Tenet Security: Agentjacking Hits 2,388 Orgs via Sentry
Key insights
- Sentry patched only the specific payload string Tenet used in testing; the underlying DSN injection pathway is structurally unchanged.
- The attack requires only a public Sentry DSN, discoverable from browser JavaScript or GitHub search, with no authentication or system breach needed.
- 2,388 organizations have injectable DSNs; confirmed live victims include a Fortune 500 subsidiary, a $2B hosting provider, and a scientific computing firm.
Potential risks and opportunities
Risks
- Organizations among the 2,388 with injectable Sentry DSNs face silent exfiltration of environment variables, Git credentials, private repository URLs, and developer identities with no reliable detection path through existing EDR, WAF, IAM, VPN, or Cloudflare controls.
- Sentry's content filter targets only a specific payload string, meaning any attacker who varies their payload format bypasses the only current mitigation, leaving the 2,388 confirmed exposed organizations without a meaningful fix.
- The teams behind Claude Code and Cursor face immediate pressure to audit and restrict how their agents handle content from MCP-connected external services before agentjacking generalizes to other integrations beyond Sentry.
Opportunities
- Security vendors building MCP-layer prompt-injection inspection gain a concrete, researcher-documented attack chain to anchor enterprise conversations about AI agent supply-chain risk.
- Developer security platforms that audit third-party MCP service integrations before agent execution have a direct, quantified offering for at least the 2,388 exposed organizations Tenet identified.
- Sentry competitors that implement write-restricted or agent-sandbox-aware DSN designs could differentiate meaningfully to security-conscious engineering teams now aware of the agentjacking vector.
What we don't know yet
- Whether agentjacking has been observed exploited in the wild, as the Tenet disclosure covers only controlled tests against Claude Code and Cursor.
- Whether AI coding agents beyond Claude Code and Cursor are vulnerable, since those were the only two products confirmed in the research.
- What timeline Sentry has, if any, for a deeper architectural fix beyond the content filter blocking a single specific payload string.
What others are reporting
- Tenet Security: Primary research source with the six-step attack chain, IOCs, responsible-disclosure methodology, and raw credential exposure evidence from live targets including Fortune 500 and cloud vendors.
  "AI coding agents cannot tell the difference between the data they read and an instruction to act."
- Cloud Security Alliance: Maps the attack to CSA MAESTRO and AICM governance controls, framing it as a systemic architectural gap requiring organizational policy rather than a vendor fix.
  "The attack succeeds precisely because the agent performs authorized actions under the developer's identity."
- The Next Web: Centers on Sentry's refusal to fix the root cause and frames the gap between rapid enterprise agent deployment and the absence of execution controls.
  "The agent is the attack surface now."
- Infosecurity Magazine: Frames agentjacking as a supply-chain attack surface problem and calls on security leaders to audit which external services their agents are permitted to query.
  "The danger lies in this implicit trust. When an AI agent queries Sentry for unresolved errors, it receives the response and acts on it."
- GBHackers on Security: Stresses the Authorized Intent Chain framing and flags that cloud security vendors themselves appeared in the list of vulnerable organizations.
  "Agentjacking bypasses EDR, WAF, IAM controls, VPN, Cloudflare, and firewalls entirely because every action in the attack chain is technically authorized."
Originally reported by thehackernews.com
Original headline: 'Agentjacking' Attack Hijacks Claude Code, Cursor, and Codex via Fake Sentry Errors — 85% Exploitation Rate, 2,388 Organizations Exposed