Technical description
Tenet Security's Threat Labs disclosed 'Agentjacking' on June 11, 2026 — a novel attack class that injects crafted error events into Sentry (an app performance monitoring platform) using only the publicly-exposed Data Source Name (DSN) credential embedded in any website's JavaScript. When a developer asks their AI coding agent (Claude Code, Cursor, Codex) to 'fix unresolved Sentry issues,' the agent queries Sentry via the Sentry MCP server and receives the attacker's injected payload, rendered indistinguishably from legitimate Sentry remediation guidance. The agent then executes the attacker-controlled commands with the developer's full local privileges — no phishing, no authentication bypass, no compromise of target infrastructure required.
Attack vector
Attacker obtains a target organisation's Sentry DSN from public JavaScript source code; POSTs a crafted error event containing malicious markdown instructions to Sentry's unauthenticated ingest endpoint; the event is returned via MCP as trusted system output; the AI coding agent executes the payload (e.g., malicious npm package) without user interaction. The attack bypasses EDR and WAF because all network traffic is authorised and all file operations are signed by the developer process.
Affected systems
Claude Code, Cursor, and OpenAI Codex when integrated with Sentry via MCP. Tenet confirmed 85% success rate across 100+ real-world targets; 2,388 organisations found with injectable public DSNs. Any organisation using AI coding agents connected to Sentry via MCP is exposed.
Mitigation
Immediate: (1) Audit all MCP server integrations for tools that return external/third-party data and disable Sentry MCP until controls are in place. (2) Enforce human-in-the-loop approval gates before agents execute code or install packages. (3) Rotate Sentry DSNs and consider backend proxy auth for MCP ingest. Medium-term: Implement MCP tool response provenance labelling and agent sandboxing that prohibits code execution from telemetry-sourced data.