Tenet Security just documented an attack class they're calling "agentjacking."
One fake error report. One public Sentry key. That's all it takes to turn your AI coding agent into an attacker's remote shell.
85% success rate across Claude Code, Cursor, and Codex. 100+ confirmed executions across separate organizations. One captured environment held a live AWS secret access key.
Here's why this matters.
The Sentry DSN — the credential that makes this attack work — is designed to be public. It sits in the JavaScript source of thousands of production websites. No breach. No stolen credentials. No exploit in the traditional sense.
The attacker sends one crafted error event to Sentry's ingest endpoint. The payload contains markdown formatted to look exactly like Sentry's own remediation guidance. When your developer asks their AI agent to "fix unresolved Sentry issues," the agent queries Sentry through MCP, receives the injected event, and executes the attacker's command with the developer's own system privileges.
Your DLP didn't trigger because no data left the network through traditional channels. Your EDR didn't fire because the agent ran the command natively. Your SIEM logged it as a legitimate tool interaction.
Sentry acknowledged the disclosure on June 3. Their fix? A string-match filter on the specific payload. Not the architecture. Not the trust model. When Tenet asked for a root-cause fix, Sentry said the problem was "technically not defensible" at the platform level.
Every MCP integration your developers have wired into their agents — Sentry, GitHub, Jira, any external service that returns data — carries this same exposure. The agent cannot distinguish between data authored by your application and data authored by an attacker. It treats all MCP responses as authoritative.
Audit every MCP connection your engineering org has enabled today. If any external service returns content your agents execute without inspection, you have this exact vulnerability. Deploy Tenet's open-source agent-jackstop configs for Cursor and Claude Code immediately. Treat every MCP integration with the same scrutiny you apply to third-party libraries in your supply chain.
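One way to start that audit, as an added example that is not from Tenet or from any tool named above: a small Python inventory of an MCP client config. It assumes the `mcpServers` JSON layout used by Cursor (`.cursor/mcp.json`) and Claude Code (`.mcp.json`); the sample servers, the `REVIEWED` allowlist and the flag names are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample config; server names, URLs and packages are made up.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "sentry":  {"url": "https://mcp.sentry.example/mcp"},
    "tickets": {"command": "npx", "args": ["-y", "example-tickets-mcp"],
                "env": {"TICKETS_API_TOKEN": "constructed-value"}},
    "docs":    {"command": "/opt/tools/docs-mcp", "args": ["--root", "./docs"]}
  }
}
""")

# Hypothetical allowlist: servers your security team has already reviewed.
REVIEWED = {"docs"}


def audit_mcp_config(config, reviewed=REVIEWED):
    """Return one finding record per configured MCP server, sorted by name."""
    findings = []
    for name, spec in sorted(config.get("mcpServers", {}).items()):
        flags = []
        if "url" in spec:
            transport, target = "remote", urlparse(spec["url"]).hostname or ""
            flags.append("remote-endpoint")  # responses are produced off-host
        else:
            transport, target = "stdio", spec.get("command", "")
            if target == "npx":
                pkgs = [a for a in spec.get("args", []) if not a.startswith("-")]
                # name@version pins the code; a bare name floats to latest
                if pkgs and "@" not in pkgs[0].lstrip("@"):
                    flags.append("unpinned-package")
        env = spec.get("env", {})
        if any(k.upper().endswith(("TOKEN", "KEY", "SECRET")) for k in env):
            flags.append("inline-credential")
        if name not in reviewed:
            flags.append("not-reviewed")
        findings.append({"name": name, "transport": transport,
                         "target": target, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{f['name']:8} {f['transport']:6} {f['target']:22} "
              f"{', '.join(f['flags']) or 'ok'}")
```

A locally launched server can still relay content written by outsiders, so `not-reviewed` is the flag that matters most; the others only help prioritise the review queue.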
SOURCE: https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/
VERIFIED: Tenet Security primary disclosure (June 17, 2026), The New Stack (June 21, 2026), Cloud Security Alliance Lab Space (June 12, 2026)
SIGNAL: This is the first documented real-world attack class that weaponizes MCP's trust model against enterprise AI coding tools. Sentry's refusal to fix the architecture means every organization using MCP integrations is exposed until they implement their own controls.
Enterprise AI Impact — filtered for signal, not noise