Security researchers have identified a new attack class, dubbed “Agentjacking,” that exploits how AI coding agents process error reports from Sentry, the widely used open-source error-tracking platform. The technique allows attackers to run arbitrary code on a developer’s machine without phishing, malware, or any prior compromise of the victim’s systems.
According to research published by Tenet Security’s Threat Labs, the attack abuses the connection between Sentry and AI coding agents established through the Model Context Protocol (MCP), the open standard that lets tools like Claude Code, Cursor, and OpenAI’s Codex pull in data from external services.
How Agentjacking Works
The exploit chain begins with Sentry’s open event-ingestion design. Any party holding a project’s Sentry DSN — a write-only credential that is often publicly visible in client-side JavaScript or discoverable through GitHub searches — can submit error events to that project, with no further authentication required.
The Agentjacking chain: a leaked Sentry DSN lets an attacker plant a fake error that an AI coding agent retrieves via MCP and acts on as if it were a real bug report.
- An attacker locates a target’s exposed Sentry DSN and submits a crafted, fake error event designed to look like a routine application crash.
- The AI coding agent, queried via MCP, retrieves this event from Sentry and treats it as trusted diagnostic output — the same way it would treat a genuine crash report.
- Embedded within the fake event is an instruction disguised as a legitimate “resolution” step, structurally indistinguishable from Sentry’s own remediation guidance.
- When a developer prompts their agent to “fix unresolved Sentry issues” (a common workflow), the agent follows the planted instruction and executes attacker-controlled commands, including malicious npm packages, with the developer’s full local privileges.
As the Tenet researchers — Ron Bobrov, Barak Sternberg, and Nevo Poran — put it, the danger lies in implicit trust: an AI agent cannot distinguish a genuine application crash from an event an attacker has injected, yet it acts on both with the same authority a human developer would.
Scale and Severity
In controlled testing, the Agentjacking technique achieved an 85 percent success rate across the most widely used coding agents, including Claude Code, Cursor, and Codex. Tenet Security also identified more than 2,388 organizations with valid, publicly exposed Sentry DSNs that could be targeted using this method — ranging from a company valued at roughly $250 billion down to individual solo developers, and reportedly including at least one cloud security vendor.
Because the attack arrives through a channel the agent already trusts — and because every individual step in the chain is technically “authorized,” — standard security tooling does not flag the activity. No phishing email, malicious link, or unusual network connection is required.
What’s at Risk
A successful Agentjacking attack can expose:
- Local environment variables, which frequently contain API keys and secrets
- Git credentials
- Private repository URLs and developer identity information
Because the malicious code runs with the developer’s own system privileges, the practical impact is similar to a direct compromise of the developer’s machine — achieved entirely through a tool the developer asked their AI assistant to use.
Context: Part of a Broader Pattern
Agentjacking is not an isolated finding. It follows closely behind separate research from Adversa AI, published in May 2026, which documented a related class of issue dubbed “TrustFall.” That research found that Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI could all be made to execute project-defined MCP servers automatically after a developer accepts a routine “trust this repository” prompt — potentially with a single keypress and no further warning.
Taken together, the two findings point to a structural issue across the agentic coding ecosystem: as coding agents have moved from simple autocomplete tools to systems that can read external data sources and execute commands on local machines, the trust boundaries around what those agents are allowed to act on have not kept pace.
What Developers and Teams Can Do Right Now
Action checklist: Agentjacking
- Rotate any Sentry DSN that may have been exposed in client-side code, public repos, or build artifacts.
- Do not run blanket prompts like “fix all unresolved Sentry issues” until your agent vendor confirms stronger verification of MCP tool outputs.
- Review which MCP servers your coding agent auto-approves, especially in cloned or third-party repositories.
- Run coding agents under a restricted local user account or sandbox when connected to external MCP tools.
- Check Tenet Security’s published indicators of compromise if you suspect your Sentry project may have been targeted.
Vendor Response
Anthropic has previously patched related MCP trust issues in Claude Code, including CVE-2025-59536, CVE-2026-21852, and CVE-2026-33068, identified during the earlier TrustFall research. At the time of writing, Anthropic, Sentry, and OpenAI had not issued public statements specific to the Agentjacking findings. This article will be updated if vendor responses are issued.
Sources
Tenet Security Threat Labs; The Hacker News; Infosecurity Magazine; Cloud Security Alliance Research; Adversa AI (TrustFall research, May 2026).
