Breaking the Agentic Sandbox
About This Session
AI coding agents are being deployed behind sandboxes, egress allowlists, and scoped filesystem access - and enterprises are calling it contained. This session proves otherwise with three original attack chains, each starting from a single indirect prompt injection and ending with full secret exfiltration or arbitrary code execution.
The attacker has zero prior access. No credentials, no malware, no endpoint compromise. Just a crafted GitHub issue that the agent is configured to read. From there, the agent does the rest - hijacked step-by-step into working on the attacker's behalf through a technique we call agentjacking.
We show a responsibly disclosed zero-day that escapes Claude Desktop's network sandbox entirely. A technique that exfiltrates stolen API keys and source code through an allowlisted package registry, indistinguishable from normal developer traffic. And an MCP configuration hijack that rewrites the agent's own trust chain — turning a verified tool into an attacker-controlled execution channel that delivers remote code execution, persistent access, and full secret exfiltration from inside a "secured" environment.
Every action is legitimate. Every destination is allowlisted. Every control in the path sees nothing. The failure is structural - not a bug in any single component, but a broken assumption about what containment means when the thing you're containing can reason.
The session closes with a practical hardening framework mapped to agent autonomy levels, so attendees leave knowing which controls actually matter for their deployment model.
All vulnerabilities responsibly disclosed. Live demos included.
The attacker has zero prior access. No credentials, no malware, no endpoint compromise. Just a crafted GitHub issue that the agent is configured to read. From there, the agent does the rest - hijacked step-by-step into working on the attacker's behalf through a technique we call agentjacking.
We show a responsibly disclosed zero-day that escapes Claude Desktop's network sandbox entirely. A technique that exfiltrates stolen API keys and source code through an allowlisted package registry, indistinguishable from normal developer traffic. And an MCP configuration hijack that rewrites the agent's own trust chain — turning a verified tool into an attacker-controlled execution channel that delivers remote code execution, persistent access, and full secret exfiltration from inside a "secured" environment.
Every action is legitimate. Every destination is allowlisted. Every control in the path sees nothing. The failure is structural - not a bug in any single component, but a broken assumption about what containment means when the thing you're containing can reason.
The session closes with a practical hardening framework mapped to agent autonomy levels, so attendees leave knowing which controls actually matter for their deployment model.
All vulnerabilities responsibly disclosed. Live demos included.
Speaker
Barak Sternberg
Co-Founder & CEO - Tenet Security
Barak Sternberg is CEO and co-founder of Tenet Security and previously founded Wild Pointer, a boutique cybersecurity firm serving Fortune-500 enterprises and startups. With 15+ years in offensive research and product security, Barak co-led Cisco’s GenAI security research initiative and has presented research at conferences including DEFCON, Hacktivity, ROOTCON, Blackhat and more. His work focuses on practical exploitation techniques and building defensive controls that scale to real engineering teams.