One fake Sentry bug report hijacked AI coding agents at 100+ companies. Your EDR can't see it.

Tenet Security just proved that a single fake error report can turn Claude Code, Cursor, and OpenAI Codex into remote code execution vectors.

The attack is called Agentjacking.

Here's how it works:

Attackers find your Sentry DSN — the public credential embedded in your frontend JavaScript. It's exposed by design.

They submit a fake error report with Markdown injection disguised as a legitimate "Resolution" section.

When your developer asks their AI coding agent to investigate the issue through Sentry's MCP integration, the agent reads the fake report as trusted context and executes the attacker's command.

85% success rate across leading AI coding agents.

100+ organizations ran Tenet's validation code — including a Fortune 100 tech company valued at ~$250B.

The devastating part: every step in the chain is authorized. EDR sees nothing. Firewalls see nothing. WAFs see nothing. Sentry is used as designed. DSNs are public by policy. The npm package is fetched over standard channels.

Tenet calls this the "Authorized Intent Chain" — the prevailing security model catches unauthorized behavior, and this attack contains none.

Sentry's response: the issue is "technically not defensible" at the ingestion layer. They deferred mitigation to model vendors.

This is not a single-vendor bug. Every MCP integration that returns externally influenced data to AI agents carries this risk. Current models cannot reliably distinguish descriptive data from embedded instructions.

Audit every MCP-connected tool in your development pipeline today. If your AI coding agent touches Sentry, Datadog, or any observability platform that accepts untrusted input, you are exposed. The attack surface is not your code. It is your agent's context window.

SOURCE: https://hackread.com/agentjacking-fake-bug-report-hijack-ai-coding-agents/
VERIFIED: CyberSecurityNews (June 13, 2026), Hackread (June 18, 2026), Tenet Security blog post
SIGNAL: AI coding agents are now the attack surface. Your EDR was built for unauthorized behavior — Agentjacking contains none.