Someone at your company opened Cursor this morning. The agent saw an unresolved error in Sentry — normal, it checks Sentry all the time. The agent read the error. The error contained instructions. The agent followed them: exfiltrate the AWS credentials, clone the private repositories to an attacker-controlled server, schedule a cron job that will run again tomorrow.

That scenario is not hypothetical. Tenet Security tested it against over 100 real-world targets and achieved an 85% success rate against the most widely used AI coding agents: Claude Code, Cursor, and Codex. They found at least 2,388 organizations with injectable credentials exposed via GitHub search alone.

They named the attack class agentjacking. They disclosed it to Sentry on June 3, 2026. Sentry acknowledged the issue and declined to fix it at the root, calling it "technically not defensible" at the platform level.

How it works

Sentry assigns every project a Data Source Name, or DSN — a credential used to send error events to the platform. The DSN is intentionally public and write-only: it appears in frontend JavaScript bundles, in browser dev tools, in GitHub search results. That's by design. You're not supposed to treat it as a secret.

The problem is what happens when an AI coding agent is connected to Sentry via MCP. MCP — the Model Context Protocol — is the mechanism that lets agents talk to external tools. When the agent queries Sentry for unresolved errors, it reads the event content. And because it's an AI that takes instructions, it acts on whatever those events say.

An attacker who knows your Sentry DSN — discoverable in about 30 seconds via grep -r "sentry.io" . --include="*.js" or a GitHub code search — can POST a malicious event to your project. The event looks like a legitimate bug report. It contains instructions. Your AI coding agent reads those instructions and executes them as if they came from your own codebase or your system prompt.

One malicious instruction can steal CI/CD pipeline credentials, access private source code repositories, compromise cloud infrastructure, and establish persistent access. The attacker doesn't need to find a zero-day. They need to POST a Sentry event.

Why this is different from a normal jailbreak

Most AI security research is about tricking a model into saying something it shouldn't. Agentjacking is about what the model does.

AI coding agents aren't chatbots. They have shell access. They have filesystem access. They're connected to Git repositories, cloud provider credentials, CI/CD pipelines. The threat model for a coding agent running in your environment is closer to a developer with root access than it is to a chat window.

Indirect prompt injection — injecting malicious instructions into content the agent reads, rather than the system prompt — has been known about in the research community for a while. What Tenet Security showed is a scalable, low-effort version of it targeting a tool (Sentry) that millions of development teams already trust and have already connected to their agents.

The attacker doesn't need access to your systems. They need your public DSN and a POST request. That's not sophisticated. That's a shell script.

Source spread

• Tenet Security — Agentjacking: Coding Agents with Fake Sentry Errors — [safety] Primary research. Full attack chain, proof-of-concept, 2,388 exposed org count.
• Cloud Security Alliance Research Note, June 12 — [safety] Independent CSA write-up. Good for the 85% figure and disclosure timeline.
• The Hacker News — [builder] Technical overview, includes Sentry's "not defensible" response.
• Infosecurity Magazine — [builder] Summary of affected tools and the impact scope.

Pros & cons

What's fair:

• The attack is real and reproducible in live production environments, not just lab conditions.
• The disclosure was handled responsibly. Tenet notified Sentry before publishing.
• The core insight generalizes: any MCP-connected tool that accepts write-open input is a potential injection surface. Sentry is the first well-documented case, not the last.

What deserves nuance:

• "2,388 organizations exposed" counts orgs with discoverable DSNs. Not every one of those orgs has an AI coding agent querying that project's Sentry data via MCP. The actually-exploitable population is smaller than the headline number suggests, though Tenet's 85% live success rate across tested orgs is still concerning.
• Sentry calling this "technically not defensible" is accurate about the root cause. It does not mean nothing can be done. Rate-limiting on event POST rates, anomaly detection on event content, and MCP permission scoping are all mitigations that don't require changing the DSN architecture.

Further reading

• Tenet Security — Agentjacking: Coding Agents with Fake Sentry Errors — primary research, full attack chain
• Cloud Security Alliance Research Note — Agentjacking MCP Sentry Injection, June 12 — independent confirmation, 85% success rate sourced here
• The Hacker News — Agentjacking attack overview — good summary with Sentry response
• Pinggy — technical walkthrough — deep dive on the MCP injection mechanism
• DevOps.com — Sentry errors into code execution — DevOps framing and mitigation context