TITLE: Agentjacking: The Attack That Turns Your AI Coding Agent Against You DATE: 2026-06-21 COMPANY: Tenet Security / Sentry TOPIC: AI Security SUMMARY: Security researchers at Tenet Security disclosed a novel attack called agentjacking, which exploits the Sentry error-tracking MCP server to hijack AI coding agents including Claude Code, Cursor, and OpenAI Codex. By injecting a malicious payload into a project's public Sentry error endpoint, an attacker can cause an AI agent to execute arbitrary code with full developer privileges. Researchers confirmed 2,388 organisations exposed and achieved an 85% exploitation success rate across 100-plus real targets. WHAT CHANGED: Tenet Security Threat Labs published a proof-of-concept demonstrating that AI coding agents connected to Sentry via MCP can be hijacked by a third party with no prior access to the developer's machine, no compromise of the Sentry platform, and no interaction from the developer beyond asking their agent to triage bugs. The mechanism relies on two structural features of how these systems work together. First, Sentry's event ingestion endpoint is publicly writable by anyone who holds a valid DSN. DSNs are, by design, embedded in production applications so that errors can be reported from the browser. They are routinely visible in page source code, JavaScript bundles, and public repositories. Second, when a developer asks their AI coding agent to review unresolved Sentry issues, the agent connects to Sentry via MCP and treats the errors returned as trusted information it should act on. An attacker can post a crafted error event to a target's Sentry account at any time before the developer makes that request. When the agent retrieves the error queue and processes the attacker's injected payload, it executes the embedded instructions with the developer's full system privileges, including access to the filesystem, shell, Git configuration, and any credentials stored in environment variables. Tenet tested the attack across more than 100 real-world organisations and confirmed an 85% exploitation rate. Researchers identified at least 2,388 organisations with injectable Sentry DSNs, found 71 within the global Tranco top-1 million, and confirmed that a Fortune 500 company near $250 billion in valuation was among those exposed. The exfiltrated data in a real attack would include SSH keys, API tokens, Git credentials, and private repository URLs, obtained without phishing, without prior server access, and without triggering conventional security tooling. Sentry was notified on June 3, 2026. The company introduced a global content filter for one specific payload string but characterised the underlying issue as "technically not defensible," explaining that the combination of a public write endpoint and an AI agent that processes that data as trusted input cannot be solved at the Sentry layer alone. Sentry deferred the broader fix to AI model vendors, who have not yet shipped a systematic solution. WHY IT MATTERS: It affects the tools developers are already using today. Claude Code, Cursor, and Codex are not niche research tools. They are production developer environments in daily use at companies across every sector. An 85% exploitation rate against a hundred real-world targets means this is a deployable attack, not a theoretical edge case. MCP is the standard integration layer for AI agents in 2026. The Sentry MCP server is one of hundreds of MCP-connected tools that AI coding agents can be configured to use. The agentjacking technique is not unique to Sentry. Any MCP server that returns data from a source that can be written to by an untrusted party is a potential injection point. Sentry is the first publicly documented instance. It will not be the last. The fix has been passed between vendors with no resolution. Sentry says it cannot defend this at its layer. AI model vendors have not shipped a systematic solution. That leaves the organisation in the middle, holding an attack surface it did not knowingly create. Operators need to act on their own configuration rather than waiting for vendors to resolve the architectural gap. Data exfiltration leaves no obvious trace. Because the agent is executing what looks like a normal developer instruction from a trusted tool, there is no obvious anomaly in agent logs. The attacker's code runs in the context of a standard coding session. Traditional endpoint detection and response tools that look for unusual process spawning or network calls may not flag this pattern. The 2,388 exposed organisations represent the visible surface. Tenet's scan identified organisations with publicly injectable DSNs. Organisations with DSNs exposed through less visible channels, internal tools, or partner systems are not captured in that count. DAVID & GOLIATH ANALYSIS: Agentjacking is not a bug in any one product. It is a consequence of building AI agents that are designed to be helpful by taking external data at face value, and then connecting those agents to real-world systems that were never designed to be trusted data sources. Sentry's error-tracking infrastructure was built to accept anything a browser sends. An AI agent was built to act on anything a connected tool returns. Nobody wrote a policy for what happens when those two systems are wired together. The security industry is, predictably, behind. Detection and response tools were designed for a world where threats came from compromised credentials, malicious binaries, or network intrusions. An attack that travels through a legitimate MCP server as a well-formatted error event is invisible to most of that tooling. The gap between what AI agents can do and what enterprise security architecture was designed to protect is real, documented, and open. For operators at 10-to-200-person companies, the practical translation is this: every MCP integration you add to an AI agent is a trust boundary you are implicitly accepting. You should know what those boundaries are, who controls the data on the other side, and what your agent will do if that data contains unexpected instructions. Right now, most teams do not have that inventory. Building it is not a long project. It is an afternoon conversation that pays for itself the first time an attacker looks for your Sentry DSN. RELEVANT SYSTEMS: Secure AI Brain, Employee Amplification Systems SOURCE URL: https://davidandgoliath.ai/daily-ai-briefing/agentjacking-attack-ai-coding-agents-sentry-mcp-enterprise-security FEED URL: https://davidandgoliath.ai/daily-ai-briefing/feed --- Published by David & Goliath | https://davidandgoliath.ai Daily AI Briefing: one AI development per day, decoded for business operators. This is a structured companion file optimised for LLM retrieval and citation.