Tenet Threat Labs demonstrated something uncomfortable in June 2026: a single fake error report, sent through nothing but public Sentry APIs, was enough to hijack AI coding agents into running attacker-controlled code on developer machines. They found 2,388 organizations exposed, and confirmed agent execution at more than 100 of them - including at least one Fortune 100 company.
No malware. No stolen credentials. No breach of any system. Just a bug report that your agent decided to act on.
This is the Agentjacking attack, and if your team uses Claude Code, Cursor, or Codex - which is most teams writing software with AI assistance right now - it is worth understanding before you hand your agent the next pile of error logs.
What Agentjacking Actually Does
The attack starts with Sentry, a widely used error-tracking tool. Sentry lets any application send it error reports using a public key called a DSN, which sits openly in website code by design. An attacker POSTs a fake error to that endpoint.
AI coding agents including Claude Code, Cursor, and Codex retrieved the injected events via MCP, did not distinguish them from legitimate application errors during Tenet Security's testing, and executed attacker-controlled commands with the developer's own system privileges.
Tenet's proof of concept showed an AI agent executing a command to download and run a malicious npm package, demonstrating a path to remote code execution with the developer's local permissions.
The technical root of this is straightforward but worth naming precisely: "The attack exploits a critical architectural flaw at the intersection of Sentry's event ingestion (which accepts arbitrary payloads from anyone with the DSN) and the Sentry MCP server (which returns this data to AI agents as trusted system output)."
The agent sees Sentry output as authoritative. Error reports come back through the MCP connection, land in the agent's context, and the agent treats the text inside them - including any instructions an attacker embedded - as legitimate guidance. An attacker would inject malicious commands into Sentry error events which are impossible to distinguish from the tool's own remediation guidance.
Why Standard Security Controls Miss It
The scariest part is what does not catch it. The attack slips past EDR, firewalls, IAM, and VPNs, because nothing in the chain is unauthorized. Tenet calls it the "Authorised Intent Chain." Prompts do not help either - the agents ran the code even when told to ignore untrusted data.
This is the specific challenge that AI coding agents introduce at the tooling layer. The agent is operating with the developer's own permissions. It is doing something the developer would plausibly do: investigating an error. The commands it runs look like ordinary debugging steps. Nothing in a conventional security stack is watching for that.
The flaw is not in Sentry alone. It is in how agents handle any outside data, so the same risk runs through support tickets, GitHub issues, and documentation. Any external content that flows into an agent's context through an MCP-connected service is potential attack surface - Sentry just happened to be the one Tenet demonstrated against.
What Sentry Said, and Why That Answer Is Incomplete
Tenet disclosed to Sentry on June 3, 2026 as soon as the chain was confirmed. Sentry's leadership responded the same day - acknowledging the issue but declining to fix it at the root, calling it "technically not defensible" and noting that model vendors run middleware against it. During the research period, Sentry activated a global content filter blocking a specific payload string - detecting the activity without addressing the cause.
That is an honest position from Sentry, but it does not close the risk for your team. A content filter on one specific payload string is not a defense against a class of attack - it is a one-move patch on an approach that has unlimited variations.
For defenders, the Agentjacking work signals a new era in AI supply chain risk, where the AI agent itself becomes the primary attack surface. Security teams need to reassess which tools their AI agents interact with and whether those tools accept untrusted or anonymous input.
What This Means for Teams Using AI Coding Agents Today
The practical change this research demands is not dramatic, but it requires a new mental model. Your coding agent is not a contained tool - it is an actor that reads from, and executes against, whatever surfaces in its context window. By mid-2026, MCP server deployments span error trackers, version control platforms, cloud management consoles, package registries, and internal knowledge bases. The practical consequence is that an AI coding agent's "attack surface" now includes every MCP-connected service and, critically, every data source surfaced through those services.
Three things worth doing now:
- Audit your agent's MCP connections. Every server you have connected is a potential ingestion point for external content. Map what each one returns, and ask whether that content could contain attacker-written text.
- Add a review step between external telemetry and agent execution. If your workflow is: error fires → agent investigates → agent runs fix, add a human checkpoint before the agent acts on anything that came from outside your own code. A teammate like Beagle can surface that kind of async checkpoint in the Slack or Teams thread where the debugging conversation is already happening.
- Treat the DSN as a credential worth rotating. If your Sentry DSN is embedded in public JavaScript - which it almost certainly is - assume it can be found. That does not mean the attack is inevitable, but it means your agent should not be the only gate between that endpoint and your filesystem.
The deeper point is not really about Sentry. The reason this is alarming beyond the raw numbers: developers have trained themselves to trust their coding agents. When Claude Code tells you to run a command, you run it. That trust is exactly the surface Agentjacking exploits.
Building good habits around AI coding agent security now - before the attack surface grows wider - is the kind of work that does not feel urgent until it is. Agentjacking is a useful forcing function.