Canadian Cyber Security Journal
Filed under: Featured, TechTalk

Agentjacking: How Attackers Are Hijacking AI Coding Agents Through Sentry DSNs

What Happened

Tenet Security disclosed a new attack class called “Agentjacking” on June 15, 2026, targeting AI coding agents that connect to the Model Context Protocol (MCP). The attack exploits a structural weakness in how Sentry, a widely used error-monitoring platform, handles event ingestion.

Every Sentry project exposes a Data Source Name (DSN) — a credential that grants only write access to the project’s error queue. DSNs are routinely embedded in client-side code, configuration files, and public repositories, making them trivially discoverable by automated scanners. An attacker who finds a DSN does not need any other credentials. By sending a specially crafted error event to Sentry’s public ingestion endpoint, the attacker causes the Sentry MCP server to deliver attacker-controlled instructions directly to the connected AI coding agent.

Tenet tested the technique against Claude Code, Cursor, and OpenAI Codex. The attack succeeded in 85% of trials. When the agent runs with elevated or default system privileges — which is standard in most local development setups — the injected commands execute with full access to the developer’s environment, source code, credentials, and network. Tenet identified at least 2,388 organizations whose Sentry DSNs are publicly accessible and injectable today. Sentry acknowledged the report and described the issue as “technically not defensible” within its current architecture.

Why This Matters for Canadian Organizations

Canadian development teams have adopted AI coding agents faster than most compliance frameworks anticipated. Claude Code and Cursor are in active use at software firms, financial institutions, and government contractors across the country. Any team using the Sentry MCP integration — or any MCP server connected to a publicly writable data source — is exposed to this class of attack.

The implications extend beyond individual workstations. An AI coding agent operating in a CI/CD pipeline with access to cloud credentials, internal APIs, or production secrets becomes a high-value pivot point once compromised. Under OSFI Guideline B-13, federally regulated financial institutions are required to identify and manage technology and cyber risks within their software supply chains. Agentjacking represents a new entry point in that chain — one targeting the agent layer rather than the source code itself. Under PIPEDA and the forthcoming amendments in Canada’s proposed AI legislation, organizations processing personal data through AI-assisted tooling carry accountability for how those tools are compromised and what data they access.

For teams in regulated sectors, the risk of an AI agent silently exfiltrating credentials or committing malicious code on behalf of an attacker — without triggering a traditional endpoint alert — creates a detection gap existing security controls were not designed to address.

What to Do

Security teams should audit all MCP server integrations in developer environments and identify which servers connect to publicly writable data sources. Sentry DSNs embedded in public repositories or client-side bundles should be rotated immediately and treated as compromised. Teams using Claude Code, Cursor, or similar agents should review agent permission scopes and apply the principle of least privilege — agents should not run with credentials that allow production access or code commits without human review. Where possible, restrict MCP server connections to internal networks and require explicit human approval for agent-initiated write operations.
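The DSN audit recommended above starts with finding every DSN checked into repositories and client bundles. The following scanner is an added example, not code from the article, Tenet, or Sentry; it matches the documented DSN shape (scheme, 32-hex public key, optional legacy secret, host, project id) and groups findings by project so each key can be rotated once. The file contents are constructed sample data.

```python
import re
from dataclasses import dataclass

# Sentry DSN shape: <scheme>://<public_key>[:<secret>]@<host>[:port]/[path/]<project_id>
# Public and secret keys are 32 hex characters; the legacy secret form is still
# found in old snippets, so it is matched and flagged separately.
DSN_RE = re.compile(
    r"\b(https?)://([0-9a-f]{32})(?::([0-9a-f]{32}))?@"
    r"([A-Za-z0-9.-]+(?::\d+)?)((?:/[A-Za-z0-9_.-]+)*)/(\d+)\b"
)


@dataclass(frozen=True)
class DsnFinding:
    path: str
    line: int
    public_key: str
    host: str
    project_id: str
    legacy_secret: bool  # True when the DSN also embeds a secret key


def find_dsns(path: str, text: str) -> list[DsnFinding]:
    """Return every DSN found in one file's text, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in DSN_RE.finditer(line):
            findings.append(DsnFinding(path, lineno, m.group(2), m.group(4),
                                       m.group(6), m.group(3) is not None))
    return findings


def rotation_inventory(files: dict[str, str]) -> dict[str, set[str]]:
    """Map each exposed project id to the files that leak its DSN."""
    inventory: dict[str, set[str]] = {}
    for path, text in files.items():
        for f in find_dsns(path, text):
            inventory.setdefault(f.project_id, set()).add(f.path)
    return inventory


# Constructed sample tree: a shipped JS bundle, a committed .env, and a clean README.
SAMPLE_FILES = {
    "dist/bundle.js": 'Sentry.init({ dsn: "https://a1b2c3d4e5f60718293a4b5c6d7e8f90'
                      '@o123456.ingest.sentry.io/4501234" });',
    ".env": "SENTRY_DSN=https://a1b2c3d4e5f60718293a4b5c6d7e8f90:"
            "ffeeddccbbaa99887766554433221100@sentry.internal.example/12\n",
    "README.md": "Error reporting is configured via SENTRY_DSN.\n",
}

if __name__ == "__main__":
    for project, paths in rotation_inventory(SAMPLE_FILES).items():
        print(f"rotate DSN for project {project}: leaked in {sorted(paths)}")
```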

Source: The Hacker News
