Agentjacking: a fake Sentry bug report hijacks your AI coding agent — 85% success rate, 2,388 organizations exposed

Tenet Security published "Agentjacking" on June 12 — a new attack class that exploits a structural mismatch between Sentry's open error-event ingestion and the Sentry MCP server used by AI coding agents. It bypasses EDR, WAF, IAM controls, VPN, and firewalls entirely because every action in the chain is technically authorized. Tenet calls this the Authorized Intent Chain: the prevailing security model catches unauthorized behavior; this attack contains none.

The flaw. A Sentry DSN (the credential embedded in your error-tracking SDK) is write-only and public by design — it must be embedded in browser JavaScript to capture errors, meaning anyone who finds it can POST error events to your Sentry project. The Sentry MCP server, which developers install so AI agents can query their error backlog, returns those events as trusted system output — indistinguishable from legitimate application errors. An attacker who posts a fake error event can inject any instruction into the context your agent consumes when you ask it to "fix open issues."

Testing results. Tenet identified 2,388 organizations with exposed, injectable Sentry DSNs (71 in the Tranco top one million). Across controlled validation, they achieved an 85% exploitation success rate — agents including Claude Code, Cursor, and Codex acted on injected errors and executed attacker-controlled commands with developer privileges. Exfiltrated material included AWS keys, GitHub tokens, Sentry auth tokens, git credentials, and private repository URLs.

Sentry's response. Disclosed June 3; Sentry acknowledged the same day but implemented only a content filter blocking the specific payload string used in Tenet's research. The underlying problem — unauthenticated write access combined with trusted-output retrieval — remains open. Sentry described the attack class as "technically not defensible" at the platform level.

Immediate actions. If you use Sentry with the Sentry MCP server in a coding agent context: (1) rotate AWS keys, cloud credentials, and tokens your agent has had access to; (2) audit Sentry DSN exposure (look for SENTRY_DSN env vars, sentry.init() calls, bundled browser JS); (3) consider removing the Sentry MCP server from your agent config until write authentication is addressed.

Sources: Tenet Security: Agentjacking, The Hacker News, The Next Web, CSA Research Note, Infosecurity Magazine