Agentjacking Attack Hijacks Claude Code, Cursor and Codex — Indian Dev Teams Must Check Today

Agentjacking attack hijacks AI coding agents like Claude Code, Cursor and Codex through fake Sentry bug reports

A new attack called Agentjacking can silently hijack AI coding agents like Claude Code, Cursor, and OpenAI’s Codex using nothing more than a single fake bug report — no malware, no stolen passwords, no breach required. Security researchers say it works on 85% of attempts and has already exposed nearly 2,400 organisations worldwide, and Indian developer teams using these tools daily are squarely in the blast radius.

The attack was disclosed by Tenet Security, a firm that specialises in AI agent security, and independently confirmed by The Hacker News and Infosecurity Magazine. Here’s exactly how it works, who’s exposed, and what you should check right now.

How the Agentjacking Attack Actually Works

The attack starts with something every developer trusts completely: Sentry, the popular error-tracking tool used across millions of web and mobile apps. Sentry uses a public credential called a DSN (Data Source Name) that sits openly in frontend JavaScript code by design — it’s meant to be public, so apps can report crashes back to Sentry.

That’s exactly what attackers abuse. Anyone who finds a site’s DSN — through a quick JavaScript inspection or a Censys search — can POST a fake error report directly to Sentry’s ingest API. The researchers, Ron Bobrov, Barak Sternberg, and Nevo Poran, found they could craft this fake error to contain a hidden instruction disguised as a normal “Resolution” note, written in carefully formatted markdown.

Here’s where it turns dangerous. When a developer connects their AI coding agent to Sentry through the Model Context Protocol (MCP) and asks it to “fix the unresolved Sentry issues,” the agent pulls that fake error and reads the attacker’s planted instruction as legitimate debugging guidance. The agent then runs the attacker’s command — with the developer’s own system privileges, on the developer’s own machine.

No phishing email. No malicious download. No login compromise. Just a fake bug report sitting in a tool every dev team already trusts.

Diagram showing how a fake Sentry error report tricks an AI coding agent into executing malicious code

The Numbers: 85% Success Rate, 2,388 Organisations Exposed

Tenet Security tested the attack against the three most widely used AI coding agents — Claude Code, Cursor, and OpenAI’s Codex — and reported an overall success rate of roughly 85%. Using passive reconnaissance methods like JavaScript inspection and code search, researchers identified 2,388 organisations with publicly exposed, injectable Sentry DSNs, ranging from a $250 billion enterprise down to solo developers — including, notably, a cloud-security vendor.

What makes Agentjacking unusually hard to catch is that every individual step looks completely normal to traditional security tools. Sentry is being used exactly as designed. DSNs are meant to be public. The AI agent is doing exactly what it’s supposed to do — reading error data and acting on it. There’s no obvious red flag for antivirus software, firewalls, or endpoint detection to catch.

Tenet disclosed the flaw to Sentry on June 3, 2026. Sentry’s response: it added a filter blocking one specific payload pattern, but called the underlying issue “technically not defensible” at the platform level — meaning the real fix has to happen on the AI agent side, not Sentry’s.

Why This Matters for Indian Dev Teams Right Now

This is where most global coverage of Agentjacking misses the point for India. Claude Code, Cursor, and Codex have become standard tools across Indian startups, GCCs, and IT services teams in 2026 — and Sentry is one of the most widely used error-tracking platforms in Indian engineering stacks, from early-stage startups to enterprise teams at TCS, Infosys, and Wipro-scale organisations.

If your team has ever pasted a Sentry DSN into a frontend repo (which is standard practice) and your AI coding agent has MCP access to Sentry, you fit Tenet’s exposure profile exactly. This is the same trust problem we covered when Claude gained computer-control capabilities on macOS — the more autonomy you hand an agent, the more a single bad input can cost you.. There is currently no universal patch. The mitigation has to happen on your side.

What to do today:

Action Required no patch yet
01
Treat Sentry output as untrusted input
Don’t let agents auto-execute “fixes” from error reports without a human checking first.
02
Add a manual review gate
Put a human checkpoint between Sentry alerts and any agent-initiated code execution — especially npm package installs.
03
Check if your DSN is publicly exposed
Search your live site’s JavaScript for your Sentry DSN, and rotate it if your threat model needs tighter control.
04
Watch your vendor for guardrail updates
Anthropic, Cursor, and OpenAI haven’t shipped a fix yet — watch their changelogs for MCP tool-response injection patches.
Source: Tenet Security disclosure, June 2026 — verified via The Hacker News, Infosecurity Magazine

Until agent vendors ship a structural fix, the only real defence is treating every tool response your AI agent reads — not just user prompts — as a potential attack surface.

FAQs

Is my AI coding agent automatically unsafe if I use Sentry?

No. The risk only exists if your AI agent has MCP access to Sentry and is allowed to act on its output without human review. Using Sentry itself is safe — the danger is letting an agent auto-execute “fixes” from error reports unchecked.

Has Anthropic, Cursor, or OpenAI released an official patch?

Not yet. Sentry added a partial filter for one known payload pattern but called the core issue “technically not defensible” on its end. A full fix needs to come from the AI agent vendors, and none have confirmed a patch timeline as of now.

How do I check if my organisation is exposed?

Search your live site’s frontend JavaScript for a Sentry DSN string. If it’s publicly visible (which is normal/by design) and your AI coding agent has MCP access to Sentry, you fit Tenet Security’s exposure profile and should add a manual review step before any agent-initiated code execution.

Developing Story

No confirmed patch timeline yet. aitechnews.in will update this piece as Anthropic, Cursor, and OpenAI respond.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top