thehackernews.com web signal

Tenet Security: Agentjacking Hits 2,388 Orgs via Sentry

anthropic cybersecurity agents coding tools ai-security prompt-injection coding-tools

Key insights

  • Tenet Security found at least 2,388 organizations with publicly injectable Sentry DSNs, requiring no attacker authentication to exploit.
  • Testing across Claude Code and Cursor showed an 85% exploitation success rate against injected Sentry errors.
  • Sentry declined to fix the underlying issue, calling it technically not defensible and shipping only a string-matching content filter.

Why this matters

The 85% exploitation success rate across Claude Code and Cursor means AI coding agent toolchains are now a proven, reliable attack surface at scale rather than a theoretical concern. Because Sentry DSNs are public write-only credentials embedded in frontend JavaScript by design, the attack requires no perimeter breach and reaches at least 2,388 confirmed organizations today. Sentry's public position that the vulnerability is technically not defensible leaves every MCP-connected external service as a potential agentjacking vector with no vendor-side fix on the horizon.

Summary

Tenet Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran have disclosed agentjacking, a new attack class that smuggles malicious instructions into Sentry error-tracking events, which AI coding agents then execute with full developer privileges. The attack exploits Sentry DSNs, described in the research as "a public, write-only credential that's embedded in websites." Any attacker can inject a crafted error event; when a developer asks Claude Code or Cursor to fix unresolved Sentry issues, the agent retrieves the payload and runs it as trusted guidance. As the researchers put it: "The attacker never touches the victim's infrastructure. The malicious instruction arrives disguised as a legitimate Resolution inside an ordinary error." Essentially: (Tenet Security, Sentry) are at the center of a silent, at-scale credential-theft loop neither side can currently close. - Tenet found at least 2,388 organizations with valid injectable Sentry DSNs. - Testing across AI coding assistants showed an 85% exploitation success rate. - Exfiltrable data includes environment variables, Git credentials, private repository URLs, and developer identities. Sentry acknowledged the issue but declined to fix it, calling it technically not defensible, and activated only a global content filter blocking a single specific payload string.

Potential risks and opportunities

Risks

  • Organizations among the 2,388 with injectable Sentry DSNs face silent exfiltration of environment variables, Git credentials, private repository URLs, and developer identities with no reliable detection path through existing EDR, WAF, IAM, VPN, or Cloudflare controls.
  • Sentry's content filter targets only a specific payload string, meaning any attacker who varies their payload format bypasses the only current mitigation, leaving the 2,388 confirmed exposed organizations without a meaningful fix.
  • The teams behind Claude Code and Cursor face immediate pressure to audit and restrict how their agents handle content from MCP-connected external services before agentjacking generalizes to other integrations beyond Sentry.

Opportunities

  • Security vendors building MCP-layer prompt-injection inspection gain a concrete, researcher-documented attack chain to anchor enterprise conversations about AI agent supply-chain risk.
  • Developer security platforms that audit third-party MCP service integrations before agent execution have a direct, quantified offering for the at least 2,388 exposed organizations Tenet identified.
  • Sentry competitors that implement write-restricted or agent-sandbox-aware DSN designs could differentiate meaningfully to security-conscious engineering teams now aware of the agentjacking vector.

What we don't know yet

  • Whether agentjacking has been observed exploited in the wild, as the Tenet disclosure covers only controlled tests against Claude Code and Cursor.
  • Whether AI coding agents beyond Claude Code and Cursor are vulnerable, since those were the only two products confirmed in the research.
  • What timeline Sentry has, if any, for a deeper architectural fix beyond the content filter blocking a single specific payload string.

Originally reported by thehackernews.com

Read the original article →

Original headline: 'Agentjacking' Attack Hijacks Claude Code, Cursor, and Codex via Fake Sentry Errors — 85% Exploitation Rate, 2,388 Organizations Exposed