Agentjacking Exploits Sentry MCP to Make AI Coding Agents Run Malicious Code
Tenet Security disclosed Agentjacking, an attack that abuses public write-only Sentry DSNs and Sentry’s Model Context Protocol (MCP) integration to inject attacker-controlled error content into AI coding assistants including Claude Code and Cursor. In the reported attack chain, a forged Sentry event is returned to the agent as seemingly trusted diagnostic or remediation guidance, leading the agent to execute attacker-specified commands on a developer workstation without phishing, malware delivery, or prior compromise of the victim environment.
The researchers said they found 2,388 organizations with injectable DSNs and observed an 85% success rate in controlled testing across more than 100 organizations, including confirmed cases of real agent execution. Their proof of concept used an npm package launched via a code block command to validate access to local secrets such as environment variables, Git credentials, private repository URLs, and user identity data, then send limited metadata to a Tenet-controlled beacon server. Sentry acknowledged the issue and reportedly deployed a global content filter for a specific payload string, while Tenet argued the weakness reflects a broader architectural risk in AI agents that consume externally influenced data through MCP-like integrations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Tenet releases Agent-JackStop mitigation tool
Tenet released a mitigation tool called Agent-JackStop in response to the Agentjacking attack technique. The tool was presented alongside reporting that the broader design issue remains difficult to fully solve at the ingestion layer.
Tenet Security publicly discloses Agentjacking attack class
Tenet Security publicly disclosed a new attack class called Agentjacking that can trick AI coding agents such as Claude Code and Cursor into executing attacker-controlled code via forged Sentry error events and MCP integrations. The researchers said they found 2,388 organizations with injectable DSNs and observed high success rates in testing and confirmed real agent executions.
Sentry acknowledges issue and deploys payload-string content filter
After receiving Tenet's disclosure, Sentry acknowledged the issue and reportedly deployed a global content filter for a specific payload string rather than fully remediating the broader problem. Sentry also characterized the wider attack class as not defensible at the ingestion layer.
Tenet Security discloses Agentjacking findings to Sentry
Tenet Security disclosed its Agentjacking research to Sentry on June 3, 2026. The report described abuse of public Sentry DSNs and MCP integrations to feed attacker-controlled content to AI coding agents.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
A public Sentry key is all it takes to hijack Claude Code, Cursor, and Codex - The New Stack
thenewstack.io
Open sourceAgentjacking attack exploits AI coding tools with fake error reports | brief | SC Media
scworld.com
Open sourceNew Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From Hackers Server
cybersecuritynews.com
Open sourceAgentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI Agent Session Smuggling and Code Interpreter Exploits in Enterprise AI Systems
A new attack technique called **agent session smuggling** has been identified, allowing malicious AI agents to exploit established cross-agent communication sessions to covertly inject instructions into victim agents. This method leverages the stateful nature of protocols like Agent2Agent (A2A), which are designed for persistent, context-aware conversations between AI agents. The attack does not exploit a vulnerability in the protocol itself, but rather abuses the implicit trust and memory features of stateful agent communication, enabling a rogue agent to manipulate a victim over multiple interactions. Mitigation strategies include human-in-the-loop enforcement, remote agent verification, and context-guarding mechanisms. Separately, a vulnerability in Anthropic’s Claude AI assistant was demonstrated, where attackers could exploit the code interpreter feature to exfiltrate sensitive enterprise data. By using indirect prompt injection, malicious instructions embedded in user-supplied content could trigger Claude to retrieve confidential information and upload it to attacker-controlled accounts via the platform’s own API, bypassing default network restrictions. The exploit highlights the risks of implicit trust and insufficiently restricted internal APIs in advanced AI systems, emphasizing the need for robust security controls around agent interactions and code execution features.
Mar 21, 2026
Malicious code and prompt-injection attacks targeting developers and AI-agent ecosystems
Multiple reports describe **social-engineering and supply-chain style attacks** that trick developers or AI-agent users into executing attacker-controlled instructions. North Korean operators have been linked to the **“Contagious Interview”** campaign, in which fake recruiter personas lure software developers into running “technical interview” projects that deploy malware such as **BeaverTail** and **OtterCookie** for credential theft and remote access; GitLab reported banning **131 related accounts** in 2025, with many repos using **hidden loaders** that fetched payloads from third-party services (e.g., *Vercel*) rather than hosting malware directly. Separately, OpenGuardrails reported a campaign on *ClawHub* (an OpenClaw AI agent “skills” repository) where attackers posted **malicious troubleshooting comments** containing Base64-encoded commands that download a loader from `91[.]92[.]242[.]30`, remove macOS quarantine attributes, and install **Atomic macOS (AMOS) infostealer**—a delivery method that can evade package-focused scanning because the payload is in comments, not the skill artifact. Research and incident writeups also highlight how **indirect prompt injection** and **malicious open-source packages** can compromise developer environments. NSFOCUS summarized a GitHub **MCP cross-repository data leak** scenario where attacker-injected instructions in public Issues could cause locally running AI agents to exfiltrate private repo data when agents act with broad GitHub permissions, and cited a similar hidden-command issue affecting an AI browser’s page summarization workflow. JFrog reported malicious npm packages (e.g., `eslint-verify-plugin`, `duer-js`) delivering multi-stage payloads including a **macOS RAT** (Mythic/Apfell) and a Windows infostealer, reinforcing ongoing risk from poisoned dependencies. In contrast, a DFIR case study on **CVE-2023-46604** exploitation of Apache ActiveMQ leading to **LockBit**-style ransomware, and a Medium post on recon/content-discovery techniques, are separate topics and not part of the AI-agent/developer social-engineering thread.
May 15, 2026
AI and Open-Source Ecosystem Abused for Malware Delivery and Agent Manipulation
Multiple reports describe threat actors abusing *AI-adjacent* and open-source distribution channels to deliver malware or manipulate automated agents. Straiker STAR Labs reported a **SmartLoader** campaign that trojanized a legitimate-looking **Model Context Protocol (MCP)** server tied to *Oura* by cloning the project, fabricating GitHub credibility (fake forks/contributors), and getting the poisoned server listed in MCP registries; the payload ultimately deployed **StealC** to steal credentials and crypto-wallet data. Separately, researchers observed attackers using trusted platforms and SaaS reputations for delivery and monetization: a fake Android “antivirus” (*TrustBastion*) was hosted via **Hugging Face** repositories to distribute banking/credential-stealing malware, and Trend Micro documented spam/phishing that abused **Atlassian Jira Cloud** email reputation and **Keitaro TDS** redirects to funnel targets (including government/corporate users across multiple language groups) into investment scams and online casinos. In parallel, research highlights emerging risks where **AI agents and AI-enabled workflows become the target or the transport layer**. Check Point demonstrated “**AI as a proxy**,” where web-enabled assistants (e.g., *Grok*, *Microsoft Copilot*) can be coerced into acting as covert **C2 relays**, blending attacker traffic into commonly allowed enterprise destinations, and outlined a trajectory toward prompt-driven, adaptive malware behavior. OpenClaw featured in two distinct security developments: an OpenClaw advisory described a **log-poisoning / indirect prompt-injection** weakness (unsanitized WebSocket headers written to logs that may later be ingested as trusted context), while Hudson Rock reported an infostealer incident that exfiltrated sensitive **OpenClaw configuration artifacts** (e.g., `openclaw.json` tokens, `device.json` keys, and “memory/soul” files), signaling that infostealer operators are beginning to harvest AI-agent identities and automation secrets in addition to browser credentials.
Mar 21, 2026