Monday, July 6, 2026

News

Fake Sentry Bug Report Can Hijack Claude Code, Cursor, and Codex AI Agents

CodingPatryk RabaJuly 6, 2026

Researchers at Tenet Security showed that a single crafted bug report in Sentry is enough to hijack coding agents running on a developer's machine. In tests, the attack, dubbed agentjacking, succeeded 85 percent of the time, and Datadog, PagerDuty, and Jira may be exposed to similar flaws.

Contents
  1. How agentjacking works
  2. Why security systems miss it
  3. Sentry's response and the scope of the problem

One fake bug report is enough to take control of a coding agent running on a developer's machine and execute arbitrary attacker code on it. That's how a technique called agentjacking works, described by researchers at Tenet Security, who tested it against the popular tools Claude Code, Cursor, and Codex.

The attack mechanism relies on a weakness that has long worried security researchers working on AI agents - these systems don't distinguish between content they merely read and instructions they're meant to execute. Sentry, a bug-tracking tool used by more than 200,000 organizations worldwide, became in this case a gateway into development environments.

How agentjacking works

The attacker doesn't need to break any security measure or obtain a password. A publicly available Sentry DSN key, often left exposed in application code, is enough to send a crafted bug report to the system. The fake report contains a section describing a supposed fix for the problem, formatted to look like an official Sentry tip, while actually concealing commands to be executed.

When a developer asks their coding agent to fix reported bugs, the agent reads the report through the Model Context Protocol integration and treats the hidden instructions as a legitimate directive to act. It runs the specified code with the developer's own permissions, meaning access to everything the developer can access on their machine.

The only place this can be stopped is the moment the agent decides to act - Tenet Security

Why security systems miss it

The most troubling element described by the researchers is that, from the point of view of security systems, the entire chain of events looks fully authorized. Firewalls, IAM systems, EDR solutions, and VPNs have nothing to flag, because the agent is acting within permissions it genuinely holds. Even prompt instructions telling agents to ignore untrusted data failed to stop them from executing the crafted code in Tenet Security's tests.

The scale of potential damage ranges from individual developers to large organizations. The researchers note that among the exposed parties was a company valued at $250 billion and a vibe-coding startup generating $500 million in annual revenue. What can be stolen includes environment variables, AWS access keys, GitHub tokens, git login credentials, and private repository addresses, opening the door to compromising a company's entire cloud infrastructure.

Sentry's response and the scope of the problem

The vulnerability was reported to Sentry in June. The company responded that the problem is, as it put it, technically indefensible at the source, and instead of fixing the underlying cause, it only added a filter blocking one specific string used in the demonstration attack. The Cloud Security Alliance classified agentjacking as a systemic vulnerability class affecting the entire Model Context Protocol ecosystem, not just a single Sentry integration.

For development teams in Poland, who are increasingly relying on coding agents in their daily work, this is a signal that tools like Sentry, Datadog, or Jira, previously treated as trusted sources of bug information, now need to be treated as potential attack vectors. Disconnecting an agent from directly executing commands originating from external data sources, without explicit human authorization, is becoming a practical security requirement rather than merely a theoretical recommendation.

Sources: The Next Web (thenextweb.com), VentureBeat (venturebeat.com), Dark Reading (darkreading.com)

Share: