AI coding agents just became an attack surface. Tenet Security calls the new technique Agentjacking: attacker-crafted Sentry error events that convince agents like Claude Code and Cursor to execute arbitrary code on developer machines.
What is Agentjacking?
Agentjacking is a class of attacks that abuses Sentry, the open-source error-tracking and performance platform, to deliver malicious instructions that AI coding agents treat as trusted guidance. The trigger is a fake error report filed into Sentry and retrieved by an agent through the Model Context Protocol (MCP).
“The attack exploits a critical architectural flaw at the intersection of Sentry’s event ingestion (which accepts arbitrary payloads from anyone with the DSN) and the Sentry MCP server (which returns this data to AI agents as trusted system output),” researchers Ron Bobrov, Barak Sternberg, and Nevo Poran said.
Because agents implicitly trust external services accessed via MCP, they can’t reliably tell a legitimate crash report from an injected one. That confusion creates a pathway to arbitrary code execution when the agent processes the response.
How the attack works
- An attacker finds a target’s Sentry Data Source Name (DSN), a public, write-only credential embedded in websites.
- The attacker sends a malicious error event to Sentry’s ingest endpoint via POST using that DSN.
- The injected event includes carefully formatted markdown in the message field and context key names. When the Sentry MCP server returns this event to an AI agent, it renders as structured content that looks identical to Sentry’s system template.
- When a developer asks their AI coding agent to “fix unresolved Sentry issues” (or similar), the agent queries Sentry via MCP and receives the malicious event.
- The agent executes the attacker’s code with the developer’s full privileges.
“The attacker never touches the victim’s infrastructure. The malicious instruction arrives disguised as a legitimate ‘Resolution’ inside an ordinary error. When a developer asks their AI agent to fix the Sentry issue, the agent reads the attacker’s command as trusted guidance and runs it — with the developer’s own privileges, on the developer’s own machine.”
Why it matters
A successful Agentjacking attack can expose environment variables, Git credentials, private repository URLs, and developer identities — without phishing, prior server compromise, or traditional intrusion.
Tenet Security reported at least 2,388 organizations exposed with valid injectable DSNs. In controlled testing against more than 100 organizations, the team achieved an 85% exploitation success rate on injected errors across widely used AI coding assistants.
Vendor response
Sentry acknowledged the issue but chose not to fix it, stating it is “technically not defensible.” The company has enabled a global content filter that blocks a “specific payload string.”
The bottom line
“As enterprises race to deploy AI coding agents, this research proves the agents themselves are now the attack surface — turned against the developers who trust them, using nothing but data those organizations publish about themselves,” Tenet said. “The attack bypasses EDR, WAF, IAM, VPN, Cloudflare, and firewalls — because there is nothing malicious to detect. Every action in the chain is authorized.”
Reference: View article