: How Fake Bug Reports Hijack AI Coding Agents — Plus Gemini CLI Dies Today

June 18, 2026 — and the AI security landscape just got a lot more interesting. A new attack called Agentjacking can hijack your AI coding agent using nothing but a fake bug report. No phishing. No malware. No server compromise.

Meanwhile, Google is pulling the plug on Gemini CLI today, Oxford researchers are warning that frontier labs have lost oversight of their own AI agents, and Gartner is officially recognizing “Agentic Coding Security” as a thing.

Let’s get into it.

Agentjacking: Your Error Monitoring Is Now an Attack Vector

This is the big one today. Researchers from Tenet Security published a new attack class called Agentjacking that tricks AI coding agents — Claude Code, Cursor, and others — into executing arbitrary code on developers’ machines. The attack uses fake Sentry error reports.

Here’s the chain:

  1. Attacker finds your Sentry DSN (public, write-only credential — often embedded in websites)
  2. Attacker POSTs a malicious error event to Sentry’s ingest endpoint
  3. The injected event contains carefully formatted markdown with attacker-supplied commands disguised as a “Resolution” section
  4. Developer asks their AI agent to “fix unresolved Sentry issues”
  5. Agent queries Sentry via MCP, receives the malicious event, and executes the attacker’s code with the developer’s full privileges

No breach required. No phishing. The attacker never touches your infrastructure.

The numbers are sobering:

  • 2,388 organizations found with injectable DSNs
  • 85% exploitation success rate across major AI coding assistants
  • 100+ successful agent executions in controlled tests

Sentry’s response? They acknowledged the issue is “technically not defensible” and activated a global content filter for a “specific payload string.” That’s not a fix. That’s a band-aid on an architectural wound.

Why this matters: This is the first major attack that exploits the trust boundary between AI agents and their tool integrations. The agent can’t distinguish between legitimate Sentry data and attacker-injected content because MCP returns both as “trusted system output.” Every observability platform with an MCP server is now a potential injection point.

Abstract cybersecurity attack visualization showing malicious code flowing through a data pipeline

Oxford + SaferAI: Frontier Labs Have Lost Oversight of Their Own Agents

On the research side, the University of Oxford and SaferAI published an analysis (arXiv: 2606.13474) examining what happens when AI agents write a lab’s own code — with minimal human review.

They applied safety analysis methods from aviation, nuclear power, and chemical plants to frontier AI labs (modeled on public disclosures from Anthropic, OpenAI, and Google DeepMind). The findings are uncomfortable:

Unowned responsibilities. Multiple critical control actions — power to pause a model, maintain access policies, assess catastrophic risk — have no publicly named owners. California’s SB 53 legally requires catastrophic-risk assessment, yet no external party can identify who’s accountable.

Monitoring lag. OpenAI monitors ~99.9% of internal coding traffic, but reviews arrive ~30 minutes after sessions end. Risk scores show up after pull requests are merged. By the time the monitor flags something, the code is already in production.

Compromised human review. Agents submit code with their own explanations of what they did and why. Reviewers tend to align with the agent’s stated intent. Over time, agent-written code, tests, and docs become the reference material for both future agent tasks and human reviewers — embedding any consistent blind spots into the baseline.

Safety drift. Permission exceptions accumulate. Monitoring rules that rarely trigger get trimmed. Static review requirements stay in place despite rising pull request volume. All driven by productivity pressures and growing trust in agents.

The authors recommend a two-tier disclosure model: public safety reports with aggregated indicators, and full operational data for designated auditors like national AI safety institutes.

Google Kills Gemini CLI — Long Live Antigravity

Today is the day. Google is shutting down Gemini CLI and Gemini Code Assist IDE extensions for free-tier, AI Pro, and AI Ultra users. The replacement? Antigravity CLI — a closed-source tool that Google says is “the future of AI-assisted development.”

Gemini CLI was open-source. It had a thriving community. Antigravity is none of those things.

The migration path is straightforward if you’re an enterprise customer with a Google Cloud deal. Everyone else gets to figure it out themselves.

Why this matters: Google is betting that the future of AI coding tools is tightly integrated with its cloud ecosystem. Open-source is fine until it competes with your paid product. The message is clear: if you’re not paying Google for AI, Google doesn’t want you using its AI.

For the broader ecosystem, this is a reminder that “open-source” from a big tech company is always provisional. The moment it conflicts with monetization, the license doesn’t save you.

Abstract multi-agent collaboration with glowing data streams between geometric shapes

Databricks Launches Genie One: Agentic Coworkers for Every Team

While Google is taking things away, Databricks is adding. Genie One is a new “agentic coworker” platform that lets business teams — finance, marketing, sales, operations — build and share AI agents grounded in their corporate data.

The pitch is simple: instead of every team building their own AI tools from scratch, Genie One gives them a shared platform with Unity Catalog governance baked in. Build an agent once, share it across the org, and it stays within your data permissions.

The enterprise angle: Databricks is positioning itself as the “agent layer” for the enterprise data stack. If your data lives in Databricks, your agents should too. It’s a land play — get the agents in, expand the data platform footprint.

Gartner Recognizes “Agentic Coding Security” as a Category

In a sign of the times, Gartner’s 2026 Hype Cycle for Secure Software Engineering officially includes Agentic Coding Security as an emerging category rated “High benefit.” Multiple vendors — Legit Security, OX Security, Secure Code Warrior, Arnica — are named as sample vendors.

This is the security industry formally acknowledging that AI coding agents aren’t just a productivity tool — they’re a new attack surface that needs its own security category. The Agentjacking research dropped the same week Gartner published this. The timing is almost too perfect.

AI Coding Agents Break 80% on SWE-Bench Pro

The benchmarks keep climbing. As of June 2026, multiple AI coding agents have surpassed 80% on SWE-Bench Pro, with Claude Fable 5 leading at 80.3% and Claude Mythos 5 hitting 95.5% on SWE-Bench Verified.

For context: SWE-Bench Pro is the harder version of the benchmark. It tests agents on real-world software engineering tasks from actual GitHub repositories — not toy problems. Passing 80% means the agent can autonomously resolve 4 out of 5 real bugs and feature requests.

But remember the MIT study: agents write 180% more code but ship only 30% more software. Writing code was never the bottleneck.

Futuristic data center rack with glowing server blades and fiber optic cables

The Big Picture

Today’s news traces a single thread: AI agents are becoming critical infrastructure, and we’re not ready.

Agentjacking proves that the trust model between agents and their tools is broken. Oxford’s research shows that frontier labs are losing oversight of the agents writing their own code. Gartner is creating a new security category because the old ones don’t cover this. Google is consolidating its AI tools into a closed ecosystem. And the agents keep getting better at writing code that nobody has time to properly review.

The spaghetti is tangling fast. 🍝


Affiliate links: If you’re looking for AI coding tools, check out Cursor and GitHub Copilot. For self-hosted AI, Ollama is still the easiest way to run models locally.