Blab Tech
Tenet Security Exposes Agentjacking Attack That Hijacks AI Coding Assistants via Sentry Error Reports
A stealth‑mode startup has revealed a new way to hijack AI coding assistants by turning a public Sentry error‑monitoring credential into a command‑execution vector. The technique, dubbed agentjacking, was demonstrated against Anthropic’s Claude Code, OpenAI’s Cursor, and Microsoft’s Codex, and requires only a single crafted error report—no malware or stolen passwords.
The attack’s simplicity is striking. An attacker first discovers a target’s Sentry Data Source Name (DSN). Because Sentry presents the DSN as a write‑only key that can safely live in front‑end JavaScript, it is frequently exposed on production sites, GitHub, or via passive reconnaissance tools such as Censys. With the DSN in hand, the attacker posts a single error event to Sentry’s ingest endpoint. The payload can carry arbitrary text, tags, and context fields, and Sentry acknowledges it with an HTTP 200 response.
Inside the AI agent, the malicious command is hidden in the event’s markdown‑formatted message and context fields. When the agent pulls unresolved Sentry issues through the Model Context Protocol (MCP), it receives the injected event as if it were a legitimate crash report. The agent’s internal prompt‑handling logic treats the event’s content as trusted guidance. In Tenet’s tests, the embedded command was an npx call that downloaded a package from the public npm registry. The package—labelled a security‑scan tool—executed with the developer’s own privileges on the local machine.
Once the command runs, the package can read environment variables, cloud configuration files, and credential stores. In controlled experiments, the attacker exfiltrated AWS access keys, GitHub tokens, and git credentials from the victim’s machine. The attack does not require any network intrusion or credential theft; it relies solely on the trust relationship between the agent and the data supplied by Sentry.
Tenet quantified the reach of the vulnerability. The researchers identified 2,388 organizations that expose a writable DSN, including 71 sites in the Tranco top‑1,000,000 list. Across separate validation waves, the team logged more than 100 confirmed executions in distinct organizations, and the attack succeeded in 85 % of the controlled tests. Victims ranged from a Fortune 100 technology company to CI/CD pipelines, Windows Subsystem for Linux (WSL) environments, and macOS and Windows workstations behind corporate VPNs.
Why the attack evades existing defenses is a key finding. Every step of the chain is authorized: the attacker never touches the victim’s infrastructure, the developer never approves any code, and the agent performs exactly what it was asked to do. As Tenet calls it the Authorized Intent Chain, traditional endpoint detection and response (EDR), web application firewalls (WAF), identity and access management (IAM), and network controls do not flag the activity. Even prompt‑layer defenses in the agents failed to block the payload when system prompts and skills instructed the model to ignore untrusted data.
Sentry’s response was swift but limited. The company acknowledged the issue on the same day Tenet released the findings and added a global content filter that blocks the specific string used in the proof‑of‑concept payload. However, the ingest endpoint remains open, and Sentry declined to fix the root cause. Tenet’s analysis indicates that the fix must reside in the agent runtime, where each action is evaluated before execution.
Model vendors reported partial mitigation. Claude Code, Cursor, and Codex all executed the injected command despite system‑prompt instructions to ignore it. Tenet offers a set of drop‑in configurations called agent‑jackstop that harden Cursor and Claude Code against this class of injection. The broader implication is that any MCP integration that returns externally influenced data can be exploited in the same way.
The incident highlights a gap in supply‑chain security for AI agents. Enterprises that rely on AI assistants to automate code fixes are now exposed to the same credentials that they already protect in CI/CD pipelines. The debate over responsibility—whether it lies with the error‑monitoring platform, the model vendor, or the agent runtime—remains unresolved. In the meantime, organizations are urged to review their Sentry DSN exposure, apply the available agent‑jackstop configurations, and consider runtime controls that gate commands sourced from external data.
