You tell your AI agent: "fix the Sentry errors." It queries Sentry via MCP, reads a fake error with a "Resolution" section containing an npx command, and executes it with your full system privileges. No breach. No exploit. No unauthorized access. Everything legitimate. Everything devastating. This is Agentjacking — and according to Tenet Security, 85% of tested agents executed the payload.
What is Agentjacking
Agentjacking is a class of attack that hijacks AI coding agents to execute malicious commands with the developer's full system privileges. The term was coined by Tenet Security — a startup that emerged from stealth on June 17, 2026, with a $6M seed round, founded by former Cisco AI Defense members and Unit 8200 alumni (CEO Barak Sternberg, CTO Nevo Poran).
The core concept is the Authorized Intent Chain: every step of the attack is legitimate and authorized. The agent queries an MCP tool, reads data, interprets instructions, and executes actions — exactly what it was designed to do. The problem is that the data it reads can contain malicious instructions injected by an attacker, and the agent cannot distinguish legitimate guidance from a payload.
According to Tenet Security's research, 4+ agent families were hijacked: Claude Code, Cursor, Codex, and others. The 85% success rate among agents that acted on injected errors shows this is not an isolated issue — it is systemic.
The attack chain via Sentry MCP
According to Tenet Security, the attack against Sentry follows 5 stages:
DSN discovery: the attacker finds the public Sentry DSN (Data Source Name) in the website's JavaScript. The DSN is a write-only key with no authentication — anyone can post events to it.
Forged event injection: the attacker POSTs a fabricated event to ingest.sentry.io. The server returns HTTP 200 and processes the event like any real error.
Markdown injection: the forged event contains markdown that makes the error look identical to Sentry's own template — including a "Resolution" section with a malicious npx command.
Agent reads the event: the AI agent queries Sentry via MCP, reads the forged event, and cannot distinguish it from legitimate Sentry guidance.
Execution with full privileges: the agent executes the npx command with the developer's full system privileges. What gets exfiltrated: AWS keys, GitHub tokens, Kubernetes credentials, npm and Docker tokens, CI/CD secrets, SSH agent access, Sentry authentication tokens.
The numbers are alarming: 2,388 organizations with exposed and injectable DSNs. 71 of them in the top-1M Tranco ranking. Over 100 organizations in the validated controlled set. The attack surface is real and measurable.
Why nothing detects it
According to Tenet Security, every step of the attack is authorized. EDR does not flag it because there is no unauthorized code execution. WAF does not block it because the POST to Sentry is legitimate. IAM does not detect it because the agent operates with the developer's own credentials. VPN does not help because the traffic is normal. Nothing is unauthorized — and that is exactly what makes the attack invisible.
It is an Authorized Intent Chain. Prompt-layer defenses also failed: agents executed the payload even when explicitly instructed to ignore untrusted data. The semantic trust between agent and tool is broken — and traditional security tools do not operate at this layer.
Sentry is just the beginning
According to Tenet Security, any MCP-connected service where external parties contribute content has the same vulnerability. The attack surface extends far beyond Sentry:
- Issue trackers (Jira, Linear, GitHub Issues): any user can create issues with markdown that the agent reads and interprets as instructions.
- Ticketing systems: customer support tickets can contain malicious instructions that the agent executes when trying to "resolve" the ticket.
- Code review platforms: pull request comments can contain payloads that the agent executes when trying to "implement" the feedback.
- Log aggregation: injected logs can contain instructions that the agent interprets as debugging guidance.
The pattern is the same: a channel where untrusted data flows into a system that the AI agent queries via MCP. The agent does not distinguish data from instructions — and the attacker exploits exactly this ambiguity.
Sentry's response
According to Tenet Security, Sentry acknowledged the issue on June 3. They refused a root cause fix, arguing the vulnerability is "indefensible by nature." They added a content filter for one specific payload string.
The filter is trivially bypassable: just change the payload to not contain the blocked string. It is like blocking one specific phishing URL while thousands of others remain accessible. Sentry's response does not solve the fundamental problem — and it is not reasonable to expect them to solve it alone. The vulnerability is in the trust architecture between agent and tool, not in Sentry itself.
Available mitigation
According to Tenet Security, open-source mitigation is available at github.com/tenet-security/agent-jackstop — drop-in configurations for Cursor and Claude Code that block automatic execution of commands originating from untrusted data.
But real protection requires a mental model shift: the security perimeter has moved to the semantic trust between agent and tool. This means:
- MCP trust boundaries: agents should never execute shell commands originating from data read via MCP without explicit developer confirmation.
- Least privilege: agents should have access only to the MCP tools strictly necessary, with the smallest permission scope possible.
- Permission audits: regularly review which MCP tools each agent can access and what actions each tool can perform.
At Tech86, we see Agentjacking as the first concrete example of a new class of threats that will grow exponentially as more services connect via MCP. The AI agent security model needs to evolve — fast. If your team uses AI agents to code, you need to understand Agentjacking today. We can help assess and mitigate this attack surface.