Sentry just refused to fix a flaw that hijacks AI coding agents 85% of the time

Security researchers at Tenet Security found a way to turn your AI coding agent into a remote code execution engine.

No malware. No stolen credentials. No breach.

Just a fake bug report.

The attack — called Agentjacking — exploits Sentry's public error ingestion endpoint. Anyone can POST a fake error. The payload hides malicious commands formatted to look exactly like Sentry's own remediation advice.

When a developer asks their AI agent to "fix unresolved Sentry issues," the agent fetches the poisoned data via MCP, treats it as trusted, and runs the attacker's code.

85% success rate across Claude Code, Cursor, and Codex.

2,388 organizations exposed. From a $250B enterprise down to a cloud-security vendor.

The payload reaches environment variables, AWS keys, GitHub tokens, git credentials, and private repository URLs. From there, CI/CD pipelines and cloud infrastructure follow.

EDR didn't catch it. Firewalls didn't catch it. VPNs didn't catch it. Even explicit prompts to ignore untrusted data failed. Tenet calls it the "Authorized Intent Chain" — every step in the chain is authorized. Nothing is technically unauthorized.

Here's the part that should keep CISOs up at night.

Tenet told Sentry on June 3. Sentry acknowledged the problem. Then declined to fix it at the root, calling the attack class "technically not defensible." They added a content filter for one specific payload string. Symptom treated. Cause ignored.

The vulnerability isn't in Sentry alone. It's in how agents handle any external data. Support tickets. GitHub issues. Documentation. If your AI agent reads untrusted input and acts on it, this same attack pattern works.

Audit every MCP integration your developers use today. Every tool your agents connect to is now a potential command-and-control channel. The attack surface isn't the network anymore — it's the agent's decision to act.

SOURCE: https://thenextweb.com/news/agentjacking-ai-coding-agents-sentry
VERIFIED: Tenet Security blog (June 9), Infosecurity Magazine (June 11), The Hacker News (June 12)
SIGNAL: Enterprise AI agents are now the attack vector. Sentry's refusal to fix at root means every MCP integration is a potential RCE channel. CISOs must audit agent-to-tool trust chains immediately.