What Is Agentjacking?
AI coding agents have evolved far beyond autocomplete. Tools like Claude Code, Cursor, and Codex now read files, execute terminal commands, query external services, and make code changes autonomously. Through the Model Context Protocol (MCP), these agents connect to external services — including error-tracking platform Sentry — and treat the data returned as authoritative system output.
Agentjacking exploits exactly this trust relationship. An attacker uses a Sentry DSN — a public, write-only credential intentionally embedded in website JavaScript — to inject a crafted fake error event into a target's Sentry project. When a developer asks their AI coding agent to investigate open Sentry issues, the agent retrieves the injected event alongside real errors. Because the agent cannot distinguish real crash reports from planted ones, it follows the attacker's embedded instructions — executing attacker-controlled code with the developer's own system privileges.
The Attack Chain: Six Steps to Compromise
Step 1 — Find the DSN: Sentry DSNs are intentionally public, embedded in frontend JavaScript for crash reporting. Discovery methods include inspecting a website's source code, Censys internet scans, or GitHub code search.
Step 2 — Inject the event: POST a crafted error event to Sentry's ingest endpoint using only the DSN. No authentication is required. Sentry processes the event identically to a legitimate application crash.
Step 3 — Markdown injection: The injected event contains carefully structured Markdown in the message and context fields. When the Sentry MCP server returns this to the AI agent, the Markdown renders as structured content — headings, code blocks, tables — visually identical to Sentry's own system template, including a fake ## Resolution section.
Step 4 — Agent manipulation: When a developer asks their agent to "fix unresolved Sentry issues," the agent queries Sentry via MCP and receives the injected event. It cannot distinguish attacker content from legitimate guidance and follows the embedded instructions.
Step 5 — Code execution: The agent runs an attacker-specified npx command. The package downloads from the public npm registry and executes with the developer's full local privileges.
Step 6 — Data exfiltration: AWS keys, GitHub tokens, Sentry auth tokens, git credentials, private repository URLs, and CI/CD pipeline secrets are silently sent to the attacker's server — with no visible indication to the developer.
Tenet calls this the "Authorized Intent Chain." Every step in the attack chain is authorized behavior: Sentry operates as designed, the DSN is public by policy, the npm package downloads via standard channels, and the agent executes commands as part of its normal workflow. EDR, WAF, IAM, VPN, and firewalls detect nothing — because there is nothing unauthorized to detect.
Real-World Validation: What Tenet Found
This was not a theoretical exercise. Tenet's Threat Labs conducted controlled real-world validation:
- 2,388 organizations discovered with injectable DSNs via passive reconnaissance (Censys indexing, code search, CDN extraction). 71 ranked in the Tranco top-1 million domains.
- 100+ confirmed agent executions across real organizations — Claude Code, Cursor, and Codex all acted on injected errors.
- 85% exploitation success rate — even when agents were given explicit system prompts instructing them to ignore untrusted data.
- Exposed organizations spanned a Fortune 500 company ($250B+ parent), a $2B+ hosting infrastructure provider, a scientific computing firm, and — notably — a cloud security vendor.
In each case, the agent surrendered live cloud credentials, source-control tokens, and infrastructure access data. All captured material was redacted by Tenet; no systems were compromised beyond confirming exposure.
Tenet disclosed to Sentry on June 3, 2026. Sentry acknowledged the issue the same day but declined to fix it at the root, characterizing it as "not technically defensible" at the ingestion layer. Sentry added a global content filter blocking one specific payload string — treating a symptom, not the cause. The underlying attack surface remains open.
Beyond Sentry: A Systemic Problem
The researchers are clear that this is not a Sentry-specific vulnerability. The attack class applies wherever AI agents retrieve and act on externally-influenced data through trusted integrations. Support tickets, GitHub issues, documentation wikis, and any other MCP-connected data source with writable external interfaces carry the same risk class.
A separate recent incident — where an AI email agent was manipulated into leaking AWS keys — demonstrates the same underlying principle playing out across different integration types.
Mitigation Strategies
| Action | Description | Priority |
|---|---|---|
| Audit all MCP integrations | Map every external service your agent can query | High |
| Identify untrusted-data sources | Flag tools that return externally writable content | High |
| Minimize agent execution permissions | Apply least-privilege to what agents can run | High |
| Deploy MCP gateway proxy | Inspect and policy-gate all agent tool calls | Medium |
| Full agent execution logging | Track what each agent executes and why | Medium |
Microsoft's MSRC BlueHat 2026 presentation (video above) provides a practical framework for enterprise-grade MCP security governance, including gateway proxies, LLM-as-judge techniques, and quarantined model patterns.
Key Points
- Agentjacking hijacks Claude Code, Cursor, and Codex via fake Sentry error events — no malware, no breach required
- Achieves 85% agent exploitation success rate; 2,388 organizations confirmed exposed including Fortune 500 firms
- Attack bypasses all traditional security controls (EDR, WAF, IAM, VPN) because every step is authorized behavior
- Sentry declined to fix the root issue, calling it "not technically defensible" at the ingestion layer
- Risk extends beyond Sentry to any MCP-connected tool returning externally-writable data — the attack surface is systemic