Agentjacking just hijacked Claude Code, Cursor, and Codex at 85% success rate. 2,388 orgs are exposed.

Your AI coding agent trusts Sentry error reports as legitimate system output.

Attackers just proved that trust is a weapon.

Tenet Security disclosed "Agentjacking" on June 12 — an attack that injects malicious shell commands into Sentry error events using only a public DSN credential. No breach. No authentication. One HTTP POST.

The attack chain is devastatingly simple:

Step 1: Attacker discovers your Sentry DSN from browser JavaScript or Censys. It's public by design.

Step 2: Attacker POSTs a crafted error event with a fake "## Resolution" section containing an npx command.

Step 3: Your AI coding agent queries Sentry via MCP, retrieves the injected event, and interprets the attacker's command as legitimate diagnostic guidance.

Step 4: Agent executes the npx command with your full system privileges. Package harvests AWS keys, GitHub tokens, npm credentials, Docker config, and .env files. Exfiltrates via HTTPS POST.

85% exploitation success rate across Claude Code, Cursor, and Codex.

2,388 organizations confirmed exposed. 71 in the Tranco top-1M. Zero cost to attack.

Sentry was disclosed on June 3. Their response: the issue is "technically not defensible" at the platform level. They deployed a content filter blocking the specific npx string from the proof of concept. Any variant bypasses it.

The Cloud Security Alliance classified this as a concrete instance of a broader MCP vulnerability: language model agents cannot enforce trust boundaries between retrieved data and executable instructions.

This generalizes beyond Sentry. Any MCP server that returns data from an endpoint with less-restricted write access than read access presents an equivalent injection surface.

The "Authorized Intent Chain" bypasses every perimeter control: EDR, WAF, IAM, VPN, Cloudflare. You authorized the agent. The agent authorized the MCP connection. The MCP connection returns data from a service you integrated. Every step is authorized. Nothing alerts.

Immediate actions:
1. Disable Sentry MCP integrations in all AI coding agents
2. Search GitHub and Censys for your Sentry DSN strings — rotate any found
3. Configure AI agent allow-lists requiring human approval for shell commands from MCP tool responses
4. Deploy MCP security tooling to inspect tool responses before agents act
5. Alert on AI agent subprocess spawning that accesses ~/.aws/config, ~/.npmrc, ~/.docker/config.json
6. Brief development teams: treat agent-suggested npx commands from issue trackers as red flags

The attacker never touches your infrastructure. The malicious instruction arrives disguised as legitimate resolution guidance from a service you deliberately connected to your AI workflow.

Audit your MCP integrations today. The attack surface is your trust model.

SOURCE: https://aviatrix.ai/threat-research-center/agentjacking-attack-ai-coding-agents-2026/
VERIFIED: Tenet Security (original research), The Hacker News, Cloud Security Alliance, InfoSecurity Magazine, Decryption Digest
SIGNAL: First documented large-scale attack class that converts developer AI coding tools into unwitting attack vectors via MCP trust model exploitation. 85% success rate across major agents. Sentry declined structural fix.