2,388
Organizations with injectable Sentry DSNs confirmed exposed by Tenet Security research, any of which can be targeted at zero cost
85%
Exploitation success rate against Claude Code, Cursor, and Codex in Tenet Security's controlled agentjacking testing
71
Exposed organizations ranking in the global Tranco top-1 million, confirming significant-scale targets across every sector
$0
Cost to launch an agentjacking campaign: DSN discovery requires no breach, no authentication, and no specialized tooling beyond a public HTTP client

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A single HTTP POST request using a public credential that requires no breach and no authentication lets an attacker execute arbitrary code on a developer's machine with an 85% success rate across Claude Code, Cursor, and Codex, targeting 2,388 organizations simultaneously. Tenet Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran published the full agentjacking AI coding agent attack research on June 12, 2026.

The attack exploits two design decisions that each appear safe in isolation. First, Sentry's Data Source Name (DSN) is intentionally public and embedded in frontend JavaScript for error reporting. Second, the Model Context Protocol (MCP) cannot distinguish between error data retrieved from an external service and attacker-injected instructions embedded in that data. When a developer instructs their AI coding assistant to fix unresolved Sentry issues, the agent queries Sentry via MCP, receives an injected event containing a fake "Resolution" section, and executes the attacker's shell command with the developer's full system privileges.

The attack bypasses every perimeter control deployed in modern enterprise environments. Endpoint Detection and Response tools, Web Application Firewalls, Identity and Access Management policies, VPNs, Cloudflare, and standard firewalls all pass the attack without triggering an alert. Tenet Security named this the "Authorized Intent Chain": the developer authorized the AI agent, the agent authorized the MCP connection, and the MCP connection returns data from Sentry, a trusted service the developer explicitly integrated. Every step is authorized. No anomaly fires.

Sentry was disclosed on June 3, 2026, acknowledged the vulnerability, and declined to implement a structural fix, describing the issue as "technically not defensible" at the platform level. A content filter targeting one specific payload string from the proof of concept is the entirety of Sentry's deployed remediation.

How Does the Agentjacking Attack Work?

The agentjacking AI coding agent attack chains four steps that require no specialized capability, no prior access, and no detection risk during execution.

Step 1: DSN discovery. A Sentry DSN is a public, write-only credential intentionally embedded in frontend JavaScript so browsers can report errors. Attackers locate valid DSNs by inspecting JavaScript source code on target websites, running Censys queries for ingest.sentry.io subdomains, or searching GitHub's public code index. No breach of any target system is required.

Step 2: Event injection. Using the DSN and a standard HTTP client, an attacker POSTs a crafted error event to Sentry's ingest endpoint with no authentication beyond the DSN itself. The attacker controls every field in the payload: the message body, tags, context keys, breadcrumbs, and simulated stack trace data.

Step 3: Markdown injection. The crafted event contains a fake "## Resolution" section in the message body with an npx command such as npx @attacker-package --diagnose. When the Sentry MCP server returns this event to an AI coding agent, the agent cannot distinguish attacker-injected content from legitimate Sentry system templates. Tenet Security researchers stated: "The agents themselves are now the attack surface, turned against the developers who trust them."

Step 4: Code execution and exfiltration. The agent executes the npx command with the developer's full system privileges. The package downloads from the npm registry and probes for environment variables, AWS credentials at ~/.aws/config, npm tokens at ~/.npmrc, Docker credentials at ~/.docker/config.json, and network interface configuration. Results are exfiltrated via HTTPS POST to the attacker's beacon server. Testing by Tenet Security confirmed 85% exploitation success across Claude Code, Cursor, and Codex.

1

DSN discovery via public search

Attacker locates target's Sentry DSN from browser JavaScript source, Censys enumeration of ingest.sentry.io, or GitHub code search. No breach required.

2

Malicious event injected into Sentry

Attacker POSTs crafted error event using only the DSN. Fake '## Resolution' markdown section contains an npx shell command the agent will execute.

3

AI agent retrieves event via MCP

Developer asks AI coding agent to fix unresolved Sentry errors. Agent queries Sentry via MCP, receives injected event, and interprets attacker content as legitimate diagnostic guidance.

