Fake Sentry error reports hijack AI coding agents into running attacker code
Tenet Security's Threat Labs demonstrated "Agentjacking," a new attack class that uses injected fake Sentry error events to trick AI coding agents like Claude Code and Cursor into executing attacker-controlled code on developer machines — with no authentication breach required and no security control catching it.
Score breakdown
The attack requires no exploit, no prior compromise, and no user error beyond normal workflow, meaning AI coding agents connected to external services via MCP are themselves an active attack surface that existing security controls do not catch.
- 01Tenet Security's Threat Labs named the attack class 'Agentjacking.'
- 02The attack requires only a public Sentry DSN credential found in any website's JavaScript source — no breach or stolen credentials needed.
- 032,388 organizations were found exposed via public DSNs.
Tenet Security's Threat Labs has published research on "Agentjacking," a new class of attack that hijacks AI coding agents by injecting malicious instructions into Sentry error events. Because Sentry's DSN credential is publicly embedded in the JavaScript source of production websites by design, an attacker can POST a crafted error event to any exposed Sentry project without breaching any system or stealing any credentials. When a developer asks their AI coding agent — such as Claude Code or Cursor — to investigate unresolved Sentry errors, the agent retrieves the injected event via the Sentry MCP server and treats it as authoritative system output. The malicious payload is disguised as a legitimate "Resolution" inside an ordinary error, causing the agent to interpret attacker-controlled instructions as diagnostic remediation steps and execute attacker-specified npm packages.
Tenet concludes that the only viable interception point is at the agent's runtime.
The research identified 2,388 organizations exposed through public DSNs, and in controlled testing more than 100 agents acted on injected errors, with confirmed agent execution at organizations spanning Fortune 500 enterprises to independent developers. The potential impact includes silent exfiltration of environment variables (AWS keys, GitHub tokens, Sentry auth tokens), git credentials, private repository URLs, and developer identity — all without credential phishing, prior server compromise, or any user interaction beyond normal workflow. The researchers characterize the root cause as a fundamental model-level limitation: AI coding agents cannot distinguish between data they are reading and instructions to act on, meaning the flaw cannot be patched away as a misconfiguration. Tenet concludes that the only viable interception point is at the agent's runtime.
Key facts
- 01Tenet Security's Threat Labs named the attack class 'Agentjacking.'
- 02The attack requires only a public Sentry DSN credential found in any website's JavaScript source — no breach or stolen credentials needed.
- 032,388 organizations were found exposed via public DSNs.
- 04100+ agents acted on injected errors in controlled testing, with confirmed execution at Fortune 500 enterprises and independent developers.
- 05Agents like Claude Code and Cursor receive injected Sentry events via the Sentry MCP server and treat them as trusted system output.
- 06Potential stolen data includes AWS keys, GitHub tokens, Sentry auth tokens, git credentials, and private repository URLs.
- 07The researchers describe the flaw as a model-level limitation — agents cannot distinguish data from instructions — not a patchable misconfiguration.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 13, 2026 · 08:58 UTC. How this works →