The current situation is that the attack vector is known, a public fix is not yet in place, and the industry is evaluating how to incorporate runtime safeguards. Tenet’s open‑source mitigations are available, but no single party has yet released a comprehensive patch that closes the authorized‑intent chain. The next steps for vendors and enterprises will involve coordinated updates to Sentry’s ingest API, model‑vendor prompt‑handling logic, and agent runtimes to prevent malicious instructions from being treated as trusted guidance.
The attack’s simplicity is striking. An attacker first discovers a target’s Sentry Data Source Name (DSN). Because Sentry presents the DSN as a write‑only key that can safely live in front‑end JavaScript, it is frequently exposed on production sites, GitHub, or via passive reconnaissance tools such as Censys. With the DSN in hand, the attacker posts a single error event to Sentry’s ingest endpoint. The payload can carry arbitrary text, tags, and context fields, and Sentry acknowledges it with an HTTP 200 response.
Inside the AI agent, the malicious command is hidden in the event’s markdown‑formatted message and context fields. When the agent pulls unresolved Sentry issues through the Model Context Protocol (MCP), it receives the injected event as if it were a legitimate crash report. The agent’s internal prompt‑handling logic treats the event’s content as trusted guidance. In Tenet’s tests, the embedded command was an npx call that downloaded a package from the public npm registry. The package—labelled a security‑scan tool—executed with the developer’s own privileges on the local machine.
Once the command runs, the package can read environment variables, cloud configuration files, and credential stores. In controlled experiments, the attacker exfiltrated AWS access keys, GitHub tokens, and git credentials from the victim’s machine. The attack does not require any network intrusion or credential theft; it relies solely on the trust relationship between the agent and the data supplied by Sentry.
Tenet quantified the reach of the vulnerability. The researchers identified 2,388 organizations that expose a writable DSN, including 71 sites in the Tranco top‑1,000,000 list. Across separate validation waves, the team logged more than 100 confirmed executions in distinct organizations, and the attack succeeded in 85 % of the controlled tests. Victims ranged from a Fortune 100 technology company to CI/CD pipelines, Windows Subsystem for Linux (WSL) environments, and macOS and Windows workstations behind corporate VPNs.
Why the attack evades existing defenses is a key finding. Every step of the chain is authorized: the attacker never touches the victim’s infrastructure, the developer never approves any code, and the agent performs exactly what it was asked to do. As Tenet calls it the Authorized Intent Chain, traditional endpoint detection and response (EDR), web application firewalls (WAF), identity and access management (IAM), and network controls do not flag the activity. Even prompt‑layer defenses in the agents failed to block the payload when system prompts and skills instructed the model to ignore untrusted data.
Sentry’s response was swift but limited. The company acknowledged the issue on the same day Tenet released the findings and added a global content filter that blocks the specific string used in the proof‑of‑concept payload. However, the ingest endpoint remains open, and Sentry declined to fix the root cause. Tenet’s analysis indicates that the fix must reside in the agent runtime, where each action is evaluated before execution.
Model vendors reported partial mitigation. Claude Code, Cursor, and Codex all executed the injected command despite system‑prompt instructions to ignore it. Tenet offers a set of drop‑in configurations called agent‑jackstop that harden Cursor and Claude Code against this class of injection. The broader implication is that any MCP integration that returns externally influenced data can be exploited in the same way.
The incident highlights a gap in supply‑chain security for AI agents. Enterprises that rely on AI assistants to automate code fixes are now exposed to the same credentials that they already protect in CI/CD pipelines. The debate over responsibility—whether it lies with the error‑monitoring platform, the model vendor, or the agent runtime—remains unresolved. In the meantime, organizations are urged to review their Sentry DSN exposure, apply the available agent‑jackstop configurations, and consider runtime controls that gate commands sourced from external data.
The current situation is that the attack vector is known, a public fix is not yet in place, and the industry is evaluating how to incorporate runtime safeguards. Tenet’s open‑source mitigations are available, but no single party has yet released a comprehensive patch that closes the authorized‑intent chain. The next steps for vendors and enterprises will involve coordinated updates to Sentry’s ingest API, model‑vendor prompt‑handling logic, and agent runtimes to prevent malicious instructions from being treated as trusted guidance.