4

Code executes; credentials exfiltrated

Agent runs the npx command with developer privileges. Package harvests AWS keys, GitHub tokens, npm credentials, and environment variables, then POSTs to attacker beacon server.

Which Organizations Are Exposed Right Now?

Using only public Sentry APIs and no prior compromise, Tenet Security identified 2,388 organizations with valid injectable DSNs as of June 12, 2026. Of those, 71 rank within the global Tranco top-1 million website list.

Confirmed affected population categories include a Fortune 500 company with an estimated valuation near $250 billion, a hosting infrastructure provider with $2 billion in assets under management, scientific computing firms, cloud security vendors, and early-stage startups across EdTech, HealthTech, and FinTech sectors. Development teams at these organizations connect Sentry to their AI coding workflows via MCP integrations as standard practice.

The credential exposure from a successful agentjacking attack is severe. A successful attack can extract AWS access keys and session tokens, GitHub OAuth tokens granting access to private repositories, Kubernetes service account tokens, Sentry authentication tokens, npm and Artifactory package registry credentials, and production environment variables containing database connection strings, payment processor API keys, and third-party service secrets.

Unlike traditional supply chain attacks targeting build pipelines, agentjacking strikes at the developer's active session with full contextual access to credentials held in memory and on disk. One compromised developer session provides lateral movement paths into cloud infrastructure, source code repositories, and CI/CD pipelines without triggering a single security alert.

For context on how attackers escalate from initial LLM agent access into deeper infrastructure, see our breakdown of LLM agent post-exploitation tactics using Marimo CVE-2026-39987.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The MCP Trust Problem That Makes Agentjacking Possible

The Model Context Protocol (MCP) is an open standard that allows AI coding agents to connect with external tools and data sources. Sentry's MCP server integration lets a developer ask their agent to review and fix unresolved production errors and have the agent retrieve, analyze, and act on live Sentry data automatically.

MCP's design assumes that data retrieved via tool responses is passive context, not active instruction. Agentjacking demonstrates that this assumption collapses the moment an external service accepts writes from parties other than the legitimate application. Sentry's DSN is write-accessible to anyone who discovers it. Any injected content that Sentry's MCP server subsequently returns to an AI agent becomes indistinguishable from legitimate system output.

The Cloud Security Alliance classified agentjacking on June 12, 2026, as a concrete instance of a broader vulnerability category documented across the MCP ecosystem: the inability of language model agents to enforce trust boundaries between retrieved data and executable instructions. Palo Alto Networks Unit 42 previously identified covert tool invocation and conversation hijacking as parallel MCP attack vectors through Sentry's sampling mechanism.

The attack generalizes beyond Sentry. Any MCP server that returns data from an endpoint with less-restricted write access than read access presents an equivalent injection surface. As AI coding agents integrate with more external services through MCP, each integration where external parties can influence the returned data becomes a potential agentjacking vector.

This parallels the AI command injection pattern documented in our analysis of LAMEHUG malware, where APT28 used live LLM command generation to turn AI tooling trusted by developers into an active attack mechanism.

The attacker never touches the victim's infrastructure. The malicious instruction arrives disguised as legitimate resolution guidance from a service the developer deliberately connected to their AI workflow.

Tenet Security Research, June 12, 2026

What Sentry Did, and Did Not Fix

Sentry's response to the agentjacking disclosure illustrates a gap between responsible vulnerability disclosure and structural platform remediation that is increasingly common across the AI tooling ecosystem.

Tenet Security disclosed the agentjacking technique to Sentry on June 3, 2026. Sentry acknowledged the disclosure and stated the issue is "technically not defensible" at the platform level, citing the intentional design of DSNs as public write-only credentials. Sentry activated a global content filter blocking the specific npx payload string used in Tenet Security's proof of concept.

The practical protection this filter provides is minimal. It targets the exact command string from the disclosed proof of concept. Any attacker who changes the package name, uses pip instead of npx, encodes the command differently, or structures the markdown injection in a variant format bypasses the filter. The filter addresses one specific indicator from the public disclosure, not the attack class.

