A developer asked their AI coding agent to "fix the Sentry errors." The agent pulled the Sentry events, analyzed them, and executed the commands written there. Those commands had been planted by an attacker.
Agentjacking, disclosed by security firm Tenet Security in June 2026, is a novel attack exploiting MCP (Model Context Protocol) integrations in AI coding agents. Testing against Claude Code, Cursor, and Codex, researchers achieved an 85% exploitation success rate — with 2,388 organizations' credentials exposed.
The scariest part: EDR, WAF, IAM, and firewalls — all the conventional security tools — detect none of it.
How does the attack actually work?
Sentry's Data Source Name (DSN) is a credential intentionally designed to be public in client-side JavaScript. The problem: anyone who knows a DSN can write data to Sentry events — no authentication needed, just one POST request.
Tenet Security found valid DSNs from 2,388 organizations using only Censys searches and GitHub code discovery. 71 of them appeared in the Tranco top-1M domains — including Fortune 500 companies and a cloud security vendor.
The attack runs in five steps.
- DSN discovery + event injection
Attacker injects a fake error event into Sentry using the public DSN — just one POST request, no auth required. - Markdown disguise
The injected event contains fake "Resolution" instructions that look identical to real Sentry error formats. Completely indistinguishable. - Agent reads via MCP
Developer asks the agent to "fix the Sentry errors." The agent fetches events via MCP. MCP responses are treated as trusted system output. - Hacker code executes
The agent runs what it thinks are "diagnostic commands" — an npx call — with the developer's full system privileges. - Credential exfiltration
The downloaded package harvests environment variables, AWS keys, GitHub tokens, Kubernetes credentials, and sends them to the attacker's server.
Notably, the attack succeeded even when developers explicitly told the agent to "ignore untrusted instructions."
Why can't existing security tools catch this?
Tenet calls this the "Authorized Intent Chain": every single step is technically authorized behavior. Conventional security is built to detect unauthorized actions — and this attack contains none.
| Security Tool | Against Normal Attacks | Against Agentjacking |
|---|---|---|
| EDR | Detects malicious processes → Blocked | npx (normal command) → Passes through |
| WAF | Blocks malicious external requests | Sentry MCP API call → Passes through |
| IAM / RBAC | Denies unauthorized access | Runs as developer → Passes through |
| VPN / Firewall | Blocks external IP access | Internal agent execution → Passes through |
| Cloudflare | Detects bot traffic → Blocked | Normal agent API request → Passes through |
Sentry acknowledged the disclosure on June 3 but declined to address the root cause, calling it "technically not defensible" at the platform level. Their only fix: a string filter for the specific known payload. The attack pathway remains open.
"MCP integrations are the next frontier for software supply chain attacks."
— Cloud Security Alliance, June 2026
What to check right now
Tenet's conclusion: "The only place left to catch it is at the agent's runtime." If your team uses AI coding agents, check these five things today.
- Audit your agent's MCP tool connections
List every external service your agent connects to via MCP. Any service that accepts anonymous writes — not just Sentry — is a potential injection vector. - Check for exposed Sentry DSNs
Search your frontend JS source, GitHub repos, and .env files for hardcoded Sentry DSNs. In an MCP-connected environment, public credentials carry different risks. - Add explicit approval gates for code execution
Configure your agent to require explicit approval before executing commands from external MCP tool responses. For Claude Code, review tool approval settings; for Cursor, re-examine Auto Run mode. - Rotate environment variables and credentials regularly
Set up rotation schedules for AWS keys and GitHub tokens in dev environments. Even if an attack succeeds, reducing credential validity windows limits blast radius. - Implement agent runtime monitoring
Track the origin of commands your agent executes. Get alerted when code execution is triggered by an MCP response. This is currently the most effective defense layer available.
CSA guidance
Before giving your AI agent query access to any external service, verify whether that service accepts anonymous writes. Any MCP integration with an anonymously writable service can be exploited using the same Agentjacking principle.
Dive Deeper
A Fake Bug Report Hijacks Your AI Coding Agent Tenet Security's official technical analysis — full attack structure, DSN scanning methodology, and defense recommendations. tenetsecurity.ai
CSA Research Note: Agentjacking MCP Sentry Injection Cloud Security Alliance's independent analysis. MCP supply chain attack vector classification and response framework. cloudsecurityalliance.org
Agentjacking: a fake bug report can hijack your AI coding agent The Next Web developer perspective. Authorised Intent Chain explained and business impact analysis. thenextweb.com
New Agentjacking Attack Hijacks AI Coding Agents to Execute Malicious Code GBHackers technical community analysis — attack implementation and detection failure mechanisms. gbhackers.com
New Agentjacking Attacks Could Hijack AI Coding Agents Infosecurity Magazine expert interviews. MCP integration security governance guidelines. infosecurity-magazine.com
Agentjacking AI Coding Agent Attack: 2,388 Orgs Exposed Decryption Digest deep dive — full Sentry MCP attack structure review. decryptiondigest.com
