PERMISSION/PROTOCOL

2026-06-08

Critical · Primary

Agentjacking: Attackers inject malicious instructions into fake Sentry errors via public DSN, hijacking Claude Code, Cursor, and Codex with 85% success rate across 2,388 organizations

Researchers find attackers can inject fake Sentry errors to hijack Claude Code, Cursor, and Codex — 85% success rate, 2,388 exposed organizations, no credentials required.

Sentry MCP
Tool execution / MCP
MCP prompt injection / supply chain hijack
Developer workstations / CI/CD pipelines / cloud credentials

What happened

AI coding agents retrieved attacker-controlled Sentry error events via MCP and executed embedded shell commands with developer privileges

Why it matters

Credential exfiltration (AWS keys, GitHub tokens, npm credentials, Kubernetes tokens, CI/CD secrets) from developer machines across 2,388 organizations; 85% exploitation rate confirmed in controlled testing

Missing authorization check

No per-tool-call authorization gate between MCP-sourced external data and agent execution; agents treated Sentry event content as commands without any authority receipt

Would PP block it?

PP intercepts the resulting tool call (e.g. install an npm package) and requires a human-signed receipt before execution. An attacker who injects a fake Sentry event gets the agent to propose the action — but PP's gate fires before the shell command runs. The gap: PP cannot sanitize the upstream MCP data itself. If the organization's tool-call policy pre-approves package installs, the gate is already open.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-06-03: Tenet Security discloses findings to Sentry; Sentry acknowledges the same day and declines a root-cause fix.
  2. 2026-06-08: Tenet Security publishes the full research, "A Fake Bug Report Hijacks Your AI Coding Agent".
  3. 2026-06-12: CSA Labs, The Hacker News, and Infosecurity Magazine publish independent coverage.
  4. 2026-06-12: Sentry deploys a reactive content filter blocking specific payload strings, a workaround rather than a root-cause fix.
  5. 2026-06-15: Attack surface remains: 2,388 organizations still exposed; no architectural fix shipped.

Technical breakdown

  • Sentry DSNs are intentionally public (embedded in frontend JS) — the ingest API accepts arbitrary payloads from anyone holding the DSN, by design.
  • The Sentry MCP server returns event data verbatim to the AI agent as trusted system output — no content boundary or instruction-data separator.
  • Markdown injection creates "Resolution" sections structurally identical to genuine Sentry output, which AI agents interpret as legitimate Sentry guidance rather than attacker-controlled content.
  • Every resulting action is authorized via the developer's own credentials — EDR, WAF, IAM, VPN, and firewalls see a legitimate developer session and do not alert.
  • Attack scales effortlessly: a single HTTP POST targets all organizations using that DSN simultaneously; no per-target effort required beyond DSN discovery.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: Tool-call layer (before shell execution)
Still needs: MCP input validation and a trust boundary between external-source data and the agent's instruction context
Receipt required for: Any shell command, package install, or credential-touching action proposed after MCP tool retrieval

PP's Tool-Call Gate can require a signed receipt before the agent executes shell commands — but cannot prevent the MCP layer from surfacing injected data as trusted input.
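As an added illustration, not Permission Protocol's own code, the following Python sketch shows the boundary described in "Would PP block it?" and in this section: MCP output enters the agent context wrapped as labelled untrusted data, and any shell, package-install or credential-touching call is blocked until a human-held key signs a receipt bound to that exact call, with the pre_approved set reproducing the policy gap noted above. The risk classes, the HMAC receipt scheme and all names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Action classes that never run on the agent's say-so alone (constructed policy).
HIGH_RISK = {"shell", "package_install", "credential_read"}


def wrap_mcp_result(server: str, event: dict) -> dict:
    """Trust boundary: MCP output enters the agent context as labelled data, never as instructions."""
    return {"trust": "untrusted-external", "source": server, "data": event}


def canonical(call: dict) -> bytes:
    # Stable serialisation so a receipt binds to exactly these arguments and provenance.
    return json.dumps(call, sort_keys=True, separators=(",", ":")).encode()


class ToolCallGate:
    """Sits between the agent's proposed tool call and the executor (hypothetical gate)."""

    def __init__(self, signer_key: bytes, pre_approved=()):
        self.key = signer_key                  # held by the human signer, never by the agent
        self.pre_approved = set(pre_approved)  # policy escape hatch; empty set keeps the gate closed
        self.spent = set()                     # receipts are single-use

    def sign_receipt(self, call: dict) -> str:
        # Only the human signer calls this, after reading the canonical call and its provenance.
        return hmac.new(self.key, canonical(call), hashlib.sha256).hexdigest()

    def decide(self, call: dict, receipt=None) -> str:
        if call["kind"] not in HIGH_RISK:
            return "allow"
        if call["kind"] in self.pre_approved:
            return "allow:pre-approved"       # the gate is already open, as the text warns
        if receipt is None or receipt in self.spent:
            return "block:receipt-required"
        if not hmac.compare_digest(receipt, self.sign_receipt(call)):
            return "block:receipt-mismatch"  # receipt was issued for a different call
        self.spent.add(receipt)
        return "allow:signed"


# Constructed scenario: an install proposed after reading an untrusted Sentry event.
PROPOSED_INSTALL = {
    "kind": "package_install",
    "argv": ["npm", "install", "example-pkg"],
    "provenance": wrap_mcp_result("sentry-mcp", {"id": "EVT-DEMO-0001"}),
}
```

Because the receipt covers the provenance field, the signer sees that the proposal derives from an untrusted external event before approving it.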

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
