Author: Ron Bobrov, Barak Sternberg, Nevo Poran
Published: June 9, 2026
Source: https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/
Summary
Researchers at Tenet Security describe “Agentjacking,” an indirect prompt-injection attack class in which a malicious error event is planted in a victim’s Sentry error-tracking project and later read by an AI coding agent. Because the agent cannot distinguish data it retrieves from instructions it must follow, the crafted error content is interpreted as a legitimate “resolution” step and the agent runs attacker-supplied commands with the developer’s own privileges. The technique requires no authentication beyond a publicly exposed Sentry DSN, and the researchers report wide real-world exposure.
Technical Details
Sentry’s event-ingest endpoint accepts error events authenticated only by a project’s DSN (client key), which is frequently embedded in front-end source and therefore publicly discoverable. An attacker harvests an exposed DSN and POSTs a forged error event whose fields contain markdown-formatted text. When a developer later asks an AI coding agent (the article names Claude Code, Cursor, and Codex) to investigate Sentry issues — typically via the Sentry MCP server integration — the agent fetches the forged event as part of the tool response. The injected markdown renders as a convincing “Resolution” section that instructs the agent to run a command such as an npx invocation. The root cause is not a memory-safety or platform bug but a trust-boundary failure: the agent treats MCP tool output as trusted instruction rather than untrusted external data, so injected content is acted upon directly. No CVE is associated with the disclosure.
Impact
Because the injected command executes in the developer’s local context, an attacker can reach whatever that environment exposes — AWS credentials, GitHub tokens, environment variables, git credentials, Kubernetes tokens, and private repository URLs. Tenet reports identifying 2,388 exposed organizations (71 of them in the Tranco top-1M) and observing 100+ confirmed agent executions across real targets ranging from independent developers to Fortune 500 enterprises. The article frames these figures as the researchers’ own measurements; they are not independently verified here.
Mitigation
According to the article, Sentry declined a root-cause fix, characterizing the issue as “technically not defensible” at the platform level, and instead added a content filter that blocks specific payload strings — a measure the researchers consider incomplete because it does not address the underlying trust problem. The authors argue the only durable control point is at the agent runtime: treating all MCP/tool output as untrusted, requiring explicit human confirmation before an agent executes commands derived from external data, and constraining the credentials and capabilities available in developer environments. Rotating or restricting publicly exposed Sentry DSNs reduces the attacker’s entry point but does not by itself close the injection path.