'Agentjacking' lets a public Sentry DSN hijack Claude Code, Cursor and Codex at 2,388 orgs

Tenet Threat Labs hit an 85% exploitation rate against AI coding agents using fake error reports; Sentry calls the flaw 'technically not defensible' at the platform.

A single fake bug report, posted to a publicly known Sentry DSN, is enough to make Claude Code, Cursor or Codex run attacker-chosen shell commands on a developer’s laptop. Tenet Threat Labs, which coined the technique “agentjacking,” says 2,388 organizations are sitting on valid injectable DSNs right now, and that its controlled testing against more than 100 targets succeeded 85% of the time.

The mechanism is almost embarrassingly simple. A Sentry DSN is a write-only credential meant to be public. When a coding agent queries Sentry over MCP and pulls back an error trail, an attacker’s prepended text, formatted to look like a “suggested fix,” reads as guidance the agent should follow. The agent can’t tell injected instruction from legitimate context. It just acts.

That collapses most of the perimeter people thought they had. EDR and WAFs don’t fire, because the agent is operating inside its authorized permissions. Network-restricted CI runners were still reached, since the payload arrives as data the agent was told to read. According to The Hacker News, a successful run can exfiltrate environment variables, Git credentials, private repository URLs and developer identities. Tenet says confirmed execution targets include a roughly $250 billion technology company, multiple Fortune 500s, and a cloud security vendor.

Tenet disclosed to Sentry on June 3, 2026, against Claude Code build 2-1-161 captured the day prior. Sentry acknowledged the same day, activated a global filter blocking one specific payload string, and declined a root fix, describing the flaw as “technically not defensible” at the platform level and deferring to model vendors. The Cloud Security Alliance corroborated the findings in a June 12 research note.

Tenet, founded by ex-Cisco AI Defense researchers Barak Sternberg and Nevo Poran, emerged from stealth alongside the disclosure with $6 million in seed funding led by The Westly Group. It open-sourced agent-jackstop, drop-in hardening configs for Cursor and Claude Code.

The structural read is the part worth sitting with. The industry shipped agents with tool access faster than it agreed on whose job it’s to sanitize the tools’ inputs, and Sentry’s answer (it’s not ours) is going to keep being the answer until somebody concedes it has to be someone’s.