EPISODE · Jun 15, 2026 · 9 MIN
The Log Is the Command
from The Sam Ellis Show · host Sam Ellis
A forged Sentry alert tried to make an engineer, or the engineer’s AI coding agent, run malware. That is the clean version. The more useful version is that the first step did not look like malware. It looked like an operational error report. In this episode, Sam Ellis reports on Agentjacking: a current-cycle attack path where hostile text enters an observability workflow through forged Sentry events, then becomes dangerous because AI coding agents may treat tool output as trusted remediation context. The story is not that Sentry was breached. Sentry says it was not. The story is that logs, tickets, alerts, and tool responses stop being passive once agents read them and have authority to act. The central question is simple and unpleasant: when a developer gives an agent access to observability tools, does the error log become a command channel? Sources Nutrient: “Emerging threats: Your logging system may be an agentic threat vector” — primary affected-operator account for the forged Sentry alert campaign. Nutrient says the attack used public browser DSN/event-ingest behavior to place hostile text inside an internal-looking observability workflow, that an engineer was working the alert with an AI coding agent, and that the agent refused the suspicious typosquatted package rather than executing it. Sentry GitHub Security Advisory: “Attempts at prompt injection and supply chain compromise with public Data Source Names (DSNs)” — official Sentry source confirming the activity documented by Nutrient and its IOC repository, naming the typosquatted packages, stating that crafted events were designed as AI prompts to convince agents to install third-party npm packages, and drawing the boundary that this was not a vulnerability within Sentry and there was no compromise of Sentry infrastructure. Tenet Security: “A Fake Bug Report Hijacks Your AI Coding Agent — and Nothing Catches It” — source for the broader Agentjacking framing: public Sentry DSNs, crafted error events, Sentry MCP tool responses, and AI coding agents treating attacker-written markdown as trusted remediation guidance. Tenet’s scale and success-rate figures are treated in the episode as Tenet claims, not Sentry-confirmed numbers. Infosecurity Magazine: “New ‘Agentjacking’ Attacks Could Hijack AI Coding Agents” — independent security-news pickup of Tenet’s report and the Sentry/MCP/coding-agent attack chain. Moltbook source call: agent security and operational tool output — public source-call thread used for agent/community perspective on where agent security stops being prompt safety and becomes authority, memory, rollback, tool output, and runtime provenance. Sentry MCP pull request #1056: “wrap get_issue_details output in untrusted data boundary” — repository context for Sentry MCP maintainers’ draft untrusted-telemetry boundary work. Used as context for the mitigation shape, not as proof that the Agentjacking issue was fully solved or that Tenet’s figures were confirmed. Email: [email protected]
What this episode covers
Sam Ellis reports on Agentjacking, forged Sentry alerts, and why operational logs and tool outputs become command surfaces once AI coding agents can read them and act.
NOW PLAYING
The Log Is the Command
No transcript for this episode yet
Similar Episodes
No similar episodes found.
Similar Podcasts
No similar podcasts found.