Tenet Security — Agentjacking Attacks Hijack AI Coding Agents via MCP
AI relevance: AI coding agents connected to observability tools via MCP trust tool responses as authoritative — an architectural flaw that lets attackers turn any public DSN into remote code execution on developer machines.
Tenet Security's Threat Labs revealed "Agentjacking," a new attack class that exploits the intersection of Sentry's public DSN ingestion and the Sentry MCP server. The result: arbitrary code execution on developer machines with no prior breach required.
How it works
- Sentry DSNs are intentionally public credentials embedded in frontend JavaScript — Sentry documents this as safe because they are write-only.
- An attacker POSTs a crafted error event to Sentry's ingest endpoint using only the DSN. No authentication beyond that is needed.
- The injected event contains carefully formatted markdown in the message field and context keys, visually indistinguishable from Sentry's own remediation guidance.
- When a developer asks their AI coding agent to "fix unresolved Sentry issues," the agent queries Sentry via MCP and receives the malicious event as trusted system output.
- The agent cannot differentiate injected instructions from legitimate guidance and executes attacker-controlled code with the developer's full privileges.
- The researchers confirmed 85% execution success rate across Claude Code, Cursor, and Codex in controlled testing.
- They identified at least 2,388 organizations with exposed, injectable DSNs.
- The attack bypasses EDR and web application firewalls because there is no traditional malicious payload to detect — the agent itself runs the code.
Why it matters
This is an architectural problem, not a configuration mistake. AI coding agents connected to external tools via MCP treat every tool response as trusted data. When those tools ingest untrusted input from public endpoints (like Sentry DSNs), the agent becomes a vehicle for indirect prompt injection that results in remote code execution. Every MCP-connected observability, monitoring, or ticketing tool with public-facing write endpoints faces the same risk.
What to do
- Audit which MCP-connected tools in your AI agent workflows accept data from public or untrusted endpoints.
- Restrict Sentry DSN exposure where possible — embed only where necessary, monitor for DSNs in public repos.
- Implement input validation at the agent runtime layer: treat MCP tool responses as untrusted data, not instructions.
- Review agent tool allowlists and permission boundaries — apply the principle of least privilege to agent tool access.