The important part of the agentjacking report is not that Sentry exists, or that MCP exists, or that coding agents can run shell commands. The important part is the new trust boundary it exposes. Builders are wiring agents to systems that were designed to collect messy, externally influenced data, then asking those agents to interpret the data as operational truth. In the CSA AI Safety Initiative research note, based on Tenet Security's June 2026 work, attackers can inject instructions into Sentry error events through public write-only DSNs. MCP-connected coding agents can later retrieve those events and treat the embedded text as remediation guidance. That is not a classic credential leak. It is a context supply chain problem.
Key Takeaways
- Agent builders should treat MCP tool responses as untrusted input, not as a privileged control channel.
- The reported attack uses Sentry DSNs, which are public by design, to place attacker-authored content into an error queue an agent may later inspect.
- According to the CSA note, Tenet Security reported an 85% exploitation success rate across tested coding agents in controlled testing.
- Conventional controls can miss the behavior because the agent executes ordinary developer actions using legitimate local credentials.
- The practical fix is not to avoid observability integrations, it is to add provenance, policy, confirmation, and sandboxing around agent actions.
Source Card
Agentjacking: MCP Injection Hijacks AI Coding AgentsThe note matters because it frames a concrete agent security failure mode: externally writable operational data can become an instruction stream when exposed through MCP to a coding agent. The value for builders is not the brand list, but the architectural lesson about implicit trust.
Cloud Security Alliance AI Safety Initiative

The trust boundary moved, but many builders did not notice
Before agentic coding workflows, an error tracker was mostly a human decision support tool. It collected stack traces, request context, user reports, and application metadata. A developer read the issue, decided what mattered, and typed the next command. With an MCP-connected coding agent, that same error tracker can become an input channel for an autonomous workflow. The agent may query unresolved issues, summarize likely causes, edit files, run dependency tools, and test fixes. That changes the risk model. A field that was safe enough to render in a web UI may not be safe enough to place in a model context that can influence command execution. The core builder mistake is confusing data access with action authority. If a tool can only read from Sentry, the integration may feel low risk. But if the reader is an agent that can act locally, read access becomes indirect write access to the developer machine's behavior.
| Signal | Why it matters |
|---|---|
| Public DSNs are normal in client applications | A public ingestion credential is not a secret, so builders cannot rely on secrecy to protect downstream agent context. |
| Events can contain attacker-controlled text | An agent may see that text inside a trusted tool response unless the integration labels origin and trust level. |
| MCP makes tool data easy to route into agents | Standardization increases adoption, but also makes repeated trust mistakes easier to copy across products. |
| The agent acts with developer privileges | The effective blast radius is the local workstation, repo access, cloud tokens, package credentials, and CI context. |
For agent builders, the dangerous input is not only the user prompt. It is every database row, error event, ticket, log line, and support message that can reach the model.
How the reported attack works, without the drama

- An attacker finds a Sentry DSN. The CSA note says DSNs can appear in browser JavaScript, public repositories, and internet scan results because they are meant to be embedded in client software.
- The attacker sends a crafted event to Sentry's ingest endpoint. The event looks like a normal application error from the collection layer's point of view.
- The attacker places instructions inside event fields, message text, context keys, or markdown-like diagnostic content. The trick is not malware at this stage. It is instruction placement.
- A developer asks a coding agent to investigate unresolved Sentry issues through an MCP integration. The agent receives the injected event as part of a trusted tool response.
- The agent interprets the injected text as remediation guidance. In the CSA summary of Tenet Security's tests, agents including Claude Code, Cursor, and Codex did not reliably distinguish attacker-authored event text from legitimate diagnostic material.
- The agent runs an action under the developer's own authority. The action could be a package runner command, a repository change, a diagnostic script, or any other workflow the developer has allowed the agent to perform.
- The payload can collect secrets available on the workstation. The CSA note says the proof of concept recovered environment variables, cloud credentials, source control tokens, package registry tokens, Docker credentials, Kubernetes tokens, and CI/CD secrets.
Builder note
Do not treat this as a Sentry-only issue. Sentry is the concrete path in the report because its open event ingestion model and public DSNs create a clean demonstration. The same pattern can appear anywhere an attacker can influence content that an agent later reads: issue trackers, customer support tickets, logs, analytics events, pull request comments, package metadata, chat archives, CRM notes, and internal search indexes. If an agent can both ingest that content and take privileged action, the content channel needs policy.
Why normal security controls can look away
Agentjacking is awkward for conventional security because the suspicious part happens inside interpretation. Endpoint detection may see a trusted coding tool launching a normal developer command. IAM sees valid credentials. A web application firewall does not block a public telemetry endpoint from accepting telemetry. A VPN does not help if the developer is already inside the trusted environment. Even allowlisted package registries are not a full answer if the attacker can influence which package or script the agent invokes. The failure mode is semantic: untrusted text is reclassified as trusted intent. That means builders need controls close to the agent runtime, not only perimeter systems. Useful controls include provenance metadata on tool results, taint tracking for externally sourced fields, policy checks before shell execution, and separate permission tiers for read, write, network, package installation, credential access, and destructive repository operations.
- Add origin labels to every tool result. The agent should know whether content came from a user, a vendor API, a public event ingest endpoint, a verified internal system, or a human-reviewed source.
- Strip or neutralize instruction-like text from externally writable fields before it reaches the model. Preserve the evidence for human review, but do not let it become an executable plan.
- Require explicit approval for commands that install packages, run remote scripts, read credential stores, change CI configuration, touch deployment files, or exfiltrate archives.
- Run coding agents in a sandbox with scoped credentials. If the agent needs repository access, it should not automatically inherit the developer's full cloud, registry, Kubernetes, and source control tokens.
- Log the chain from tool response to model decision to action. If a Sentry event, ticket, or log line caused a command, the audit record should show that dependency.
What is still uncertain
The CSA note describes Tenet Security's proof-of-concept research and controlled testing, not confirmed exploitation at broad scale. Builders should keep that distinction. The numbers are still serious: the note reports an 85% success rate across tested agents and at least 2,388 organizations with injectable Sentry DSNs identified by Tenet Security. But the larger lesson does not depend on those exact figures. MCP is becoming the connective tissue for agent tools. That is good for productivity and dangerous for lazy trust models. The winning pattern is not to ban integrations. It is to design agents as if every tool response might contain mixed-origin content, then decide what that content is allowed to influence. In practice, that means smaller permissions, typed tool outputs, human checkpoints for high-risk actions, and security tests that include prompt injection through tools, not just through chat.
- Cloud Security Alliance AI Safety Initiative, Agentjacking: MCP Injection Hijacks AI Coding Agents, published 2026-06-12, https://labs.cloudsecurityalliance.org/research/csa-research-note-agentjacking-mcp-sentry-injection-20260612
- The CSA note summarizes research attributed to Tenet Security and reports details including public DSN discovery, MCP-mediated event retrieval, controlled testing against coding agents, and Sentry's June 3, 2026 disclosure response.
