Blog Phát hành Sự cố Tài liệu Tải xuống Trạng thái Looking Glass Liên hệ kinh doanh
Mạng lưới Khả năng phục hồi Khôi phục Bảo mật Két an toàn bất biến Nhật ký kiểm toán chống giả mạo Bảng giá
Nhà phát triển
Tổng quan dành cho nhà phát triểnCLI, SDK, webhook Cơ sở hạ tầngDocker, K8s, Terraform, CI/CD. Tác nhân AIClaude Code, Codex, Cursor, Hermes, OpenClaw. Công cụ MSPDatto, NinjaOne, ConnectWise, N-able. Tiện ích mở rộng trình duyệtTự động điền, đăng nhập bằng thiết bị, trình tạo Ứng dụng di độngThuần iOS và Android Claude CodeMã thông báo theo phạm vi CodexTích hợp OpenAI CursorChế độ tác nhân Hermes AgentTác nhân Hermes của Nous Research OpenClawBộ phân giải tác nhân NhậpTừ bất kỳ trình quản lý mật khẩu nào
Tài nguyên
Blog Phát hành Sự cố Tài liệu Tải xuống Trạng thái Looking Glass Liên hệ kinh doanh
Giải pháp
Người tiêu dùng SMB Enterprise MSP
Ngôn ngữ
🇺🇸 English 🇮🇩 Bahasa Indonesia 🇩🇰 Dansk 🇩🇪 Deutsch 🇪🇸 Español 🇫🇷 Français 🇮🇹 Italiano 🇳🇱 Nederlands 🇳🇴 Norsk 🇵🇱 Polski 🇧🇷 Português 🇫🇮 Suomi 🇸🇪 Svenska 🇻🇳 Tiếng Việt 🇹🇷 Türkçe 🇷🇺 Русский 🇺🇦 Українська 🇮🇳 हिन्दी 🇹🇭 ไทย 🇨🇳 中文 🇯🇵 日本語 🇰🇷 한국어
Đăng nhập Miễn phí mãi mãi Bắt đầu
Security Blog

You told your agent to fix the errors. One of them was written by an attacker.

#21

June 24, 2026 · By Marketing team

← All posts

Also in: 🇺🇸 English

A fake Sentry error report tricks AI coding agents into running an attacker's code at the developer's full privilege, 85% of the time. The injection is not the catastrophe; the standing credentials a hijacked agent can reach are.

A developer opens their AI coding agent and types the most ordinary request in the world: "take a look at the unresolved Sentry errors and fix them." The agent pulls the error list through its Sentry connector, reads the top issue, follows the remediation steps written right there in the report, and runs them. Half a minute later it has executed an attacker's code on the developer's machine, with the developer's full privileges, and nobody did anything wrong.

That is Agentjacking, disclosed this month by Tenet Security, and it worked 85% of the time against the three most popular coding agents on the market: Claude Code, Cursor, and Codex [1][2].

What actually happened

First, what Sentry is: one of the most widely used error-monitoring services in software. When your app throws an error or crashes, Sentry captures it and files the report your developers triage — it sits inside a huge share of the apps you touch every day. To send it those reports, every app embeds a DSN: a client-side key that ships in your website's source on purpose, so the browser can phone errors home. Anyone can read it. And anyone holding it can POST an error event into your Sentry project.

That is the whole key to the attack. Tenet crafted a fake error event whose message field was formatted to look exactly like Sentry's own remediation guidance: tidy markdown, a "recommended fix," a command to run. They submitted it with the public DSN. Then they waited for the most natural thing a developer does — ask the agent to clear the error queue.

The agent queries Sentry through its MCP connector. The connector hands the error back as trusted system output. The agent cannot tell a real Sentry report from a forged one; they are byte-for-byte the same shape. So it does as it was told and runs the "fix," commonly an npx call to an attacker's package. From there it has everything the developer has: environment variables, Git credentials, private repository URLs, the cloud keys in ~/.aws/.

Tenet found 2,388 organizations with injectable DSNs, from independent developers up to the Fortune 100. In its controlled tests, agents actually executed the injected instructions at real companies — including, Tenet says, a $250-billion Fortune 100 tech firm whose AI agent read the fake bug report and ran Tenet's code on two of its corporate machines [1][3]. Disclosed to Sentry on June 3, the company acknowledged it the same day and declined to fix it at the root, calling the problem "technically not defensible." It shipped a content filter that blocks one specific payload string [4].

This is not Sentry being careless

Here is the uncomfortable part: nothing in that chain was a bug. The DSN is supposed to be public. The MCP server is supposed to return your error data. The agent is supposed to act on the diagnostics you asked it to fix. Every step was authorized, which is exactly why no firewall, no EDR, no system prompt caught it.

The flaw is structural, and it is not Sentry's alone. Any tool that feeds an agent text an outsider can influence — an error tracker, an issue queue, a scraped web page, a shared document — is an injection channel, and the agent treats all of it as one undifferentiated stream of instructions. Prompt injection, two years into the agent era, is still unsolved: you cannot reliably keep hostile text out of a model's reasoning. Assume you will not.

The injection isn't the catastrophe

Here is the part worth sitting with. The reason Agentjacking is a five-alarm fire is not that the agent got tricked. It is what the tricked agent could reach. It ran with the developer's full standing access: every key in the environment, every credential file on disk, the whole keyring sitting one command away.

That blast radius is not a law of nature. It is a configuration. The agent had standing access to all of it because that is how credentials are stored today — ambient, on the box, readable by whatever runs there. Strip that, and the same hijack runs into a wall.

Built for this, on purpose

A Clavitor credential never sits in the environment where the agent runs. There is no ~/.aws/credentials to read, no API key in an env var to exfiltrate, because the secret value never lands where the code executes — the agent gets the result of using a credential, not the credential itself. It can reach only the one thing it was named for, so it cannot enumerate the store to find what else is there. And the grant is scoped and revocable, so a session that starts behaving like an attacker can be cut mid-action.

Here is the honest edge: this does not stop the injection, and it does not stop a hijacked agent from running a command. Prompt injection is unsolved and we are not claiming to solve it. What changes is the payoff. The attacker's code still runs — and finds an environment with nothing standing in it worth stealing. The hijack succeeds and the heist fails.

We wrote down the rules a credential system has to keep once the agent itself can be turned against you, starting with the secret never living where the code runs, and an agent only ever reaching what it was named. Run yours down them: clavitor.ai/rules.

The lesson isn't "patch Sentry"

Sentry cannot fix this, and said so. And the next poisoned tool will not be Sentry. As long as your agents carry ambient, standing credentials, every trusted tool they read is a loaded gun, and prompt injection is the trigger you cannot lock.

You are not going to keep the malicious text out. So stop keeping the credentials within reach of the agent that reads it.

Clavitor (@clavitorai) is the credential vault built for AI agents, and against them. clavitor.ai

Sources

[1] Tenet Security — "Agentjacking: hijacking coding agents with fake Sentry errors" (85% success; 2,388 orgs; mechanism): https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/

[2] The Hacker News — "Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code": https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html

[3] The New Stack — "A public Sentry key is all it takes to hijack Claude Code, Cursor, and Codex": https://thenewstack.io/agentjacking-sentry-mcp-attack/

[4] Infosecurity Magazine — "New 'Agentjacking' Attacks Could Hijack AI Coding Agents" (Sentry's response): https://www.infosecurity-magazine.com/news/agentjacking-attacks-hijack-ai/