As AI coding agents become more prevalent, a new “Agentjacking” attack exploiting Sentry’s MCP server has been discovered. Attackers can inject fake error events using only a public DSN, tricking the agent into executing malicious code. CSA Labs research shows an 85% success rate, impacting over 2,388 organizations.
📑Table of Contents
Overview and Background of Agentjacking Attacks
The adoption of MCP (Model Context Protocol) for AI agents to integrate with external services has exposed new attack surfaces. Tenet Security’s investigation revealed that Sentry’s MCP server allows fake error injection via public DSNs. Attackers require no special privileges—just an HTTP POST—to send fake errors to Sentry, which agents then trust and execute malicious commands from. In my experience operating agents, I have often questioned the provenance of MCP-sourced errors before acting on them.
Attack Success Rate and Impact Scope
According to the official CSA Labs report, all tested agents achieved an 85% exploitation success rate. 71 injectable DSNs were found among Tranco’s top 1M sites, putting at least 2,388 organizations at risk. The attack completely bypasses EDR, WAF, and IAM because it runs under the developer’s own authenticated session. Agentjacking exemplifies data-source injection attacks enabled by the new MCP integration model.
Detailed 6-Stage Attack Chain
The attack proceeds in six stages: 1. Discovery of public Sentry DSN (from JS bundles, GitHub repos, Censys scans). 2. Injection of crafted error events via HTTP POST (write-only DSN suffices). 3. Embedding Markdown payload mimicking Sentry diagnostic templates. 4. Agent retrieves the error via MCP with no provenance verification. 5. Agent executes attacker-specified malicious commands (e.g., npx @attacker/package). 6. Exfiltration of secrets such as AWS, GCP, GitHub tokens. In practice, I have seen cases where MCP-provided error context nearly triggered unintended commands.
Why Existing Security Controls Fail (Comparison Table)
| Control | Typical Malware | Agentjacking Attack | Bypass Reason |
|---|---|---|---|
| EDR | Process monitoring & anomaly detection | Legitimate developer-privileged command execution | Recognized as trusted process |
| WAF/IAM | Block unauthorized access | Authenticated developer identity | Inside authenticated session |
| VPN/Network | Restrict external traffic | Agent runs locally | Independent of cloud metadata |
| Code Review | Manual inspection | Immediate automated execution | No human intervention |
Source: CSA Labs Tenet Security research (June 2026)
Actionable Mitigations
Disable Sentry MCP integration or mandate human approval for any MCP-sourced actions. Run agents inside container sandboxes that block cloud metadata endpoints. Rotate DSNs regularly and introduce server-side relays. Maintain an inventory of all MCP data sources and pin versions. Force confirmation prompts for any install commands. In my team’s real deployment, we measured the operational overhead before and after introducing these controls.
FAQ on Agentjacking Attacks
Summary and Recommended Next Steps
Agentjacking demonstrates the data-source injection threat introduced by MCP integrations. Developers using AI agents daily should immediately review their Sentry DSN exposure and implement approval workflows for MCP commands. See the official CSA Labs report for full details. Related reading: “What are AI Agents? Capabilities and Recommended Basic Tools”.
Related articles: Databricks、AI Agent向けメタハーネス「Omnigent」をオープンソース公開 — Claude Code / Codex横断でmulti-agent制御、DynatraceがAI Coding Agent監視を拡張:Claude Code・Gemini CLI・Codex CLIをOpenTelemetryで可視化。
Author
krona23
Over 20 years in the IT industry, serving as Division Head and CTO at multiple companies running large-scale web services in Japan. Experienced across Windows, iOS, Android, and web development. Currently focused on AI-native transformation. At DevGENT, sharing practical guides on AI code editors, automation tools, and LLMs in three languages.
Leave a Reply