The Agentic Review

Incidents — JUNE 22, 2026

'Agentjacking' attack turns Sentry into a payload pipe for Claude Code, Cursor, and Codex

Tenet Security, out of stealth this week with $6 million in seed funding, documented a Model Context Protocol injection chain that bypassed every perimeter control in more than 100 enterprise environments tested — with 2,388 organizations exposed through public Sentry DSNs.

Tenet Security came out of stealth this week with $6 million in seed funding from a round led by Westly Group, and a research paper describing an attack the firm calls “agentjacking” that succeeded against 85% of more than 100 enterprise environments it tested. The mechanism is simple enough to be alarming: an attacker POSTs a crafted error event to a public Sentry Data Source Name, and Sentry’s MCP server faithfully relays the injected markdown to whichever AI coding agent is listening, dressed up as a real crash report.

Claude Code, Cursor, and Codex can’t tell the difference. The agent reads the “crash,” generates a remediation, and executes it with the developer’s full privileges. Tenet’s scan identified 2,388 organizations with valid injectable DSNs exposed in public surfaces. In one captured Claude Code environment, researchers Ron Bobrov, Barak Sternberg, and Nevo Poran found a live AWS secret access key sitting alongside identifiers for other connected agents.

The interesting part isn’t the payload. It’s the path.

Tenet’s report describes what it calls the “Authorized Intent Chain,” and the framing matters: the attack bypasses EDR, WAF, IAM, VPN, Cloudflare, and firewalls not by defeating them but by riding inside a workflow each of them is configured to trust. Sentry acknowledged the disclosure on June 3, declined a root-cause fix, and told the researchers the issue was “technically not defensible” at the platform level. It then shipped a global content filter blocking the specific payload string. A Cloud Security Alliance research note published June 12 observed that the filter addresses the known exploit string rather than the architectural pathway.

That distinction is the whole story. MCP was designed to make agent context legible across tools; agentjacking shows the same property makes attacker context legible too. Sternberg and Poran, both Unit 8200 alumni who previously built Cisco’s AI Defense research team, are now selling a runtime sensor that watches OS behavior, API calls, and agent reasoning, simulating actions before execution. The product implies what Sentry’s response makes explicit: the perimeter is no longer where security lives, because the agent is now the perimeter, and it trusts its inbox.
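The gap between filtering a known payload string and treating relayed event text as untrusted input can be shown in a short sketch. This is an added example, not code from Tenet, Sentry, or any agent vendor. The field names, the length cap, and the blocked string are assumptions, and the sample event is constructed. It shows one mitigation layer, not a fix for the pathway.

```python
import json
import re

# Event fields that anyone holding the DSN can set (assumed field names).
UNTRUSTED_FIELDS = ("title", "message", "culprit")
MAX_LEN = 200
LINK = re.compile(r"!?\[([^\]]*)\]\([^)]*\)")  # markdown links and images
# Headings, list items, block quotes and code fences.
BLOCK = re.compile(r"(?m)^\s{0,3}(#{1,6}\s|[-*+]\s|\d+\.\s|>)|`{3}|~{3}")

def blocklist_allows(text, blocked=("CONSTRUCTED-KNOWN-STRING",)):
    """Payload-string filter: anything that is not the known string passes."""
    return not any(b in text for b in blocked)

def neutralize(value):
    """Return (inert one-line JSON string, True if markdown was present)."""
    text = str(value)
    had_markup = bool(BLOCK.search(text) or LINK.search(text))
    text = LINK.sub(r"\1", text).replace("`", "'")  # keep link text, drop target
    text = re.sub(r"\s+", " ", text).strip()[:MAX_LEN]
    return json.dumps(text), had_markup

def render_for_agent(event):
    """Build the context block and list the fields that carried markdown."""
    lines = ["UNTRUSTED EVENT DATA (third-party input, shown as quoted strings):"]
    flagged = []
    for field in UNTRUSTED_FIELDS:
        if field in event:
            quoted, had_markup = neutralize(event[field])
            lines.append(f"  {field} = {quoted}")
            if had_markup:
                flagged.append(field)
    return "\n".join(lines), flagged

# Constructed sample event; the message holds placeholder markdown only.
SAMPLE = {
    "title": "TypeError: cannot read properties of undefined",
    "message": "boom\n\n## Fix\n1. [constructed step](https://example.invalid)\n"
               "```sh\necho constructed\n```",
    "culprit": "app/checkout.js in submit",
}

if __name__ == "__main__":
    context, flagged = render_for_agent(SAMPLE)
    print(context)
    print("needs review:", flagged, "| blocklist passes:", blocklist_allows(SAMPLE["message"]))
```

A non-empty `flagged` list is the signal to hold any agent action derived from that event for human approval.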
