Fake Sentry bug reports hijack Claude Code, Cursor, and Codex into running attacker code

Tenet Security has disclosed a novel attack class called "Agentjacking" that requires no malware, stolen credentials, or direct breach of a target system. The attack exploits Sentry's public DSN key — which any app can post error reports to by design — to inject a fake bug report containing a hidden "Resolution" section formatted to mimic Sentry's own advice. When a developer instructs their AI coding agent to fix unresolved Sentry issues, the agent reads the report through the Model Context Protocol and, treating the response as trusted, executes the attacker's embedded command using the developer's own privileges on the developer's own machine.

In controlled tests, the attack achieved an 85% success rate across Claude Code, Cursor, and Codex.

In controlled tests, the attack achieved an 85% success rate across Claude Code, Cursor, and Codex. Tenet identified 2,388 exposed organisations, ranging from a $250bn enterprise to solo developers and at least one cloud-security vendor. The potential damage is severe: a single injected error report can expose environment variables, AWS keys, GitHub tokens, git credentials, private repository URLs, and from there, CI/CD pipelines and cloud infrastructure. Critically, the attack bypasses EDR, firewalls, IAM, and VPNs because nothing in the chain is technically unauthorised — Tenet calls this the "Authorised Intent Chain." Prompt-level defences also failed; agents ran the attacker's code even when explicitly told to ignore untrusted data.

Tenet notified Sentry on 3 June, but Sentry declined to fix the issue at the root, describing it as "technically not defensible," and instead added a filter to block one specific payload string. Tenet notes the underlying risk is not limited to Sentry — the same attack surface exists wherever agents consume outside data, including support tickets, GitHub issues, and documentation. A separate test referenced in the article also phished an AI email agent into leaking AWS keys, underscoring that the problem is systemic to how agents handle external input.

Key facts

1. 01Tenet Security disclosed the attack, which they named 'Agentjacking,' targeting AI coding agents via fake Sentry error reports.
2. 02Sentry's public DSN key requires no password, allowing anyone to POST a fake error report to any app's Sentry endpoint.
3. 03The fake report hides a malicious command in a 'Resolution' section formatted to look like legitimate Sentry advice.
4. 04Agents read Sentry data via the Model Context Protocol and treat the response as trusted, executing the embedded command.
5. 05The attack achieved an 85% success rate in controlled tests against Claude Code, Cursor, and Codex.
6. 06Tenet found 2,388 exposed organisations, including a $250bn enterprise and a cloud-security vendor.
7. 07The attack bypasses EDR, firewalls, IAM, and VPNs, and succeeded even when agents were told to ignore untrusted data.
8. 08Sentry declined to fix the root cause, calling it 'technically not defensible,' and only blocked one specific payload string.

Topics