'Agentjacking' turns Sentry error reports into RCE against Claude Code, Cursor and Codex
Tenet Threat Labs found 2,388 organizations with injectable DSNs and an 85% exploitation rate against the major AI coding agents.
A single unauthenticated HTTP POST to a public Sentry endpoint can coerce Claude Code, Cursor and Codex into downloading and executing attacker-controlled code on a developer’s machine, according to research published June 12 by Tenet Threat Labs. The class of attack, which Tenet calls “agentjacking,” lands at the intersection of two design decisions that each looked reasonable in isolation: Sentry’s DSNs are write-only credentials deliberately embedded in frontend JavaScript, and the Sentry MCP server passes event data to coding agents as trusted output.
Trusted output is the load-bearing phrase. An attacker who scrapes a target’s JS, queries Censys for ingest.sentry.io subdomains, or greps GitHub’s public index can submit a fake error whose stack trace contains Markdown instructions. The agent reads the “error,” follows the instructions, and installs a malicious npm package with the developer’s local permissions. Tenet identified 2,388 organizations with injectable DSNs and tested more than 100 of them, reporting an 85% exploitation rate. Confirmed victims ran from independent developers up to a Fortune 100 technology firm. Every payload self-identified as a Tenet scan via a custom header.
What makes the finding structurally awkward, rather than just embarrassing, is Tenet’s claim that conventional controls don’t apply: “The attack bypasses EDR, WAF, IAM, VPN, Cloudflare, and firewalls — because there is nothing malicious to detect. Every action in the chain is authorized.”
Tenet disclosed to Sentry on June 3. Sentry acknowledged the issue, declined a structural fix as “technically not defensible” at the platform level, and shipped a narrow content filter targeting the PoC payload string. Tenet has open-sourced agent-jackstop, drop-in hardening configs for Cursor and Claude Code.
The disclosure coincides with Tenet emerging from stealth on a $6 million seed led by The Westly Group with MizMaa Ventures. Co-founders Barak Sternberg and Nevo Poran previously built Cisco’s AI Defense research team and are Unit 8200 alumni; researcher Ron Bobrov authored the writeup. The product roadmap and the threat model now share the same premise: agent ecosystems inherit every trust boundary their tools forgot to draw.
Sources
- https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/
- https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html
- https://www.securityweek.com/tenet-security-emerges-from-stealth-with-6-million-seed-funding/
- https://www.scworld.com/brief/agentjacking-attack-exploits-ai-coding-tools-with-fake-error-reports
- https://siliconangle.com/2026/06/17/ex-cisco-researchers-launch-tenet-security-lock-rogue-ai-agents/