Agentjacking RCE: Fake Bug Reports, 85% Hit Rate, 2,388 Orgs

Tenet Security's June 9, 2026 disclosure of agentjacking was alarming. The productionized RCE variant documented in their full research is worse: a crafted Sentry error event, requiring nothing beyond a public DSN key, achieves an 85% exploitation rate against Claude Code, Cursor, and Codex, with 2,388 organizations currently exposed at zero cost to attack. No malware. No phishing. No prior server access.

What Changed Since the Original Disclosure#

The earlier agentjacking disclosure covering the poisoned Sentry vector established the mechanism. This research extends it with confirmed scale and a fully documented exfiltration chain. Tenet researchers Ron Bobrov, Barak Sternberg, and Nevo Poran published the complete findings in mid-June 2026, after controlled testing against more than 100 real organizations. The 85% success rate held across all three major coding agents. Seventy-one of the exposed organizations rank in the Tranco top-1 million. A Fortune 500 enterprise with a parent valuation around $250 billion was among the confirmed targets, as was a $2 billion hosting infrastructure provider.

The victim count is not a projection. Tenet identified 2,388 organizations with injectable DSNs through passive reconnaissance alone: Censys queries, GitHub code search, CDN JavaScript extraction. No target system was breached during discovery.

The Attack in Four Steps#

Sentry Data Source Names are write-only credentials embedded in frontend JavaScript by design. Any attacker can POST a crafted event to the ingest endpoint; Sentry returns HTTP 200 and processes it identically to a legitimate crash report.

The injected event contains a fake ## Resolution section formatted in markdown, including an npx command. When a developer asks Claude Code, Cursor, or Codex to "fix unresolved Sentry issues," the agent queries Sentry via MCP and receives the injected event. The markdown renders as structured content indistinguishable from Sentry's own system templates. The agent executes the command with the developer's full system privileges.

From there, the package probes for AWS credentials at ~/.aws/config, GitHub tokens, npm tokens at ~/.npmrc, Docker credentials at ~/.docker/config.json, and environment variables, then POSTs results to an attacker-controlled beacon server.

Why Every Perimeter Control Misses It#

Tenet calls the mechanism the "Authorized Intent Chain." The developer authorized the agent. The agent authorized the MCP connection. The MCP connection returns data from Sentry, a service the developer explicitly integrated. EDR, WAF, IAM policies, VPN, and Cloudflare have nothing anomalous to flag, because nothing anomalous is happening at any individual step.

Prompt-layer defenses failed too. Agents executed the payload even when system prompts explicitly instructed them to ignore untrusted data. Infosecurity Magazine reported Tenet's direct conclusion: "the agent's trust in MCP tool responses creates a direct pathway from injected data to code execution." That trust is architectural, not a misconfiguration.

Sentry was disclosed to on June 3, 2026, acknowledged the problem the same day, and declined to fix it at the root. Its engineering team described the issue as "technically not defensible" at the ingestion layer. A content filter blocking one specific payload string from the proof of concept is the entirety of deployed remediation.

The Broader Input Surface#

Sentry is the demonstrated entry point, not the boundary of the problem. Any MCP integration that returns data from a publicly writable endpoint creates the same vulnerability class. Issue trackers, ticketing systems, CI logs, documentation platforms , all potential vectors where attacker-controlled content can be returned to an agent as trusted tool output. The Cloud Security Alliance published a follow-up research note on June 12, 2026, mapping the attack to the MAESTRO framework and classifying it as a tool interface abuse threat at the Agent Frameworks layer.

The implication for teams running coding agents is specific: treat every external data source the agent reads as untrusted, regardless of how well-regarded the platform is. Sentry's DSN was designed to be public. That design decision predates MCP by years.

Where Code Review Fits#

The attack surface from Hyrax's position is not the injection itself but what comes after it. An agent steered by a poisoned Sentry event writes code. That code then appears in a PR, looking like a legitimate fix. The context pipeline that produced it is opaque. The diff is not.

Agent-introduced exfiltration paths have detectable signatures: new environment variable reads, outbound calls to domains absent from the rest of the codebase, credential-adjacent file modifications, new files through which secrets pass. Hyrax's security domain flags exactly these patterns across the full codebase before merge. Hyrax submits a PR with findings; the developer merges. An agent-written backdoor does not reach production because a developer trusted the agent's judgment about a fake bug report.

The immediate operational question is not whether to trust MCP integrations in theory. It is which specific integrations the coding agent uses today, whether those integrations return data from publicly writable endpoints, and what review happens at the merge boundary before agent-generated code ships.

Hyrax is live at hyrax.dev.