Agentjacking: Fake Sentry Error Reports Hijack AI Coding Agents Into Running Attacker-Controlled Code

Tenet Security (disclosed June 12, 2026) demonstrated that Sentry's public write-only Data Source Name (DSN) credential — embedded in website JavaScript by design — can be abused by any attacker to POST a crafted fake error report containing hidden markdown instructions. When a developer asks Claude Code, Cursor, or Codex to 'fix unresolved Sentry issues' via the Sentry MCP server, the agent retrieves the poisoned event and executes the attacker's commands with the developer's own system privileges. No authentication, no breach of the target, and no malware delivery is required. Tenet confirmed an 85% exploitation success rate across tested agents, identified 2,388 organizations with injectable DSNs, and observed confirmed code execution at Fortune 500 and cloud-provider targets. Sentry deployed a content filter blocking only the specific tested payload string; the underlying DSN injection pathway remains architecturally intact.

This is a novel agentic attack class that exploits implicit MCP trust: an AI coding agent cannot distinguish legitimate error data from attacker-injected instructions, so it executes arbitrary commands with full developer privileges — exfiltrating environment variables, AWS/cloud keys, Git credentials, and private repository URLs. Every EDR, WAF, IAM, VPN, and Cloudflare control is blind to the attack because all actions run under the developer's authorized session. The blast radius is any organization whose developers use Claude Code, Cursor, or Codex with the Sentry MCP integration — Tenet confirmed 2,388 such organizations in public data alone.

Attacker POSTs a crafted HTTP error event to the target's public Sentry DSN containing hidden markdown instructions in the 'Resolution' or message fields. When the developer asks their AI coding agent to investigate Sentry errors, the Sentry MCP server returns the poisoned event as trusted context, and the agent executes the embedded commands on the developer's machine.

Claude Code, Cursor, and Codex AI coding agents with Sentry MCP server integration; any organization using Sentry DSNs in public-facing applications

Treat all MCP server output as untrusted; disable Sentry MCP integration or sandbox agent tool invocations behind human approval. Rotate any credentials exposed in developer environments. Sentry's current mitigation (content filter on specific payload string) does not close the structural vulnerability. See: https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors