AI coding agents such as Claude Code and Cursor are now deeply embedded in developer workflows, with access to filesystems, secrets stores, CI/CD credentials, and production infrastructure. On 12 June 2026, Tenet Security’s Threat Labs published research disclosing a novel attack class they call Agentjacking, which exploits the implicit trust these agents place in external tool outputs. The technique requires no authentication bypass, no malware installation, and no phishing. All it requires is a Sentry DSN.
How the attack works
Sentry is an application monitoring and error-tracking platform used by a large proportion of engineering teams. It ingests error events from applications and surfaces them to developers for debugging. When Sentry is connected to an AI coding agent via the Model Context Protocol (MCP), the agent receives Sentry error events as tool input and can read, summarise, and act on them automatically.
The attack exploits two properties of this setup. First, Sentry DSNs, the credentials used to submit events to Sentry projects, are write-only and are routinely embedded in browser JavaScript bundles and public GitHub repositories. They are effectively public. Second, the MCP integration means that arbitrary content submitted to a Sentry project flows directly into the AI agent as tool output, without the agent treating it as potentially adversarial.
An attacker who discovers a Sentry DSN can submit a crafted error event containing malicious instructions. The event looks like a normal application error to automated systems. When the developer’s AI coding agent retrieves it through the MCP integration, it processes the payload as authoritative tool output rather than untrusted external input. The injected instructions can direct the agent to exfiltrate CI/CD credentials, access private source code repositories, compromise cloud infrastructure access keys, or establish persistent access on the developer’s machine.
Scale and success rate
Tenet’s research team tested the technique against production systems and confirmed an 85 percent exploitation success rate across top coding agents, including Claude Code and Cursor. Over 100 instances of successful agent execution were confirmed, affecting targets ranging from solo developers to a Fortune 500 enterprise. The research team identified the same DSN exposure pattern across GitHub repositories spanning multiple sectors and geographies.
Why conventional defences do not catch this
Tenet describes the fundamental problem as an Authorized Intent Chain. Every action in the attack sequence is technically legitimate. The Sentry DSN is valid. The error event submission follows the Sentry API contract. The MCP integration retrieves the event exactly as designed. The coding agent executes the instructions using its configured tools, applying whatever permissions it has been granted. EDR, WAF, IAM controls, VPN, and Cloudflare see nothing anomalous because nothing in the chain is anomalous at the individual step level.
The attack surface sits in the gap between what is technically permitted and what is actually intended. AI coding agents have not been designed with the assumption that their tool inputs might contain adversarial instructions. They were designed to be helpful, which means they process instructions arriving in tool outputs without questioning their legitimacy.
Sentry’s response
Tenet disclosed the findings to Sentry on 3 June 2026. Sentry acknowledged the report but declined to implement a root-cause fix at the platform level, describing the attack class as “technically not defensible” from their position. This means the risk currently falls entirely on the organisations and developers using Sentry MCP integrations.
What development teams should do now
The immediate priority is auditing which Sentry DSNs from your projects are publicly exposed. Check browser JavaScript bundles, public GitHub repositories, and any documentation that references your Sentry project configuration. Rotate any DSN that has been publicly accessible, even if you have no evidence of misuse.
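One way to run that audit over your own build output or a repository checkout, as an added example that is not code from Tenet or Sentry. It assumes the 32-hex-character public key found in typical Sentry DSNs; the sample DSN is constructed and the file suffix list is an arbitrary starting point.

```python
import re
import sys
from pathlib import Path

# DSN shape: scheme://public_key[:legacy_secret]@host/[path/]project_id
# Assumption: the public key is 32 hex characters, as in typical Sentry DSNs.
DSN_RE = re.compile(
    r"https?://(?P<key>[0-9a-f]{32})(?::[0-9a-f]{32})?"
    r"@(?P<host>[A-Za-z0-9.-]+(?::\d+)?)/(?:[\w-]+/)*(?P<project>\d+)"
)
TEXT_SUFFIXES = {".js", ".mjs", ".map", ".html", ".json", ".md", ".env",
                 ".yml", ".yaml", ".py", ".ts", ".tsx", ".jsx", ".txt"}

# Constructed sample input: not a real key, organisation or project.
SAMPLE_BUNDLE = ('Sentry.init({dsn:"https://0123456789abcdef0123456789abcdef'
                 '@o123456.ingest.sentry.io/4501234567890123"});')

def find_dsns(text):
    """Return (redacted_key, host, project_id) for every DSN found in text."""
    hits = []
    for m in DSN_RE.finditer(text):
        key = m.group("key")
        # Redact the key so the audit report does not become another leak.
        hits.append((key[:4] + "..." + key[-4:], m.group("host"), m.group("project")))
    return hits

def scan_tree(root):
    """Walk root and map each DSN to the list of files that expose it."""
    exposure = {}
    for path in Path(root).rglob("*"):
        wanted = path.suffix.lower() in TEXT_SUFFIXES or path.name.startswith(".env")
        if not path.is_file() or not wanted:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        for hit in find_dsns(text):
            exposure.setdefault(hit, []).append(str(path))
    return exposure

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for (key, host, project), files in scan_tree(root).items():
        print(f"{host} project {project} key {key}: {len(files)} file(s)")
        for name in files:
            print("   ", name)
```

Each DSN reported from a public bundle or repository is a candidate for rotation; grouping by DSN shows every place the replacement value has to be updated.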
Review your AI coding agent configurations and assess whether the Sentry MCP integration is necessary in its current form. If it is, evaluate whether the agent should hold write access to filesystems, secrets, or network endpoints at the same time as processing external MCP tool input. The risk is substantially reduced if the agent operates in a sandboxed or read-only mode when handling Sentry event data.
Treat tool output from external integrations as untrusted input. System prompts for AI coding agents should state explicitly that content arriving through MCP integrations may be adversarial and should not be treated as authoritative instructions without human review. This is not a complete defence, but it shifts the model toward appropriate scepticism.
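The two recommendations above can be enforced outside the model rather than only requested in a prompt. The following added example (not part of any agent's real API; the tool names and the `ToolGate` class are hypothetical) marks a session as tainted once Sentry data enters it, hands that data to the model as quoted JSON, and refuses sensitive tools until a human approves.

```python
import json
from dataclasses import dataclass, field

# Hypothetical tool names: map these to whatever your agent runtime exposes.
UNTRUSTED_SOURCES = {"sentry.get_issue", "sentry.list_events"}
SENSITIVE_TOOLS = {"fs.write", "shell.exec", "secrets.read", "http.request"}

# Constructed sample event body; the bracketed text stands in for a payload.
EVENT = "TypeError in checkout.js [constructed: embedded instructions here]"

@dataclass
class ToolGate:
    """Denies sensitive tools once untrusted tool output is in the session."""
    tainted_by: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def record_output(self, tool, output):
        """Call on every tool result before it is shown to the model."""
        if tool not in UNTRUSTED_SOURCES:
            return output
        self.tainted_by.append(tool)
        # JSON-encode so the text arrives as a quoted data field and cannot
        # close a delimiter and pose as system or developer text.
        return json.dumps({"source": tool, "untrusted_data": output})

    def authorize(self, tool, approved_by=None):
        """Return True if the agent may call `tool` now; log every decision."""
        if tool not in SENSITIVE_TOOLS or not self.tainted_by:
            decision = "allow"
        elif approved_by:
            decision = "allow-with-approval"  # explicit human sign-off
        else:
            decision = "deny"
        self.audit_log.append((tool, decision, approved_by))
        return decision != "deny"

if __name__ == "__main__":
    gate = ToolGate()
    print(gate.authorize("shell.exec"))        # clean session
    print(gate.record_output("sentry.get_issue", EVENT))
    print(gate.authorize("shell.exec"))        # tainted, no approval
    print(gate.authorize("shell.exec", approved_by="reviewer"))
    print(gate.audit_log)
```

The gate does not try to detect malicious text; it assumes any Sentry event may be hostile, so it keeps working when a payload is phrased in a way no filter anticipated.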
More broadly, Agentjacking illustrates a structural gap in how agentic AI tooling is being deployed in development environments. The productivity gains are real, but the security perimeter has not been updated to match. Any external service integrated with an AI agent via MCP is a potential injection surface. The more tools an agent can call, the wider that surface becomes.
If you want to assess your organisation’s exposure to MCP injection attacks, review your AI coding agent configurations for overly permissive tool access, or build a security framework that accounts for the specific risk profile of agentic AI in development workflows, contact Excello Digital. We work with European engineering teams navigating the security implications of AI-assisted development at scale.
