You locked down your dependency pipeline. You audit your npm packages. Your CI/CD is hardened.

Your AI coding agent still executes whatever ends up in your error logs.
Researchers at Tenet Security disclosed a new attack class this week called Agentjacking. Here is how it works: your team uses an AI coding agent — Claude Code, Cursor, or Codex — connected to Sentry for error monitoring. The agent pulls Sentry error events via MCP to help with debugging. An attacker finds your Sentry DSN — a public, write-only credential that developers routinely commit to repos or embed in frontend JavaScript — and injects a malicious instruction into the error queue. The agent retrieves it, treats it as a legitimate application error, and executes the attacker’s command with the developer’s system privileges.
No phishing. No binary download. No C2 infrastructure to detect. Just a poisoned error log.
Tenet identified 2,388 organisations with publicly exposed, injectable Sentry DSNs — including 71 in the Tranco top-1 million. Sentry acknowledged the issue after disclosure but characterised the underlying class as “not technically defensible” at the ingestion layer. As of today, no AI coding agent vendor has shipped a model-layer fix.
Three things to check now: First, inventory all Sentry DSNs used by teams running AI coding agents — if any DSN is public, rotate it and restrict it to known IP ranges. Second, review what MCP tools your agents have connected and whether they can trigger shell commands. Third, treat your observability stack — Sentry, Datadog, similar — as part of your threat model, not just your monitoring stack.
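For the first check, a small inventory script run over your own checkouts can list every Sentry DSN that has been committed. This is an added example, not code from Tenet, Sentry or the original post; it assumes the usual DSN shape of scheme://PUBLIC_KEY[:SECRET]@HOST/PROJECT_ID with 32-hex-character keys, and the function names and skip list are illustrative.

```python
import os
import re
import sys

# Assumed DSN shape: scheme://PUBLIC_KEY[:SECRET]@HOST/PROJECT_ID (32-hex keys).
DSN_RE = re.compile(
    r"https?://(?P<key>[0-9a-f]{32})(?::(?P<secret>[0-9a-f]{32}))?"
    r"@(?P<host>[A-Za-z0-9.-]+(?::\d+)?)/(?P<project>\d+)"
)
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}  # illustrative


def find_dsns(text, source="<text>"):
    """Return one finding per DSN occurrence, with the key masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in DSN_RE.finditer(line):
            key = m.group("key")
            findings.append({
                "source": source,
                "line": lineno,
                "host": m.group("host"),
                "project": m.group("project"),
                "key": key[:4] + "..." + key[-4:],  # never print the full key
                "legacy_secret": m.group("secret") is not None,
            })
    return findings


def scan_tree(root):
    """Walk a checkout and collect DSN findings from every readable file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings += find_dsns(fh.read(), source=path)
            except OSError:
                continue  # unreadable file, skip it
    return findings


if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        note = " (legacy secret present)" if f["legacy_secret"] else ""
        print(f'{f["source"]}:{f["line"]} project={f["project"]} '
              f'host={f["host"]} key={f["key"]}{note}')
```

Each hit is a DSN to match against the projects your agents read from; built frontend bundles need the same scan, since skipping node_modules does not cover your own compiled output.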
The attack surface for AI coding tools has moved from the supply chain to the agent’s data inputs. Locking down dependencies is necessary. It is no longer sufficient.
Links for a deeper technical dive are in the comments.

