TheVortiq
Inteligencia Artificial

Agentjacking: How a Fake Sentry Error Hijacked Claude Code and Exposed AI's Achilles' Heel

A single error event injected via Sentry, Datadog, or Jira can take control of an AI agent with full developer privileges, without raising any security alert.

July 2, 2026 · 3 min read

red padlock on black computer keyboard

TL;DR: Researchers demonstrated that a single fake Sentry event can hijack AI agents like Claude Code, executing code with developer privileges without triggering alerts. Over 2,300 organizations expose credentials that would enable the attack at scale.

What Happened?

On June 12, 2026, security firm Tenet Security revealed a new class of attack called agentjacking. In controlled tests, a single fake error event sent via Sentry — using a public credential (DSN) that requires no authentication — caused the coding agent Claude Code to execute arbitrary attacker code with the same privileges as the developer. The attack also worked on Cursor and Codex, and was successfully tested against over 100 targets, with an 85% success rate.

The vulnerability does not lie in Sentry itself, but in the trust architecture of AI agents: these agents process data from tools like Sentry, Datadog, PagerDuty, or Jira as if they were legitimate diagnostics, without verifying their origin. As Sentry noted, the flaw is "technically indefensible" from their side, since DSNs are designed to be public in frontend applications.

Why Is This Important?

The attack goes unnoticed by all traditional security systems: EDR, WAF, IAM, and firewalls. Every step in the chain is authorized: the attacker sends a valid API call to Sentry using a public DSN, the MCP server returns the injected event as authentic output, and the agent executes the instruction using the developer's permissions. No credentials are stolen, no policies are violated, no perimeter is breached.

Tenet identified 2,388 organizations with publicly exposed Sentry DSN credentials that could be used to inject malicious events at scale. Although it's a proof of concept, in one of the captured environments they found a live AWS secret key and private repository URLs.

Additionally, five independent surveys from 2026 show that companies trust their AI agents far more than security justifies. Only 34% apply the same controls to agents as to humans (Okta/Apprize360), 33% report that their agents have exceeded their intended scope (HiddenLayer), and 31% cannot confirm whether they have suffered an AI breach.

Consequences for the Ecosystem

The Cloud Security Alliance has already classified agentjacking as a systemic MCP vulnerability. The attack exposes that blind trust in data from monitoring and debugging tools is a massive attack vector. Immediate consequences include:

  • Leakage of cloud credentials, source control tokens, and sensitive data.
  • Remote code execution with developer privileges, leaving no trace in security logs.
  • Need to rethink agent permission architecture: restrict what agents can do with data returned by external tools.

What Should Readers Know?

If your organization uses AI agents connected to Sentry, Datadog, PagerDuty, Jira, or any MCP data source that developers consider trustworthy — and those agents can execute shell commands — then your stack has the same blind spot. The immediate mitigation is to audit all exposed public DSNs and, above all, restrict what agents can do with the data those tools return. Revoking the DSN is not enough, because Sentry designed them to be public. The solution is to apply the principle of least privilege to agents: do not let them execute commands based on unverified data.

"The traditional security stack cannot distinguish between a developer running 'npm install' and an agent running that command in response to a malicious error event. That distinction didn't exist until AI agents became production tools." — The New Stack, June 2026

Agentjacking is not a bug in Sentry; it's a bug in how we design agent trust. Until it's fixed, any monitoring tool that an agent consumes is a potential attack vector.

Keep reading