Agentjacking Attack Exploits Sentry MCP to Hijack AI Coding Agents

Cybersecurity researchers at Tenet Security have uncovered a new attack class dubbed “Agentjacking” that tricks AI coding agents into executing arbitrary code on developer machines. The technique weaponizes Sentry, a popular open-source error-tracking and performance-monitoring platform, by exploiting the implicit trust AI agents place in Model Context Protocol (MCP) responses. Researchers Ron Bobrov, Barak Sternberg, and Nevo Poran described the flaw as “a critical architectural flaw at the intersection of Sentry’s event ingestion—which accepts arbitrary payloads from anyone with the DSN—and the Sentry MCP server, which returns this data to AI agents as trusted system output.”

The attack chain begins when a threat actor identifies a target’s Sentry Data Source Name (DSN), a public, write-only credential embedded in websites and applications. The attacker then submits a malicious error event to Sentry’s ingest endpoint via a POST request, embedding carefully formatted markdown in the message field and context key names. When tools like Claude Code or Cursor query Sentry via MCP—often in response to prompts such as “fix unresolved Sentry issues”—the injected payload renders as structured content visually indistinguishable from legitimate Sentry guidance. The agent interprets the attacker’s instructions as trusted diagnostic steps and runs the embedded code with the developer’s full system privileges.

A successful exploit can expose highly sensitive assets, including environment variables, Git credentials, private repository URLs, and developer identities, all without requiring phishing or prior server compromise. Developers concerned about credential exposure can use a password checker to audit leaked secrets, while teams can run a SSL/TLS checker to verify that their public-facing endpoints, including those leaking Sentry DSNs, are properly configured. Because the attacker never directly touches the victim’s infrastructure, the malicious instruction simply arrives disguised as a legitimate “Resolution” inside an ordinary error report.

The Tenet team found hundreds of organizations exposing Sentry DSNs in production frontends, magnifying the attack surface. Agentjacking stands apart from traditional exploits because it targets the trusted AI agent itself rather than the underlying application, and because the markdown injection is rendered so faithfully that the agent cannot differentiate malicious instructions from genuine platform guidance. Organizations should audit their public code for exposed DSNs, restrict which events MCP servers relay to coding agents, and review AI agent permissions—developers can also run a privacy checkup to assess broader exposure risks tied to their development environments.