Sentry has not implemented authenticated event ingestion, per-event content validation against shell command patterns, rate limiting on DSN write operations from novel IP addresses, or any mechanism to flag events containing execution instructions before they are returned to MCP clients. Each of these architectural changes would represent a structural fix and would require modifications to Sentry's core event ingestion pipeline.

The researchers identified that runtime controls at the AI agent level are the only currently viable mitigation path. Agent-level guardrails that inspect MCP tool responses for shell execution instructions before acting on them can prevent the attack regardless of what Sentry returns, as long as the agent applies the check consistently across all MCP-connected data sources.

Detecting an Agentjacking Attempt

Agentjacking produces no traditional network IOCs because the attack routes entirely through Sentry's legitimate infrastructure until the final exfiltration step. Defenders must rely on behavioral indicators rather than IP or domain blocklists for primary detection.

Behavioral indicators of a successful or in-progress agentjacking attack include: an AI coding agent executing npx commands with package names absent from the project's package.json; shell command execution triggered by an AI agent immediately after querying Sentry or any MCP-connected issue tracking service; outbound HTTPS POST requests from developer workstations to unrecognized endpoints following an AI agent session; unexpected subprocess spawning from AI agent processes; and credential file reads at ~/.aws/config, ~/.npmrc, and ~/.docker/config.json by agent-spawned npm scripts.

DSN exposure can be assessed proactively before an attack occurs. Organizations can search GitHub code search and Censys for their Sentry DSN strings. Any DSN reachable through public search should be treated as injectable until rotated. Tenet Security's controlled testing payloads self-identified with an x-tenet-security: ResponsibleDisclosure header on injected events. Malicious actors will not include this marker.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

7 Steps to Defend Against Agentjacking

Disabling Sentry MCP integrations is the fastest single action that eliminates the agentjacking attack surface. Organizations that cannot immediately disable these integrations should implement all seven controls below in parallel.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why the Agentjacking Attack Matters for Your Organization

Agentjacking represents the first publicly documented, large-scale attack class that converts a developer's own trusted AI coding tool into the threat actor, executing attacker code with developer privileges inside the development environment without touching any victim infrastructure directly.

Prior AI security concerns focused on attackers using LLMs to write malicious code faster or generate more convincing phishing emails. Agentjacking is categorically different: the developer explicitly authorized the AI agent, the AI agent explicitly authorized the MCP connection, and the connection returns data from a service the developer chose to integrate. Every control in the chain sees authorized behavior. Nothing alerts.

The attack scales cheaply. Discovering injectable DSNs across thousands of organizations requires a Censys API key and a GitHub account. Crafting the injection payload requires writing a markdown section and a throwaway npm package. An attacker can queue malicious events in all 2,388 exposed organizations in under an hour and wait for developers to use their standard AI coding workflows.

The credential chain from a successful agentjacking attack is severe. AWS keys enable cloud infrastructure access and resource creation. GitHub tokens enable private repository theft and potential supply chain compromise through malicious commit injection. npm credentials enable downstream supply chain attacks through malicious package publishing. Each stolen credential class represents a distinct breach that can propagate to customers, partners, and dependent software systems beyond the original victim organization.

Organizations that build software using AI coding agents with external MCP integrations must treat agentjacking as an active threat. Audit DSN exposure, disable Sentry MCP integrations, and investigate AI agent process logs for credential file access since any Sentry MCP integration was first enabled.

The bottom line

Agentjacking converts developer AI coding agents into unwitting attack tools by injecting malicious commands into Sentry error events that cost nothing to craft and require no breach to deliver. With an 85% exploitation success rate across Claude Code, Cursor, and Codex, and 2,388 organizations confirmed exposed, this attack is not theoretical. Disable Sentry MCP integrations today, rotate any DSN reachable via public search, and audit AI agent process logs for subprocess execution triggered by MCP tool responses. Every development environment running an AI coding agent with Sentry MCP access is a live attack surface until these controls are in place.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is agentjacking?

