Research by Tenet Security demonstrates how a single error event can lead to arbitrary code execution on a developer's host. The issue arises at the intersection of Sentry's architecture and AI agents. Sentry accepts untrusted input and then, via the MCP server, passes it to agents as trusted output.

An attacker only needs to send a specially crafted event to Sentry using a public DSN, which is often exposed in the source code of web applications. Malicious instructions are disguised as troubleshooting recommendations and become indistinguishable from legitimate ones. As a result, tools like Claude Code and Cursor interpret them as valid actions and may execute attacker-controlled npm packages, opening the door to development environment compromise and sensitive data exfiltration.

📎 Article: https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/

New Agentjacking Attack Targeting AI Agents