Agentjacking: How a Poisoned Sentry Error Hijacks Claude Code

Tenet Security disclosed on June 9, 2026 that a single forged Sentry error event, requiring nothing beyond a public DSN key, achieves an 85% exploitation rate against Claude Code, Cursor, and Codex. The attack does not touch the model. It poisons the context pipeline that feeds the model, and every downstream action runs with the developer's own privileges.

What Agentjacking Actually Does#

The Sentry DSN is a write-only credential embedded in frontend JavaScript by design. Any attacker can POST a crafted event to the ingest endpoint. No authentication required. Sentry returns HTTP 200 and processes the event identically to a legitimate crash report.

The injected event contains formatted markdown in the message field, including a fake ## Resolution section with an npx command. When the Sentry MCP server returns that event to a coding agent, the markdown renders as structured content indistinguishable from Sentry's own system template. The agent reads it, treats it as legitimate troubleshooting guidance, and runs the command.

From there: environment variables, AWS keys, GitHub tokens, git credentials, private repository URLs. The agent exfiltrates them with its own process, using its own privileges, producing no anomalous network traffic.

The Scale of Exposure#

Tenet found 2,388 organizations with valid injectable DSNs through passive reconnaissance: Censys indexing, code search, CDN loader extraction. Seventy-one of those rank in the Tranco top-1M. In controlled testing across more than 100 organizations, the exploitation success rate was 85%.

Confirmed targets included a Fortune 500 enterprise with a parent valuation around $250 billion, a $2 billion hosting infrastructure provider, a scientific computing firm, and early-stage startups. A cloud security vendor was among the exposed. No sector or budget predicted safety.

The attack scaled effortlessly. One crafted payload, injected once, could reach thousands of Sentry projects simultaneously.

Why Existing Controls Miss It Entirely#

Tenet calls the mechanism the "Authorized Intent Chain": every step in the attack is authorized. The agent queries a legitimate MCP tool. The MCP tool returns a real Sentry event. The agent executes the suggested command. EDR, WAF, IAM, VPN, and Cloudflare have nothing anomalous to flag.

Prompt-layer defenses also failed. Agents executed the payload even when system prompts explicitly instructed them to ignore untrusted data. This is not a misconfiguration. It reflects a fundamental property of how current models handle tool output: data and instruction occupy the same representation, and the model cannot reliably distinguish them.

Tenet disclosed to Sentry on June 3. Sentry acknowledged the problem the same day but declined to fix it at the root, describing it as "technically not defensible" and noting that model vendors run middleware against it. Sentry added a filter blocking one specific payload string, which addresses a single known variant without touching the underlying mechanism.

The Real Boundary: Code Review Before Merge#

The attack surface here is not a bad actor writing malicious code. It is a developer approving agent-generated code that was steered by poisoned context. The developer sees a PR. The PR looks like a legitimate fix. The agent that wrote it was acting on a fake Sentry error, and the fix contains an outbound call to a domain the codebase has never touched before, or a read of process.env that didn't exist in prior commits, or a new file that credentials pass through.

Those signals are detectable in the diff before the merge happens. Hyrax's security domain flags exactly this pattern: new environment variable reads, outbound calls to domains not present elsewhere in the codebase, credential-adjacent file modifications. The context pipeline that generated the code is opaque, but the code itself is not. Hyrax submits a PR with findings and holds the merge on must-fix detections, so an agent-introduced exfiltration path doesn't reach production because a developer trusted the agent.

This is the first widely-documented attack that weaponizes the boundary between coding agents and external observability tools. The lesson from the broader MCP tool poisoning research published the same week is consistent: the injection is no longer in the prompt box. It is in the tools. Any MCP integration that returns externally-influenced data creates the same vulnerability class. Sentry is the demonstrated entry point, not the boundary of the problem.

What Changes in Practice#

The immediate mitigation is to audit which MCP integrations the coding agent uses and whether those integrations return data from publicly-writable endpoints. Sentry's DSN is intentional in its public exposure. Other observability tools, issue trackers, and documentation systems may have similar properties.

Longer-term, agent-generated code requires the same adversarial review posture as code from an untrusted third party, because the context that produced it may have been compromised. Prompt hardening does not solve this. Runtime controls on what the agent can execute help at the edges. The most durable check is what happens at the merge boundary: does the code do something the codebase has never done before, and is that change explained by the stated task?

Tenet's conclusion is direct: "the only place left to stop this is at the agent's runtime, in the moment it decides to act." For code that has already been written and is awaiting merge, the only place left is the diff.

Hyrax is live at hyrax.dev.