Agentjacking is an attack technique that hijacks AI coding agents by injecting malicious shell commands into Sentry error events. An attacker uses a target's public Sentry DSN credential to POST a crafted event containing a fake resolution section with an npx command. When the developer's AI agent queries Sentry via MCP and retrieves the injected event, the agent executes the attacker's command with the developer's full system privileges. Tenet Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran discovered and named the technique in June 2026.

How does an agentjacking attack work?

An agentjacking attack works in four steps. First, the attacker discovers a target's Sentry DSN from browser JavaScript or public search tools such as Censys and GitHub code search. Second, the attacker POSTs a crafted error event to Sentry's ingest endpoint using only the DSN. Third, when the developer asks their AI agent to fix unresolved Sentry issues, the agent retrieves the injected event via MCP and cannot distinguish attacker instructions from legitimate error data. Fourth, the agent executes the attacker's shell command and the resulting npm package exfiltrates credentials from the developer's machine.

Which AI coding agents are vulnerable to agentjacking attacks?

Tenet Security confirmed that Claude Code, Cursor, and Codex all executed injected commands during controlled agentjacking testing, achieving an 85% exploitation success rate. Any AI coding agent that integrates with Sentry via MCP and acts on retrieved event data without validating content source is potentially vulnerable. The vulnerability is in the MCP trust model rather than in any single agent's code, so additional agents using the same pattern are also at risk.

What is a Sentry DSN and why is it exploitable?

A Sentry Data Source Name (DSN) is a public, write-only credential that applications embed in frontend JavaScript so browsers can automatically report errors to Sentry. The DSN's public nature is an intentional design decision that works safely in traditional error reporting contexts. Agentjacking exploits it because the same write access that lets browsers report errors lets attackers inject arbitrary event content into any organization's Sentry project without authentication, and AI agents subsequently retrieve that content as trusted error data.

What credentials can agentjacking steal from a developer's machine?

A successful agentjacking attack can extract AWS access keys and session tokens from ~/.aws/config, GitHub OAuth tokens granting private repository access, Kubernetes service account tokens, Sentry authentication tokens, npm and Artifactory package registry credentials from ~/.npmrc, Docker credentials from ~/.docker/config.json, and environment variables from .env files containing production database connection strings, payment processor API keys, and third-party service secrets.

Has Sentry fixed the agentjacking vulnerability?

Sentry has not implemented a structural fix. After Tenet Security disclosed the vulnerability on June 3, 2026, Sentry acknowledged the issue but stated it is technically not defensible at the platform level. Sentry deployed a content filter blocking the specific npx payload string from the disclosed proof of concept. This filter does not address variant payloads with different package names, alternative commands, or modified markdown formatting. Authenticated event ingestion would be a structural fix, but Sentry has not committed to implementing it.

How can I detect if my AI agent was hijacked via Sentry MCP?

Signs of a successful agentjacking attack include: AI agent processes spawning subprocesses that execute npx commands with packages not in your project dependencies; credential file access at ~/.aws/config, ~/.npmrc, or ~/.docker/config.json by agent-spawned scripts; outbound HTTPS POST requests from AI agent processes to unrecognized endpoints; and subprocess chains triggered immediately after a Sentry MCP query. Review AI agent process logs and EDR telemetry covering the period since any Sentry MCP integration was first enabled.

How do I protect my organization from MCP injection attacks like agentjacking?

The most effective immediate protection is disabling Sentry MCP integrations in all AI coding agents. Additionally: rotate any Sentry DSN found in public GitHub or Censys search results; configure AI agent allow-lists requiring human approval for shell commands sourced from MCP tool responses; deploy MCP security tools such as Javelin Ramparts or McpSafetyScanner to inspect tool responses before agents act on them; monitor AI agent process trees for credential file access and outbound POST requests to novel endpoints.

Sources & references

  1. Tenet Security: A Fake Bug Report Hijacks Your AI Coding Agent
  2. The Hacker News: Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
  3. Cloud Security Alliance: Agentjacking MCP Injection Hijacks AI Coding Agents
  4. Infosecurity Magazine: New Agentjacking Attacks Could Hijack AI Coding Agents

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.