Security / Jun 30, 2026 / 5 min
Agentjacking Turns Fake Sentry Errors Into Shell Access
On June 17, Tenet Security disclosed agentjacking — a fake Sentry error that hijacks Claude Code, Cursor, and Codex into running attacker code on developer machines, and Sentry called the architectural flaw "technically not defensible."
Tenet Security disclosed "agentjacking" on June 17 — an attack that hijacks AI coding agents through a single fake Sentry error report, with no phishing, no malware, and no breach required. In controlled testing, agents at 100+ organizations including a Fortune 100 firm executed attacker code; Sentry acknowledged the flaw on June 3 and called it "technically not defensible," and the only fix is runtime controls on the agent itself.
What's new:
- Tenet Threat Labs coined "agentjacking" — injecting malicious markdown into Sentry error events via public Data Source Names (DSNs).
- When a developer asks Claude Code, Cursor, or Codex to "fix unresolved Sentry issues," the agent pulls the poisoned event through the Model Context Protocol (MCP) and runs attacker commands with the developer's full privileges.
- Tenet: "The danger lies in this implicit trust... The agent's trust in MCP tool responses creates a direct pathway from injected data to code execution."
How it works:
- Attacker finds the target's public Sentry DSN — embedded by design in frontend JavaScript.
- Attacker POSTs a crafted error event with a fake "## Resolution" section and an
npxcommand. No authentication beyond the DSN. - Developer asks their agent to triage bugs — routine workflow.
- Agent executes the command. AWS keys, GitHub tokens, and private repo URLs sit in reach.
The numbers:
- 2,388 organizations with injectable DSNs found via passive reconnaissance, per Tenet.
- 85% exploitation success rate across injected errors in Tenet's controlled testing (vendor-stated).
- 100+ confirmed agent executions spanning Fortune 500 enterprises down to solo developers across 30+ countries.
- One Fortune 100 tech company — parent valued at roughly $250 billion — saw its agent run Tenet's test code.
- "Sandboxed" CI agents, WSL environments, and network-restricted Codex builds were reached anyway.
Sentry's response:
- Tenet disclosed June 3, 2026. Sentry acknowledged same day.
- Sentry declined root-cause remediation, calling the attack "technically not defensible" at the platform level, per Tenet's disclosure.
- Sentry activated a global content filter blocking Tenet's specific proof-of-concept payload string — not the architectural pathway.
- Tenet's framing: "Your telemetry is now an RCE vector."
Same day, same class of failure:
- On June 30, Mozilla's Zero Day Investigative Network (0DIN) documented a separate indirect prompt-injection chain against Claude Code using DNS TXT records — three indirection layers from repo to reverse shell, no malicious code in the repository itself.
- Different entry point. Same structural flaw: agents that autonomously resolve errors cannot distinguish data from instructions.
What teams should do now:
- Gate every shell command sourced from external tool data — require human approval.
- Kill auto-run modes for agents connected to telemetry via MCP.
- Run coding agents in sandboxes with default-deny network egress.
- Audit exposed Sentry DSNs in public repos and shipped JavaScript bundles.
- Tenet open-sourced "agent-jackstop" hardening configs for Cursor and Claude Code.
Convina's view: Washington spent June debating which frontier models get guest lists while the agent already on your developer laptop became the attack surface. Agentjacking is not a Sentry bug — it is what happens when you wire autonomous execution to tools that return untrusted data and call the integration "convenience." Sentry's response — filter one payload string, punt architecture to model vendors — is the same accountability gap we have tracked on Mythos and Commerce kill switches. Until agent runtime gets the same procurement scrutiny as the models themselves, every "fix my bugs" prompt is a loaded gun pointed at your CI/CD credentials.