Security researchers at Tenet Security disclosed a new attack class called "agentjacking" in which an attacker uses a public Sentry Data Source Name (DSN) to POST a crafted error event that includes a malicious "Resolution" instruction, causing AI coding agents to execute attacker-supplied commands on a developer's machine, according to Tenet Security's report. Tenet reports an 85% success rate in controlled tests against Claude Code, Cursor, and Codex, and says it found 2,388 organizations with publicly exposed DSNs. The Cloud Security Alliance and other reporting note the attack abuses the Model Context Protocol (MCP) telemetry flow and can bypass EDR, WAF, and IAM because agents run actions under the developer's own credentials. Tenet says it is open-sourcing mitigations, and the Cloud Security Alliance reports that Sentry acknowledged the disclosure and described comprehensive platform fixes as "technically not defensible."
What happened
According to Tenet Security's public writeup, researchers disclosed a new attack class they call "agentjacking," in which an adversary injects a malicious instruction into a Sentry error event and causes AI coding agents to run attacker-controlled commands on a developer's system. Tenet reports that the attack uses a public Sentry Data Source Name (DSN) to POST a crafted event whose "Resolution" section contains a shell command that mimics Sentry's own remediation text. Per Tenet, the team observed agent execution in controlled tests against Claude Code, Cursor, and Codex, with an 85% exploitation success rate and tests across 100+ agent instances. Tenet also reports locating 2,388 organizations with publicly exposed DSNs that could accept injected events.
Technical details
Editorial analysis - technical context: The attack exploits two protocol and trust assumptions common in modern agent stacks. The Model Context Protocol (MCP) lets agents fetch external telemetry and issue tool calls as part of a debugging or remediation workflow, and Sentry DSNs are write-only credentials intentionally exposed in frontend code to allow client-side error reporting. When an agent treats telemetry entries as authoritative diagnostic guidance, semantic prompt injection can translate a string in a log into local command execution. Tenet and the Cloud Security Alliance both note that because the agent performs authorized operations under the developer's identity, endpoint detection and network controls such as EDR, WAF, and IAM may not register an anomaly.
What Tenet and others tested and released
According to Tenet Security's blog post, the researchers demonstrated end-to-end execution where an injected Sentry event delivered a command that the agent later executed, enabling access to environment variables, AWS keys, GitHub tokens, and repository URLs in their tests. Tenet says it is publishing drop-in configuration mitigations for at least Cursor and Claude Code to reduce exposure. The Cloud Security Alliance report states that Sentry acknowledged the disclosure on June 3, 2026, and, quoting their statement, characterized comprehensive platform-level fixes as "technically not defensible," while deploying a content filter to block the specific payload string observed during the research period.
Context and significance
Agentjacking sits at the intersection of telemetry trust, agentic automation, and developer supply-chain risk. Multiple outlets and the CSA lab note that the attack is semantic rather than a classical software bug, because Sentry accepted a valid write and MCP returned authentic-looking data; the exploit occurs in the logic layer where agents integrate tool output into actions. The reported 2,388 exposed DSNs and the cross-agent success rate reported by Tenet make this relevant to organizations that run agentic coding workflows and ingest external logs into their developer agents. The attack path can reach CI/CD and cloud resources if credentials are available in the developer environment, per Tenet's findings.
What to watch
For practitioners: Observers will monitor whether agent vendors change default behaviors around executing tool-sourced instructions, whether MCP implementations adopt stronger provenance signals for telemetry, and whether Sentry or similar telemetry platforms add systemic mitigations beyond content filters. Sources to watch include vendor security advisories from the agent vendors named in Tenet's tests, updates to MCP specifications, and any broader disclosures about exposed DSNs. Tenet's open-sourced configurations are already available as an immediate mitigation for some agents, per Tenet's post.
Limitations and attribution
What is reported here reflects Tenet Security's demonstrations and the Cloud Security Alliance's analysis; public coverage by outlets such as The Next Web, ByteIota, and PointGuard AI summarize those findings. The demonstrations were conducted in controlled tests and Tenet frames the result as a demonstrated attack pattern rather than a reported wide-scale breach. The Cloud Security Alliance report attributes the quoted assessment of Sentry's remediation posture to Sentry's disclosure.
Editorial analysis
Observed patterns in similar disclosures: When toolchains expose write-only telemetry sinks and agents treat external text as actionable instructions, the resulting attack class often requires changes at multiple layers: telemetry producers, agent policy defaults, and operator hygiene around secret management. Hardening only one layer tends to leave residual risk. Organizations that ingest external logs into agentic tools face a nontrivial review task to enumerate telemetry inputs and apply provenance or sanitization controls.
Practical takeaways for security and developer teams
For practitioners: Short-term mitigations include removing publicly visible DSNs from client code where possible, rotating any secrets discovered in developer environments, applying Tenet's published hardening configs where supported, and treating telemetry as untrusted input in automation workflows. Observability and SRE teams should map which agents query which telemetry sources and add explicit provenance checks or allowlisting before an agent can escalate from reading context to executing local commands.
Scoring Rationale #
The demonstrated attack enables remote code execution in developer environments by abusing telemetry and agent trust, affecting major agent products (Claude Code, Cursor, Codex) and thousands of exposed DSNs. The story is operationally urgent for developer security teams but reflects controlled test demonstrations rather than a confirmed mass breach.
Practice interview problems based on real data
1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with.