INDUSTRY · JUNE 29, 2026 · 7 MIN READ

Agentjacking and the Identity Gap Your IAM Doesn't Cover

Agentjacking has moved from research to operations: 2,388 organizations exposed, NVIDIA's SkillSpector trending, and a new agent-identity class that joiner-mover-leaver workflows don't reach.


Agentjacking and the Identity Gap Your IAM Doesn't Cover

Agentjacking is no longer a research demo. As of June 22, 2026, Tenet Security and CSA Labs found roughly 2,388 organizations exposed to a Sentry-MCP prompt injection path, and NVIDIA's open-source scanner SkillSpector reached 7,600 GitHub stars after finding that 26.1% of agent skill files contain security vulnerabilities. The same week, Anthropic shipped Claude Tag , a feature that quietly creates a new identity class in Slack that most IAM programs do not govern. The attack surface and the identity gap arrived together.

How the Sentry-MCP attack works#

The mechanism is precise. Your Sentry DSN is a public key, embedded by design in client-side JavaScript. An attacker POSTs a crafted crash report to your Sentry project using that DSN. When a developer asks Claude Code, Cursor, or Codex to "fix unresolved Sentry issues," the agent reads the attacker-controlled payload and executes the embedded instructions. The agent's own credentials sign every resulting action. No exploit code touches your network; the attacker issues instructions to an identity that already holds your tokens.

The exploitation rate cited in the topic framing , 85% , reflects how reliably agents follow injected instructions when there is no structural barrier between data retrieval and code execution. The attack requires no vulnerability in the agent model itself. It requires only that the agent read untrusted content and hold broad enough credentials to act on it. Both conditions are the default in most developer toolchains today.

The skill-file surface most teams are not scanning#

NVIDIA's SkillSpector targets a specific file class: the CLAUDE.md, AGENTS.md, and SKILL.md files that tools like Claude Code and Codex CLI load automatically at startup. NVIDIA's own research puts the defect rate at 26.1%, with 5.2% showing likely malicious intent. That is roughly one in four skill files carrying something a scanner can catch before it runs.

The scanner reached #3 on GitHub's Python trending list. Cisco shipped a parallel capability the same week. Both were bypassed within days by a fake marketplace skill, per a June 24 disclosure on Grid the Grey, which is instructive: static file scanning is necessary but not sufficient. The injection vector is not confined to known-malicious files. It arrives through any channel an agent treats as trusted data, including Sentry events, issue tracker tickets, and PR descriptions.

Snyk's scan of nearly 10,000 developer environments, published June 23, found over half of developers have MCP servers installed, with 1 in 12 of those setups containing a high or critical security flaw. One environment had more than 80 MCP servers running simultaneously, each a live connection to production systems with no security controls between them.

The identity gap Claude Tag just made visible#

Anthropic launched Claude Tag on June 23, 2026, available in beta for Claude Enterprise and Team customers on Slack. The governance implication is worth reading carefully. Until Claude Tag, an agent operating in a user's session borrowed that user's access, meaning its activity was logged under a human identity. Claude Tag separates the two: the agent now holds its own service account credentials, scoped to channels via Access bundles, with spend metered to the organization.

That separation is correct security practice. The problem is what happens before anyone decides to manage it. The agent arrives in production before the ownership question is answered. Analysts project that by 2029, half of all successful agent attacks will weaponize the agent's own access rather than any flaw in the underlying model. Over-permissioned standing credentials are the exposure; the injection is just how an attacker reaches them.

The joiner-mover-leaver workflow your identity team runs was designed around humans, and to a lesser extent, static service accounts with predictable behavior. An agent that reasons, calls tools at runtime, and consumes untrusted natural language does not fit either category. PurpleSec's June 20 analysis puts the non-human-to-human identity ratio at 144:1 in some enterprise environments, up 56% in a single year. The agent-specific subset is the fastest-growing and least-governed portion of that inventory.

Where the attack pipeline meets code review#

The exploitation path for most engineering teams runs through a specific sequence: an attacker poisons a data source the agent trusts (a Sentry event, a GitHub issue, a Slack message), the coding agent reads it during a normal development workflow, and the resulting code change reaches a PR. By the time it does, the malicious instruction has already been acted on. A PR review that looks only at the diff will not surface the origin.

This is the layer where autonomous code review adds a detection signal that pre-deployment scanners miss. Hyrax reads the full repository and the incoming PR together, applying six agent domains including security and code quality, running 13 verification steps before the PR is surfaced. A code change that injects a new outbound HTTP call, adds an unexpected credential-handling path, or silently modifies an access control check carries a different signature than ordinary refactoring. The review layer is positioned to see that signature precisely because it sits after the agent has acted, not before.

The prior post on five AI-code failures your CI does not catch covers several of the mechanical patterns, but agentjacking adds a new category: changes that are syntactically valid, pass tests, and reflect the developer's stated intent, but originated from an instruction the developer never issued.

What to configure now#

Four controls close the most exposed surface, based on the pattern the dossier documents across multiple disclosures this week.

Scan your CLAUDE.md, AGENTS.md, and SKILL.md files in CI before they run. SkillSpector is available, free, and already covers the categories NVIDIA's research identified. Add it as a pre-commit and CI step. It will not catch everything, but it catches 26.1% of defective skill files before they execute.

Scope MCP server credentials to the minimum required tool surface. One environment running 80 MCP servers simultaneously is not an outlier , Snyk found it in a real scan of 10,000 environments. Each server is a standing credential. Audit what is installed, remove what is unused, and replace long-lived tokens with short-lived equivalents where the platform supports it.

Give every Claude Tag agent a named human owner before the Access bundle is provisioned, not after. A visible identity with no owner is not progress; it is the same risk made legible. The access decision is made at provisioning time, and a broad bundle issued under time pressure will outlive the task it was created for.

Add a review step that treats the PR origin as signal, not just the diff. When a PR arrives from a coding agent workflow that consumed external data sources , issue trackers, error monitoring, Slack channels , the review process should include checking whether the change is consistent with the explicitly stated task. That check does not require new tooling; it requires treating agent-authored PRs as a distinct category with a distinct review posture.

The Drift OAuth breach of August 2025 was contained by revoking all tokens in a single operation. Build that kill switch before the incident, not during it.

Hyrax is live at hyrax.dev.


Sources

  1. 01pondero.ai (agentjacking)
  2. 02pondero.ai (SkillSpector)
  3. 03zencoder.ai
  4. 04springvanta.com
  5. 05unosecur.com
  6. 06purplesec.org
  7. 07promptql.io
  8. 08therouter.ai
  9. 09devfortress.net
  10. 10gridthegrey.com