Information Security News

Agentjacking: Fake Sentry Errors Hijack AI Coding Agents

by · Published · Updated

Agentjacking attack using a fake Sentry error report to hijack an AI coding agent through the Sentry MCP server

AI assistants have become a normal tool for debugging lately. Yet even an ordinary crash report can turn into a command that runs someone else’s code on your machine. Tenet Threat Labs has shown a technique called Agentjacking. In it, fake Sentry reports push AI agents to follow an attacker’s instructions.

No Passwords, Just a Public DSN

In the demonstrated scenario, the attacker needs no passwords or access to the company network. It is enough to find the Sentry project identifier, or DSN, in a website’s public code. That identifier is often visible by design, since apps use it to send error reports. With the DSN in hand, the attacker can then send a fake report into Sentry.

How the Attack Works

The method builds on instruction injection. The malicious text hides inside the report content using Markdown. Then a developer asks an AI agent to investigate the problem through the Sentry MCP server. The agent reads the fake report as working context. As a result, it can treat the embedded instructions as a trusted task. You can read the full breakdown in Tenet’s report.

From Error Report to Code Execution

In Tenet’s demo, a fake “resolution” section told the agent to run a command. That command was npx @tenet-controlled-validation-package –diagnose. It downloaded and ran a Tenet-controlled npm package from the public registry. According to the researchers, the same path could achieve remote code execution. An attacker would simply swap the test package for a malicious one.

How Widespread Is the Exposure?

Tenet tested the technique with Claude Code, Cursor, and OpenAI Codex. The trials ran on Windows, macOS, and automated cloud pipelines. During a validation period that ended on June 17, 2026, the team found 2,388 organizations with exposed Sentry DSNs. At more than 100 global companies, AI assistants ran Tenet’s controlled code. One was a Fortune 100 firm valued at about $250 billion.

Why the Real Risk Runs Deeper

The danger goes beyond running a single command. A malicious package could act with the developer’s local privileges. From there, it could try to grab secrets like AWS keys, GitHub tokens, or SSH keys. Worse still, normal defenses may miss this chain. Every action looks like the work of trusted tools and an authorized user. Tenet calls this the “Authorized Intent Chain,” and traditional controls are built to catch unauthorized behavior instead.

Disclosure and Defense

Tenet reported the issue to Sentry on June 3, 2026. According to the company, Sentry added a filter that blocks the specific text from the demo. However, the nature of the problem blocks a universal fix. AI agents do not always separate untrusted data from instructions. To reduce the risk, Tenet released a free tool called Agent-JackStop. It aims to harden Cursor and Claude Code against instruction injection from external sources. Beyond that tool, teams should limit what their agents can run, require approval for unfamiliar commands, and scope developer credentials tightly.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Tags:

Leave a Reply