Agentjacking Hijacks AI Coding Agents via Sentry MCP Injection

AI coding assistants have become a fixture in developer workflows, but a new attack class exposes a fundamental flaw in how these tools trust external data. Researchers at Tenet Security published findings this week on Agentjacking, a technique that manipulates AI agents into executing attacker-controlled code without touching the victim's infrastructure at all.

The attack exploits the intersection between Sentry's error ingestion system and the Model Context Protocol (MCP) that AI agents use to interact with external services. Because Sentry accepts arbitrary payloads from anyone with access to a Data Source Name (DSN)—a public, write-only credential embedded in client-side code—attackers can inject malicious instructions that AI agents interpret as legitimate error remediation guidance.

How the Attack Works

The exploitation chain requires minimal effort. Attackers first locate a target organization's Sentry DSN, which is often exposed in public JavaScript bundles. They then craft a malicious error event containing markdown-formatted instructions in the message body or context fields. When a developer later asks their AI coding agent to "fix unresolved Sentry issues," the agent retrieves the injected event through the Sentry MCP server and interprets the payload as trusted diagnostic guidance.

The injected markdown renders identically to legitimate Sentry system templates, making it indistinguishable from authentic error messages. Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran documented an 85% exploitation success rate across major AI coding assistants during testing.

Tenet identified at least 2,388 organizations with valid injectable DSNs during their research, spanning solo developers to Fortune 500 enterprises.

Affected Platforms

The vulnerability impacts any AI coding assistant that integrates with Sentry through MCP, including Claude Code and Cursor. The risk extends beyond Sentry—any MCP tool integration returning externally influenced data to an AI agent creates the same vulnerability class. This echoes concerns raised in recent research on prompt injection in AI agent frameworks we covered last week.

The attack bypasses traditional perimeter defenses entirely. EDR, WAF, IAM policies, VPNs, and firewalls offer no protection because the malicious instruction arrives as ordinary error guidance within trusted system output. The attacker never touches the victim's infrastructure directly.

Potential Impact

Successful exploitation grants attackers full developer privileges on the local machine. This includes access to environment variables, Git credentials, private repository URLs, and developer identities—everything needed to pivot into broader supply chain attacks.

For organizations concerned about supply chain security, Agentjacking represents a new attack surface that traditional security tooling doesn't address.

Vendor Response

Tenet disclosed the findings to Sentry on June 3, 2026. Sentry acknowledged the issue the same day but declined to implement a root fix, describing the attack class as "technically not defensible" at the platform level. The company did activate a global content filter blocking a specific payload string used in the proof-of-concept, though researchers note this provides limited protection against slightly modified attacks.

Recommended Mitigations

Organizations using AI coding agents with external integrations should implement several protective measures:

1. Treat all AI agent output as untrusted until manually verified, particularly when the agent references external data sources
2. Audit MCP tool integrations for any that return user-influenced or externally-sourced data
3. Rotate Sentry DSN credentials if exposed in client-side code and consider server-side-only error reporting
4. Implement approval workflows for AI-suggested code changes that involve shell commands or file system modifications
5. Monitor for unusual file creation or command execution triggered by AI coding assistants

The broader lesson applies beyond Sentry: as AI agents gain access to more external tools and data sources, the attack surface for this class of injection grows proportionally. Security teams should evaluate any tool integration that feeds untrusted data into AI agent context.