Tenet Security Reveals Agentjacking Exploit Against Coding Agents

Tenet Security published a technical writeup demonstrating a new attack class it calls "Agentjacking," which injects crafted error events into Sentry and uses Model Context Protocol (MCP) integrations to get AI coding agents to execute attacker-controlled commands, per Tenet Security's blog post. Reporting by Infosecurity Magazine and The Hacker News confirms the chain: an attacker obtains a target's Sentry DSN, posts a malicious event to Sentry's ingest endpoint, and the malicious event is returned via MCP as what appears to be Sentry system guidance. Infosecurity quotes Tenet: "The danger lies in this implicit trust," describing how an agent cannot distinguish injected events from legitimate diagnostic output.

Tenet's report explains the core steps:

• •identify a target's Sentry DSN, a public, write-only credential that Sentry documents as safe to embed in frontend JavaScript (per Infosecurity)
• •send a POST to Sentry's ingest endpoint containing a crafted error event whose message and context fields include carefully formatted markdown or guidance
• •when an AI coding agent queries Sentry via an MCP-enabled tool, the injected event is returned and rendered indistinguishable from Sentry's own remediation notes
• •the agent interprets and executes the instructions, which run with the developer's local privileges, per Tenet and The Hacker News

Tenet confirmed 85% exploitability across more than 100 real-world targets, including Claude Code, Cursor, and Codex, per Infosecurity Magazine. The researchers also found at least 2,388 organizations carrying injectable DSNs. Tenet notes that once a payload is crafted it could be injected into thousands of projects simultaneously, and the attack bypasses existing security tools like EDR and web-app firewalls because there is nothing malicious to detect in transit.

Agents that integrate external telemetry through MCP or similar machine-consumable channels implicitly trust the provider's structured output. Industry observers describe this as a variant of indirect prompt injection where the attack surface is not raw web content but developer telemetry APIs. For practitioners, the consequence is that instrumentation endpoints accepting unauthenticated or publicly exposable inputs become high-value attack conduits if their responses are fed back into automation without additional provenance checks.

Public reporting frames Agentjacking as a supply-chain and orchestration-layer risk because it requires no phishing or prior compromise of the developer's infrastructure. The practical impact reported across sources includes potential exfiltration of environment variables, Git credentials, private repository URLs, and other secrets accessible to the executing process, per The Hacker News and Infosecurity Magazine. A single crafted payload could compromise CI/CD pipeline credentials, access private source code repositories, or establish persistent access, per Tenet.

Observers will monitor whether agent vendors add provenance checks, output source labeling, or safe-execution sandboxes before executing fetched guidance; whether MCP implementations change how they surface system templates versus user-supplied content; and whether telemetry providers alter how DSNs, ingest endpoints, or event rendering treat untrusted input.

Treat machine-readable developer telemetry as part of your threat model. Instrumentation endpoints that accept public inputs should be assessed for whether their outputs are consumed by automation with code-execution capability. Where agents run developer tasks, adding provenance metadata, stricter input sanitization, or interactive approval gates can reduce the direct execution pathway described in Tenet's demonstration.