Tenet Security’s Threat Labs uncovered a chain called agentjacking that exploits a forged error report in Sentry to trigger code execution in coding agents without malware or stolen passwords.

The core advice is to harden the runtime around the agent, since that layer makes decisions and is the most critical target for preventing injections.

A broad takeaway is that MCP integrations returning externally influenced data to agents can widen the attack surface as more tools connect through MCP.

The attack unfolds in six steps: identify a target DSN, post a crafted event, disguise a command as a resolution, steer the agent via MCP output, execute with the developer’s privileges, and exfiltrate secrets from environment variables and credential stores.

Tenet’s validation found thousands of injectable DSNs across organizations, including dozens in high-traffic sites, with multiple AI code assistants executing the injected payload.

Sentry acknowledged the issue but declined a source fix, proposing a middleware content filter and discussing mitigations centered on vendors rather than patching the core problem.

Tenet released agent-jackstop, open-source configurations to harden Cursor and Claude Code against this injection class, offering a practical defense starting point.

A DSN in Sentry is public and write-only, safe for humans but dangerous when AI agents read reports and can’t distinguish data from instruction.

The attack relies on Authorized Intent Chains, where every step is permitted, rendering traditional defenses like EDR, WAF, IAM, VPNs, and firewalls ineffective.