thehackernews.com web signal

Tenet Security: Agentjacking Hits 2,388 Orgs via Sentry

6 sources tracking this story
anthropic cybersecurity agents coding tools ai-security prompt-injection coding-tools

Key insights

  • Sentry patched only the specific payload string Tenet used in testing; the underlying DSN injection pathway is structurally unchanged.
  • The attack requires only a public Sentry DSN, discoverable from browser JavaScript or GitHub search, with no authentication or system breach needed.
  • 2,388 organizations have injectable DSNs; confirmed live victims include a Fortune 500 subsidiary, a $2B hosting provider, and a scientific computing firm.

Why this matters

Tenet Security's disclosure quantified a novel attack class requiring only a public Sentry DSN and no breach of any target system, confirmed against 100-plus live targets across Claude Code, Cursor, and Codex at an 85% exploitation rate. Sentry's response was a content filter on the specific known payload string, leaving the DSN injection pathway structurally intact, a limitation the Cloud Security Alliance explicitly maps to gaps in agentic AI governance rather than treating as a patchable flaw. The attack chain runs entirely under authorized developer credentials, rendering EDR, WAF, IAM, VPN, and Cloudflare controls blind to it by design. PSPDFKit's independent documentation of the same vector in the wild the same week confirms this is active exploitation, not a theoretical proof of concept.

Summary

Tenet Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran have disclosed agentjacking, a new attack class that smuggles malicious instructions into Sentry error-tracking events, which AI coding agents then execute with full developer privileges. The attack exploits Sentry DSNs, described in the research as "a public, write-only credential that's embedded in websites." Any attacker can inject a crafted error event; when a developer asks Claude Code or Cursor to fix unresolved Sentry issues, the agent retrieves the payload and runs it as trusted guidance. As the researchers put it: "The attacker never touches the victim's infrastructure. The malicious instruction arrives disguised as a legitimate Resolution inside an ordinary error." Essentially: (Tenet Security, Sentry) are at the center of a silent, at-scale credential-theft loop neither side can currently close. - Tenet found at least 2,388 organizations with valid injectable Sentry DSNs. - Testing across AI coding assistants showed an 85% exploitation success rate. - Exfiltrable data includes environment variables, Git credentials, private repository URLs, and developer identities. Sentry acknowledged the issue but declined to fix it, calling it technically not defensible, and activated only a global content filter blocking a single specific payload string.

Potential risks and opportunities

Risks

  • Organizations among the 2,388 with injectable Sentry DSNs face silent exfiltration of environment variables, Git credentials, private repository URLs, and developer identities with no reliable detection path through existing EDR, WAF, IAM, VPN, or Cloudflare controls.
  • Sentry's content filter targets only a specific payload string, meaning any attacker who varies their payload format bypasses the only current mitigation, leaving the 2,388 confirmed exposed organizations without a meaningful fix.
  • The teams behind Claude Code and Cursor face immediate pressure to audit and restrict how their agents handle content from MCP-connected external services before agentjacking generalizes to other integrations beyond Sentry.

Opportunities

  • Security vendors building MCP-layer prompt-injection inspection gain a concrete, researcher-documented attack chain to anchor enterprise conversations about AI agent supply-chain risk.
  • Developer security platforms that audit third-party MCP service integrations before agent execution have a direct, quantified offering for the at least 2,388 exposed organizations Tenet identified.
  • Sentry competitors that implement write-restricted or agent-sandbox-aware DSN designs could differentiate meaningfully to security-conscious engineering teams now aware of the agentjacking vector.

What we don't know yet

  • Whether agentjacking has been observed exploited in the wild, as the Tenet disclosure covers only controlled tests against Claude Code and Cursor.
  • Whether AI coding agents beyond Claude Code and Cursor are vulnerable, since those were the only two products confirmed in the research.
  • What timeline Sentry has, if any, for a deeper architectural fix beyond the content filter blocking a single specific payload string.

What others are reporting

Coverage cluster as of 8h after publish

  1. Tenet Security Read →

    Primary research source: six-step attack chain, IOCs, responsible-disclosure methodology, and raw credential exposure evidence from live targets including Fortune 500 and cloud vendors.

    AI coding agents cannot tell the difference between the data they read and an instruction to act.
  2. Cloud Security Alliance Read →

    Maps the attack to CSA MAESTRO and AICM governance controls, framing it as a systemic architectural gap requiring organizational policy rather than a vendor fix.

    The attack succeeds precisely because the agent performs authorized actions under the developer's identity.
  3. The Next Web Read →

    Centers on Sentry's refusal to fix the root cause and frames the gap between rapid enterprise agent deployment and the absence of execution controls.

    The agent is the attack surface now.
  4. Infosecurity Magazine Read →

    Frames agentjacking as a supply-chain attack surface problem and calls on security leaders to audit which external services their agents are permitted to query.

    The danger lies in this implicit trust. When an AI agent queries Sentry for unresolved errors, it receives the response and acts on it.
  5. GBHackers on Security Read →

    Stresses the Authorized Intent Chain framing and flags that cloud security vendors themselves appeared in the list of vulnerable organizations.

    Agentjacking bypasses EDR, WAF, IAM controls, VPN, Cloudflare, and firewalls entirely because every action in the attack chain is technically authorized.