Agentjacking: fake Sentry errors hijack AI coding agents via MCP

What is this?

On June 9, 2026, Tenet Security’s Threat Labs published research describing “agentjacking”: a way to hijack AI coding agents by planting a fake error report in a service the agent trusts. The Cloud Security Alliance issued a corroborating research note on June 12, 2026. The attack chains two design decisions that are individually reasonable — Sentry’s open, unauthenticated event ingestion and the implicit trust an AI coding agent places in Model Context Protocol (MCP) tool output — into a path from “anyone on the internet” to “arbitrary code on a developer’s machine.” Tenet reports an 85% exploitation success rate across Claude Code, Cursor, and Codex, and identified at least 2,388 organizations with injectable credentials, 71 of them in the Tranco top one million. This article reports the published findings and defenses only; it contains no payloads or operational steps.

How it works

Sentry is a widely used error-tracking platform. To receive crash reports from browsers and mobile apps, it issues a DSN — a write-only public credential that Sentry deliberately documents as safe to embed in client-side JavaScript. By design, the ingest endpoint is unauthenticated: anyone holding a DSN can POST an event, and it lands in the project’s issue queue next to real crashes.

The attack uses that property. An attacker discovers a DSN (it sits in page source, public GitHub repos, or scanning indexes), then POSTs a crafted event whose fields are formatted as markdown — a fake ## Resolution section that, when the Sentry MCP server returns it, renders identically to Sentry’s own diagnostic templates. When a developer later asks their agent to “fix the unresolved Sentry issues,” the agent queries Sentry over MCP, receives the injected event, and cannot tell attacker-authored text from a genuine application error. It follows the planted instruction — running a command like npx [REDACTED-PACKAGE] --diagnose — with the developer’s own privileges. Tenet’s proof-of-concept package was benign and self-identified as a security scan; a real one would exfiltrate environment variables, AWS keys, GitHub/GitLab tokens, npm and Docker credentials, and Kubernetes tokens.

The core flaw is the one indirect prompt injection has highlighted for years: a model receives data and instructions as the same token stream and has no built-in way to separate them. Tenet notes the payload executed even when agents were explicitly instructed via system prompts and skills to ignore untrusted data — this is not a prompt-engineering fix.

Why it matters

What is novel here is not the exploit primitive but the scale and the blind spot. The attack bypassed EDR, WAF, IAM, VPN, and firewalls in tested configurations, because every step is authorized: a trusted process (the agent) runs a normal package-manager command using the developer’s own credentials. No binary is dropped, no policy is violated, no anomaly threshold is crossed. Tenet calls this the “Authorized Intent Chain,” and conventional controls are built to catch unauthorized behavior, of which there is none.

The bigger point is generalization. Sentry is not uniquely broken — it is an example. Any MCP-connected source that surfaces externally controllable content — issue trackers, ticketing systems, support queues, code-review comments, log aggregators — is the same injection class. Reviewing your MCP server binaries without examining the data those servers expose addresses only part of the surface. Unit 42 and Elastic have documented adjacent MCP vectors (sampling abuse, covert tool invocation, command injection in a large share of tested servers) throughout 2025–2026; agentjacking is the empirical confirmation.

Defenses

Require human confirmation before execution. Disable autonomous (auto-run) modes for any agent connected to an MCP server that surfaces external content, so package installs and shell commands need explicit approval. Pair this with developer awareness, since injected events are crafted to defeat confirmation fatigue.

Treat MCP data as untrusted input. Inventory which MCP servers your agents connect to and which return externally influenced data. Where the Sentry MCP integration is not operationally needed, disable it; where it is, constrain what the agent may do with its output.

Reduce the credential blast radius. Run agents in sandboxed, least-privilege environments with restricted file access, limited environment-variable visibility, and constrained egress — explicitly blocking cloud metadata endpoints. Replace long-lived tokens in developer environments with short-lived, scoped secrets.

Cut the entry point. Audit DSN exposure; rotate DSNs found in public bundles, repos, or scan indexes; and consider proxying client-side reporting through a server-side relay so the DSN never appears in browser code.

Govern and red-team. Apply MCP server authorization with the rigor of dependency review, and add tool-poisoning and MCP-delivered injection scenarios to agentic red-teaming — not just compromised-server-binary cases.

Status

This is published, defensively framed research, not a product CVE. Tenet disclosed to Sentry on June 3, 2026; Sentry acknowledged the same day but declined root-cause remediation, calling the class “technically not defensible” at the platform level and instead deploying a content filter against the specific payload string. The behavior was validated against Claude Code, Cursor, and Codex; all testing used only public Sentry ingest APIs, payloads self-identified as Tenet scans, and captured data was redacted at source and deleted. Because the platform owner considers source-level fixes infeasible, the practical control point is the agent’s runtime — the moment it decides to act. Source publication dates: Tenet Security, June 9, 2026; CSA Labs, June 12, 2026; The Hacker News coverage, June 2026.

This article covers published security research with a defensive framing. If your developers run AI coding agents wired to MCP integrations, treat every externally influenced data source as a potential injection path and require human approval before agents execute commands.