Agentjacking: How Fake Sentry Errors Turn MCP Telemetry into Agent Code Execution
Tenet Threat Labs showed that attacker-injected Sentry events can hijack AI coding agents through the Sentry MCP server. A public Sentry DSN lets an attacker submit a crafted error, the MCP integration returns it as diagnostic context, and Claude Code, Cursor, or Codex may execute a suggested npm command with developer or CI privileges. The control lesson: telemetry is data, not authority; MCP outputs, agent clients, tool gates, sandboxes, and egress policy all need runtime enforcement.
Threat Analysis
- The attacker writes to telemetry, not to the developer. Tenet describes an attack that starts with a public Sentry DSN. Anyone who has it can submit events, control event fields, and format a fake Sentry-looking resolution with a suggested
npxcommand. - The agent crosses from issue triage into code execution. When a developer asks an AI coding agent to investigate Sentry issues, the Sentry MCP server returns the crafted event. The agent may treat the fake resolution as trusted guidance and run the package.
- The package runs with the agent environment's authority. Tenet reported validation across Claude Code, Cursor, Codex, local machines, WSL, cloud containers, and CI. The package probed environment variables, AWS config, npm config, Docker config, Git credentials, network interfaces, and other sensitive material.
- The risk is architectural. Writable telemetry becomes trusted model context through MCP, then crosses into tool execution. Tenet reported that prompt-layer instructions did not reliably stop execution, so durable controls need to live at the MCP output boundary, client boundary, tool dispatcher, sandbox, egress layer, and credential lifecycle.
Applicable AIDEFEND Defenses (9)
npx step never reaches a shell on its own. It sits one layer earlier than the sandbox and egress controls, which contain execution after dispatch.npx or installing a package is a high-impact code-execution step. A separate validator should require evidence that the command comes from trusted project policy or human approval, bind approval to the exact command, package, and target, and fail closed otherwise..aws, .npmrc, Docker config, or SSH state.What Defenders Should Do Now
- Inventory every AI coding agent that can query Sentry or other observability systems through MCP. Record the agent product, MCP server, Sentry project, DSN exposure path, credentials available to the agent, shell access, package-install access, and network egress policy.
- Treat Sentry events as untrusted external data. Event messages, tags, breadcrumbs, context keys, user fields, and stack traces should enter the model as data-only fields with provenance, not as diagnostic instructions the agent can obey.
- Disable Sentry MCP access where it is not needed. Where it is needed, prefer read-only investigation workflows and require explicit human approval before any MCP-derived text can cause shell execution, package installation, browser navigation, file writes, or outbound network calls.
- Make package execution a high-risk action. Before an agent runs
npx,npm install, curl, shell, or generated scripts, show the exact command, package namespace, source event, repository context, and expected artifact, then bind approval to that exact plan. - Run diagnostic commands in fresh sandboxes with default-deny egress and no host secrets mounted by default. Do not expose AWS profiles, GitHub tokens, npm tokens, Docker config, SSH agents, production
.envfiles, or cloud metadata endpoints to routine agent triage. - If an agent may have executed an MCP-derived command, collect the agent transcript, shell history, package metadata, network logs, and beacon destinations. Rotate reachable Sentry auth tokens, GitHub tokens, cloud keys, npm tokens, SSH material, and any other secrets that were present in the execution environment.
Conclusion
Agentjacking turns observability data into an agent runtime trust-boundary problem. A Sentry event can help diagnosis, but it is not authority to install packages or run commands. Durable defense preserves that separation through MCP output labeling, client-side no-implicit-execution, tool authorization, sandboxing, egress control, and credential response. Some fixes belong to agent-client or MCP-server vendors; consuming teams should choose products that enforce those boundaries, proxy or self-host where they need provenance control, and apply the approval, sandbox, and egress controls they own.