“The danger lies in this implicit trust. When an AI agent queries Sentry for unresolved errors, it receives the response and acts on it – just as a developer would,” Tenet explained in a blog post describing what it calls a new class of attack: “agentjacking.”
Tenet’s step‑by‑step attack methodology
Tenet Security laid out a detailed chain of actions that, together, can trick AI coding agents into executing arbitrary code on developers’ machines. The sequence begins with an attacker locating a target’s Sentry DSN — a public, write‑only credential that Sentry documents as safe to embed in frontend JavaScript. Using that DSN, the attacker posts a malicious error event to Sentry’s ingest endpoint; no authentication beyond the DSN is required.
The injected event contains “carefully formatted markdown” placed in the message field and context key names. When returned to an AI agent via Sentry’s MCP server, the markdown is rendered as structured content that is visually identical to Sentry’s system template. If a developer instructs their AI coding agent to “fix unresolved Sentry issues” or similar, the agent queries Sentry via MCP, receives the malicious event, and — because it cannot verify whether an event originated from a real crash or an attacker — executes the embedded instructions. The executed code runs with the developer’s full privileges.
Sentry DSN: a public, write‑only credential that enables injection
Central to the attack is the Sentry DSN. Tenet emphasized that the DSN is “intentionally public and embedded in frontend JavaScript,” which removes the need for phishing or other classic social‑engineering steps. That intentional exposure allows a single crafted payload to be injected into thousands of projects simultaneously, because the same pattern of DSN usage appears across many frontend codebases.
Testing and scale: real‑world results from Tenet’s experiments
Tenet tested the technique against over 100 real‑world targets and reported an 85% success rate across the most popular AI coding agents on the market, naming Claude Code, Cursor and Codex among those evaluated. In their assessment, Tenet found at least 2,388 organizations exposed with valid, injectable DSNs.
Because the injected content is delivered through a legitimate monitoring and error‑reporting channel, the attack can be mounted at scale: Tenet warned that agents “can’t tell real from fake guidance,” meaning a single instruction could be propagated broadly.
Consequences: bypassing detection and the range of potential impact
Tenet’s report stresses two compounding dangers. First, the attack bypasses existing security tools such as endpoint detection and response (EDR) and web application firewalls because “there’s nothing malicious to detect” in the monitoring‑tool payload itself. Second, agents executed the payload even when prompted to ignore untrusted data, demonstrating how agent behavior can defeat simple vetting prompts.
The report lists concrete actions a single malicious instruction could accomplish if executed by an agent with developer privileges: steal CI/CD pipeline credentials, access private source code repositories, compromise cloud infrastructure, and establish persistent access.
What this means for developers, security leaders, and adversaries
- Developers and security teams: Tenet’s account frames AI coding agents’ implicit trust in observability platforms as a new attack surface tied directly to developer workflows. The attack path depends on agents querying Sentry for unresolved errors and acting on the returned guidance.
- Security leaders and procurement decision‑makers: The report concludes with a call to action: “Security leaders must recognize that MCP integrations are the next frontier for software supply chain attacks. It is crucial to begin evaluating: which tools your AI agents connect to, whether those tools return untrusted data, and what controls exist to prevent injected data from triggering code execution.”
- Adversaries and threat actors: The combination of public DSNs, high agent success rates in tests, and the ability to bypass EDR and web app firewalls creates an attractive operational opportunity: scaleable injection into error and monitoring channels that look legitimate to automated assistants.
Tenet’s disclosure frames agentjacking as an architectural problem at the intersection of observability platforms and autonomous coding assistants. The report’s specifics — public DSNs, MCP delivery, a high success rate across named agents, and the list of possible post‑compromise actions — present a compact but stark ledger of risk that organizations must now evaluate against the convenience of AI‑driven remediation.
