Tenet Security just proved your AI coding agent is your next breach vector.
A single fake Sentry error report — posted using a public DSN that sits in every website's JavaScript — hijacked Claude Code, Cursor, and Codex into running attacker-controlled code on developer machines.
85% success rate.
2,388 organizations exposed.
100+ confirmed agent executions.
A Fortune 100 company's agents were compromised in testing.
The attack works because AI coding agents cannot distinguish data from instructions. The attacker never breaches anything. Never phishes anyone. Never touches the target's infrastructure. They post a fake error to a logging service, and the agent reads the malicious payload as legitimate remediation guidance.
EDR doesn't see it. WAF doesn't see it. VPN doesn't see it. Every step in the chain is authorized. Tenet calls this the "Authorized Intent Chain" — the entire security model is built to catch unauthorized behavior, and this attack contains none.
Sentry acknowledged the disclosure on June 3. Their fix? A content filter blocking one specific payload string. The architectural flaw — public event ingestion feeding trusted output to AI agents — remains unfixed. Sentry called it "technically not defensible."
Audit your MCP integrations today. Every tool your AI agent connects to that returns externally-influenced data is an attack surface. If your coding agents have command-line access and read from logging, monitoring, or observability platforms, you are exposed right now.
This is not a Sentry bug. This is the new reality of agentic security. Every MCP integration is a potential command-and-control channel. The agent is the execution engine. Your telemetry is the delivery vector.
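A minimal sketch of the audit recommended above, added here as an illustration and not taken from Tenet or Sentry: it walks an agent's MCP server inventory and flags servers that return externally-influenced data, raising severity when the agent also has command-line access. The `mcpServers` layout, the `shell_access` flag, the server names and the keyword map are all assumptions constructed for this example.

```python
import json

# Constructed sample inventory (not from the page): one agent's MCP servers in
# an assumed "mcpServers" JSON layout, plus a hypothetical "shell_access" flag.
SAMPLE = json.loads("""
{
  "agent": {"name": "dev-laptop-agent", "shell_access": true},
  "mcpServers": {
    "sentry":     {"command": "npx", "args": ["example-sentry-mcp"]},
    "filesystem": {"command": "npx", "args": ["example-fs-mcp", "/home/dev/project"]},
    "uptime":     {"url": "https://mcp.example.invalid/monitoring"}
  }
}
""")

# Hypothetical keyword heuristic for the source types the article names.
# Substring matching over-reports (e.g. "log" in "catalog"); treat hits as
# candidates for manual review, and extend the map for your own tooling.
EXTERNAL_SOURCES = {
    "logging": ("log",),
    "monitoring": ("monitor", "alert"),
    "observability": ("sentry", "observ", "trace"),
}

def classify(name, spec):
    """Return the externally-influenced category a server matches, or None."""
    parts = [name, spec.get("command", ""), spec.get("url", ""), *spec.get("args", [])]
    haystack = " ".join(parts).lower()
    for category, words in EXTERNAL_SOURCES.items():
        if any(word in haystack for word in words):
            return category
    return None

def audit(config):
    """Flag servers that feed outsider-writable data to the agent.

    HIGH   = the agent can also run commands, so injected text can become execution.
    REVIEW = no shell access recorded, but the data still reaches the model.
    """
    shell = bool(config.get("agent", {}).get("shell_access"))
    findings = []
    for name, spec in sorted(config.get("mcpServers", {}).items()):
        category = classify(name, spec)
        if category:
            findings.append({"server": name, "category": category,
                             "severity": "HIGH" if shell else "REVIEW"})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A server that matches no keyword is not thereby safe; the map only encodes the categories this article calls out.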
TITLE: One fake bug report hijacked a $250B company's AI coding agent. Then 100 more fell.