The Attack Surface Nobody Mapped
On June 12, 2026, Tenet Security and the Cloud Security Alliance published research on a fundamentally new attack class: agentjacking. The attack exploits the Model Context Protocol (MCP) integration between Sentry — the ubiquitous error monitoring platform — and AI coding agents including Claude Code, Cursor, and Codex. An attacker injects malicious instructions into Sentry error events using only a publicly discoverable DSN (a write-only credential). When a developer's AI coding agent retrieves those events via MCP, the agent processes the injected instructions as legitimate error context and executes attacker-controlled code.
The attack requires no authentication, no repository access, and no network compromise. The DSN — Sentry's client-side data source name — is embedded in client-facing JavaScript on production websites. Any attacker who can find the DSN can create error events containing prompt injection payloads. Tenet Security estimates 2,388 organizations are currently exposed through publicly discoverable DSNs connected to MCP-enabled development environments.
How the Kill Chain Works
Step one: the attacker discovers a Sentry DSN from a target organization's public-facing website. DSNs are routinely embedded in client-side JavaScript for browser error tracking — they are designed to be public. Step two: the attacker sends crafted error events to Sentry using the DSN. These events contain prompt injection payloads disguised as stack traces, error messages, or exception metadata. Step three: a developer using Claude Code, Cursor, or Codex with MCP-connected Sentry retrieves the error events as debugging context. The AI agent cannot distinguish the injected payload from legitimate error data and follows the attacker's instructions.
The instructions can include: reading and exfiltrating source code, modifying files to introduce backdoors, accessing environment variables and secrets, or executing arbitrary shell commands within the developer's environment. The agent acts with the developer's full permissions — file system access, git operations, terminal execution. The attacker's code runs in a trusted context that no traditional security tool monitors.
Why MCP Changes the Threat Model
The Model Context Protocol was designed to give AI agents structured access to external data sources — databases, documentation, monitoring systems, issue trackers. The security assumption was that these data sources are trusted. Agentjacking breaks that assumption. Sentry is a trusted data source that processes untrusted input from the public internet. The MCP integration creates a direct pipeline from the public internet to the AI agent's execution context, bypassing every security boundary between them.
This is the same pattern that made CVE-2026-22708 (Claude Code GitHub Action prompt injection) possible: AI tools processing untrusted input in privileged contexts. But agentjacking is structurally worse. The GitHub Action vulnerability required the attacker to open an issue on a specific repository. Agentjacking requires only a DSN that is already public by design. The attack surface is not a misconfiguration — it is the intended architecture.
The Web Framework Connection
Every website that embeds a Sentry DSN in its client-side JavaScript is potentially contributing to an agentjacking attack surface. WordPress sites with Sentry integration plugins expose their DSN in page source. React and Next.js applications using @sentry/browser embed the DSN in the JavaScript bundle. The DSN is not a secret — Sentry's own documentation says it is safe to expose publicly. But 'safe to expose' assumed the DSN could only be used to send error events, not to inject instructions into AI agents.
Modern frameworks with server-side rendering and API-first architectures can configure Sentry server-side only, never exposing the DSN to the client. FastAPI applications using the Sentry SDK server-side keep the DSN in environment variables, never in browser-visible code. Astro's static output and Hugo's zero-JavaScript builds never expose monitoring credentials to the client. The framework's architecture determines whether its Sentry integration creates an agentjacking attack surface.
What Organizations Should Do Now
Audit every Sentry DSN exposed in client-facing code. If your MCP-connected AI coding tools have access to the same Sentry project that receives client-side errors, those tools are vulnerable. Separate client-side error monitoring from the Sentry projects connected to developer AI tools. Review MCP integrations in your development environment and apply least-privilege: AI agents should not have access to projects that process untrusted external input.
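One way to run that audit against your own build output, as an added example that is not code from Tenet Security, the Cloud Security Alliance or Sentry: it finds DSN-shaped strings in built client assets and reports every project that the agent's MCP credentials can also read. The function names, the sample bundles and the hand-maintained SAMPLE_MCP_READABLE set of (ingest host, project ID) pairs are assumptions made for illustration.

```python
import re
from pathlib import Path

# DSN shape: scheme://public_key[:legacy_secret]@host[/prefix]/project_id
# Assumption: keys are 32 hex characters, as issued by current Sentry versions.
DSN_RE = re.compile(
    r"https?://[0-9a-fA-F]{32}(?::[0-9a-fA-F]{32})?"
    r"@(?P<host>[A-Za-z0-9.-]+(?::\d+)?)(?:/[\w-]+)*/(?P<project>\d+)"
)
CLIENT_SUFFIXES = {".js", ".mjs", ".html", ".map"}

def scan_sources(sources):
    """Map (host, project_id) -> sorted names of sources embedding that DSN."""
    found = {}
    for name, text in sources.items():
        for m in DSN_RE.finditer(text):
            found.setdefault((m["host"].lower(), m["project"]), set()).add(name)
    return {key: sorted(names) for key, names in found.items()}

def scan_tree(root):
    """Scan a local build output directory (for example dist/) for DSNs."""
    files = (p for p in Path(root).rglob("*")
             if p.is_file() and p.suffix in CLIENT_SUFFIXES)
    return scan_sources({str(p): p.read_text(errors="ignore") for p in files})

def audit(client_dsns, mcp_readable):
    """Projects that accept public events AND are readable by the AI agent."""
    return {proj: files for proj, files in client_dsns.items()
            if proj in mcp_readable}

# Constructed sample input: two bundles, and the projects the MCP token can read.
SAMPLE_BUNDLES = {
    "dist/app.js": 'Sentry.init({dsn:"https://' + "a" * 32
                   + '@o0.ingest.sentry.io/101"});',
    "dist/admin.js": 'init({dsn:"https://' + "b" * 32
                     + '@sentry.example.internal/sentry/7"})',
}
SAMPLE_MCP_READABLE = {("o0.ingest.sentry.io", "101"),
                       ("o0.ingest.sentry.io", "202")}

if __name__ == "__main__":
    overlap = audit(scan_sources(SAMPLE_BUNDLES), SAMPLE_MCP_READABLE)
    for (host, project), files in overlap.items():
        print(f"project {project} on {host} takes public events and is "
              f"agent-readable; DSN found in {files}")
```

Pointing scan_tree at the real build directory in CI and failing the job when audit returns a non-empty result keeps a client-facing project from being reconnected to an agent later.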
Sentry's response — that the issue is 'technically not defensible' at the platform level — means the mitigation responsibility falls entirely on organizations using Sentry with MCP-connected AI tools. The tools building the web are now part of the web's attack surface. Every public DSN is a potential injection point. Every MCP integration is a potential execution path. The security perimeter now extends through the developer's AI agent to every external data source it can access.


