Agentjacking is operational: 2,388 orgs, 85% hit rate

Tenet Security's June 17 disclosure confirmed that a single forged Sentry error event achieves an 85% exploitation rate against Claude Code, Cursor, and Codex across more than 100 organizations in controlled testing. The attack requires no stolen credentials, no phishing, and no breach of any target system. The entry point is a public write-only key already sitting in your frontend JavaScript.

What the attack actually does#

The Sentry DSN is intentionally public. Sentry documents it as safe to embed in frontend code. Any attacker can POST a crafted error event to the ingest endpoint using only that key. Sentry returns HTTP 200 and processes the event identically to a real crash report.

The injected event contains markdown in the message field, formatted to mirror Sentry's own MCP system template exactly. A fake ## Resolution section recommends an npx command. When a developer asks their agent to "fix unresolved Sentry issues," the agent queries Sentry via MCP, receives the event, treats it as legitimate diagnostic guidance, and runs the command with the developer's own privileges. AWS keys, GitHub tokens, Kubernetes credentials, SSH agent sockets, environment variables , all present and reachable in the environments Tenet documented.

Tenet calls this the Authorized Intent Chain. Every action is authorized. EDR, WAF, IAM, VPN, and Cloudflare have nothing anomalous to flag.

The scale Tenet documented#

2,388 organizations with valid injectable DSNs were found through passive reconnaissance: Censys indexing, code search, CDN loader extraction. Seventy-one rank in the Tranco top-1 million. Confirmed targets in controlled testing included a Fortune 500 enterprise with a parent valuation around $250 billion, a $2 billion hosting infrastructure provider, a scientific computing firm, and multiple early-stage startups. A cloud security vendor appeared on the list. No sector, budget, or security tooling predicted safety.

Tenet validated the attack across four-plus families of agents, on macOS, WSL, Windows, containers, CI, and cloud. A sandboxed OpenAI Codex agent running in a CircleCI pipeline on an EC2 container was reached. The payload rode in through data the agent was asked to read, bypassing network restrictions entirely.

Why prompt-layer defenses failed#

Agents executed the payload even when system prompts explicitly instructed them to ignore untrusted data. Tenet tested this directly and documented the failure. The reason is structural: data and instruction occupy the same representation in current models. The model cannot reliably distinguish them at inference time. A more carefully worded system prompt does not change this property.

Sentry was disclosed to on June 3, 2026. Their leadership responded the same day, acknowledged the issue, and declined to fix it at the root, describing it as "technically not defensible." During the research period, Sentry activated a content filter blocking one specific payload string , addressing a single known variant while leaving the underlying injection pathway structurally unchanged. Tenet's conclusion is direct: "if the platform owner considers this class of attack 'not technically defensible' at the source, the only place left to stop it is at the agent's runtime."

The trust boundary has moved#

The shift worth naming precisely: the threat is no longer a bad actor who writes malicious code. It is a developer who approves agent-generated code that was steered by poisoned context. The developer sees a normal PR. The PR describes a plausible fix. The agent that wrote it was acting on an instruction embedded in a fake Sentry error report it had no mechanism to question.

This is why diff-only review misses the threat. Reviewing whether the code compiles, passes tests, and matches the stated task does not reveal whether the agent's context was compromised when it made decisions. The hallucinated dependency attack covers a related failure mode , packages that agents recommend without verification , but agentjacking goes further, turning the agent's tool pipeline into a command-and-control channel before a single line is written.

The key point: the context pipeline is opaque at merge time. The code it produced is not.

What defenders should configure now#

Four concrete checks worth adding before the merge gate:

• New outbound domains. Any diff that introduces a network call to a domain not present elsewhere in the codebase warrants inspection. Agentjacking payloads typically exfiltrate via npx to an attacker-controlled endpoint.
• New process.env reads or equivalent. A change that adds environment variable access without a corresponding ticket or documented requirement is a signal, not a proof , but it deserves a human eye.
• Credential-adjacent file modifications. Changes near .aws/, .npmrc, .docker/config.json, or equivalent paths on Windows and Linux deserve scrutiny regardless of how plausible the surrounding diff looks.
• MCP integration audit. List every external service the coding agent connects to via MCP. For each one: does the service accept unauthenticated writes from the public internet? Sentry is the documented example. Issue trackers, documentation systems, and observability platforms may share the same property.

Prompt hardening at the agent level is not a reliable control , the Tenet data makes this plain. Runtime sandboxing helps at the edges but did not prevent exploitation in CI environments. The durable check happens at the diff.

What this means for autonomous PR workflows#

Every PR produced by an autonomous coding agent now carries a question the PR itself cannot answer: was the context that generated it clean? Hyrax's security domain flags exactly the signals described above , new environment variable reads, outbound calls to domains absent from the rest of the codebase, credential-adjacent file modifications , and holds the merge on must-fix findings. The context pipeline that generated the code is not available at review time. The code is. That boundary is the one worth defending.

The attack documented by Tenet is not limited to Sentry. Any MCP integration that returns externally-influenced data creates the same vulnerability class. Sentry is the demonstrated entry point through June 2026. The pattern is not going away.

Hyrax is live at hyrax.dev.