Skip to main content

Your AI coding agent is about to become your biggest security liability — and not because of a zero-day in the model itself. In June 2026, researchers at Tenet Security disclosed a devastating new attack class called Agentjacking, which turns trusted developer tools like Sentry into remote code execution vectors targeting AI coding assistants. The attack achieved an 85% success rate across some of the most widely deployed agents in the industry.

If your development team uses AI coding agents connected to external services via MCP (Model Context Protocol), this one demands your immediate attention.

TL;DR

  • Agentjacking exploits publicly exposed Sentry DSN credentials to inject malicious payloads that AI coding agents execute as trusted instructions
  • The attack achieved an 85% exploitation rate across Claude Code, Cursor, and Codex in controlled tests, affecting 2,388 organisations
  • Traditional security tools (EDR, WAF, firewalls) are completely blind to this attack because every step in the chain is technically authorised
  • Sentry acknowledged the vulnerability but declined to fix it at a platform level, calling it “technically not defensible”
  • Defence must shift to the agent’s decision-making layer — treating MCP data as untrusted input, not system guidance

The Attack Chain: From Public Credential to Code Execution

The genius — and the terror — of Agentjacking lies in its simplicity. The attack requires no password breach, no network intrusion, and no exploit kit. It uses infrastructure your team has already deployed and authorised.

Here is how it works, step by step:

Step 1: DSN Discovery. Sentry embeds Data Source Name (DSN) keys directly in client-side application code by design. These are public, write-only credentials intended to let your application report errors. Attackers simply view your page source or scan JavaScript bundles to extract them.

Step 2: Payload Injection. Using the harvested DSN, the attacker sends a crafted error event to Sentry’s ingestion endpoint via a simple POST request. The payload contains carefully formatted markdown in the message fields and context key names — designed to visually mimic authentic Sentry output when rendered.

Step 3: Agent Retrieval. When a developer asks their AI coding assistant to investigate or fix Sentry issues, the agent queries Sentry via MCP. It retrieves the malicious event alongside legitimate errors, treating all responses as inherently trustworthy diagnostic data.

Step 4: Code Execution. The agent interprets the injected instructions as a legitimate “Resolution” guide and executes the attacker-controlled code with full developer privileges on the local machine. Environment variables, AWS keys, GitHub tokens, git credentials, and private repository URLs are all exposed.

The Authorised Intent Chain: Why Your Security Stack is Blind

What makes Agentjacking genuinely frightening is what Tenet Security calls the “Authorised Intent Chain”. Every single step in the attack path is explicitly authorised:

  1. The developer authorised the AI agent to run on their machine
  2. The agent authorised the MCP connection to Sentry
  3. The MCP connection retrieves data from Sentry — a trusted service the developer explicitly integrated
  4. The agent acts on the data it received from a trusted source

No anomaly fires. No alert triggers. EDR tools see an authorised process making authorised network calls and executing authorised file operations. Firewalls see legitimate HTTPS traffic to a legitimate service. IAM systems see valid credentials being used as intended.

This is not a vulnerability in any single tool. It is a systemic trust architecture failure — the gap between what we authorise and what we intend.

Who Is Affected

Tenet Security’s research documented successful exploitation against Claude Code, Cursor, and Codex — three of the most widely adopted AI coding agents in professional development teams today. The 85% success rate was not a cherry-picked figure; it held across controlled tests against over 100 organisations.

The exposed attack surface is substantial: at least 2,388 organisations were found with injectable DSN credentials, ranging from a $250 billion enterprise to solo developers. A single injected error event could compromise an entire development environment.

Even more concerning: prompt-level defences proved ineffective. Instructing agents to ignore untrusted data did not prevent exploitation. The agents consistently treated MCP-retrieved Sentry data as system-level guidance rather than user-supplied input.

Sentry’s Response — and Why It Matters

After Tenet Security disclosed the vulnerability on 3 June 2026, Sentry acknowledged the issue but declined to remediate it at the platform level, stating it was “technically not defensible”. Their response was a surface-level content filter blocking specific payload strings — essentially a blocklist that any moderately skilled attacker can bypass with encoding variations.

This response highlights a fundamental industry problem: platform providers do not yet consider themselves responsible for how AI agents consume their data. Sentry was designed for human developers who can exercise judgement. AI agents cannot — and the MCP layer provides no mechanism for distinguishing trusted diagnostic data from injected attack payloads.

What Your Development Team Must Do Now

The mitigation for Agentjacking cannot come from your firewall, your EDR, or your VPN. It must happen at the agent’s decision-making layer — the moment the agent decides to act on retrieved data.

1. Audit Your MCP Connections

Inventory every external service your AI coding agents connect to via MCP. For each connection, ask: does this service accept data from untrusted sources? If yes (and Sentry’s public DSN ingestion is a textbook example), that connection is an attack vector.

2. Treat MCP Data as Untrusted Input

This is the core architectural shift. Data retrieved via MCP should be treated with the same suspicion as user input in a web application — validated, sanitised, and never directly executed. Agent frameworks must implement data classification layers that distinguish between trusted system prompts and externally sourced content.

3. Restrict Agent Execution Privileges

AI coding agents should not run with full developer privileges. Apply the principle of least privilege: sandbox agent execution, restrict file system access, and require explicit human approval before agents execute shell commands or modify configuration files.

4. Rotate Exposed DSN Credentials

While DSNs are designed to be public, organisations should audit which DSNs are exposed and consider implementing server-side Sentry relay configurations that keep DSN credentials out of client-side code entirely.

5. Implement Human-in-the-Loop Checkpoints

For any action an agent takes based on external data, require human confirmation. This is not about slowing down development — it is about inserting a judgement layer where the authorised intent chain currently has none.

The Bigger Picture: Agent Trust Architecture Is Broken

Agentjacking is not an isolated incident. It is the most vivid demonstration yet of a systemic problem: we are building AI agent ecosystems on implicit trust assumptions that do not hold under adversarial conditions.

The MCP protocol was designed to give AI agents access to external tools and data sources. But “access” was conflated with “trust”. When an agent retrieves data from a connected service, it treats that data as authoritative — because that is what the protocol architecture implicitly communicates.

This is the same mistake the industry made with SQL injection decades ago: treating data-plane inputs as control-plane instructions. We solved that with parameterised queries and input validation. We need an equivalent architectural boundary for AI agent data consumption.

At REPTILEHAUS, we are already advising clients on AI agent security architecture — from MCP connection auditing to sandboxed execution environments and human-in-the-loop governance frameworks. If your team is deploying AI coding agents in production, get in touch before your trusted tools become your attack surface.

📷 Photo by Markus Spiske on Unsplash