Agentjacking Hits Claude Code via Sentry: No Alerts for the Attack

[2026-06-30] Author: Meteora Web Redazione

A single fake error report hijacked Claude Code in controlled testing, executing attacker code with full developer privileges while no alerts fired. EDR, WAF, IAM, and firewall systems missed it entirely. This is the finding from Tenet Security's June disclosure of an attack dubbed "agentjacking." The vulnerability exploits Sentry's public credentials, designed for frontend error reporting, to inject malicious instructions into error data that AI agents like Claude Code, Cursor, and Codex execute as trusted diagnostic output.

Fake Sentry error compromised Claude Code in controlled tests

Tenet Security tested over 100 targets in controlled conditions, achieving an 85% success rate. Sentry called the flaw "technically not defensible." The Cloud Security Alliance classified agentjacking as a systemic MCP vulnerability within days. No credentials were stolen, no policy violated, no perimeter breached: every step was authorized. Tenet identified 2,388 organizations with publicly exposed Sentry credentials potentially usable for mass injection. One captured Claude Code environment held a live AWS secret access key and private repository URLs.


Why the attack is invisible to EDR, WAF, and firewalls

Agentjacking works because each step is authorized: the attacker sends a valid Sentry API call using a public DSN, the MCP server returns the injected event as authentic output, and the agent executes the instruction using developer privileges. No alert fires. The victim sees only benign diagnostics while the agent silently exposes cloud credentials and source control tokens. SOC teams have never needed to distinguish a developer running npm install from an agent running that command in response to a malicious error. That distinction did not exist until AI coding agents became production tools.
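The distinction described above, between a developer running a command and an agent running it after ingesting attacker-writable error data, can be sketched as a correlation rule. This is an added example, not code from Tenet Security or any vendor named here; the event schema, the agent process names and the 120-second window are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Assumed agent binary names; replace with the process names seen in your fleet.
AGENT_PROCESSES = {"claude", "cursor", "codex"}
# MCP sources whose content outsiders can write (e.g. through a public Sentry DSN).
EXTERNALLY_WRITABLE_SOURCES = {"sentry"}
WINDOW_SECONDS = 120  # assumed correlation window

@dataclass
class Event:              # hypothetical normalized telemetry record
    ts: int               # epoch seconds
    kind: str             # "mcp_result" or "exec"
    session: str          # agent session id (or terminal id for humans)
    detail: str           # MCP source name, or the command line
    ancestry: tuple = ()  # process ancestry for exec events, root first

def is_agent_initiated(ev):
    """True when any ancestor of the executed process is a known agent."""
    return any(p in AGENT_PROCESSES for p in ev.ancestry)

def flag_suspect_execs(events, window=WINDOW_SECONDS):
    """Flag agent-spawned commands that follow an externally writable MCP result."""
    last_untrusted = {}   # session -> ts of last attacker-writable tool result
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mcp_result" and ev.detail in EXTERNALLY_WRITABLE_SOURCES:
            last_untrusted[ev.session] = ev.ts
        elif ev.kind == "exec" and is_agent_initiated(ev):
            seen = last_untrusted.get(ev.session)
            if seen is not None and ev.ts - seen <= window:
                findings.append((ev.ts, ev.session, ev.detail, ev.ts - seen))
    return findings

# Constructed sample: the same "npm install" run by a human and by an agent.
SAMPLE = [
    Event(1000, "exec", "tty1", "npm install", ("zsh", "npm")),
    Event(1010, "mcp_result", "s1", "sentry"),
    Event(1040, "exec", "s1", "npm install", ("zsh", "claude", "sh", "npm")),
    Event(1050, "mcp_result", "s2", "filesystem"),
    Event(1060, "exec", "s2", "git status", ("zsh", "claude", "git")),
    Event(2000, "exec", "s1", "npm test", ("zsh", "claude", "sh", "npm")),
]

if __name__ == "__main__":
    for ts, session, cmd, delay in flag_suspect_execs(SAMPLE):
        print(f"{ts} session={session} cmd={cmd!r} {delay}s after untrusted MCP result")
```

In practice the two event kinds come from different places (endpoint process telemetry and MCP server or agent logs), so the join key between them is the part that needs engineering.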

The runtime security gap: insights from CrowdStrike and other experts

Elia Zaitsev, CTO of CrowdStrike, told VentureBeat: "Securing agents looks very similar to securing highly privileged users. They have identities, access to underlying systems, they reason, they take action." Zaitsev highlighted the gap: "No one has been talking about securing agents at runtime. What is your safety net? If all these controls fail, how do you prevent them from failing silently?" CrowdStrike launched Continuous Identity for AI Agents, authorizing every agent action in real time. Kayne McGladrey, IEEE Senior Member, described the structural challenge: "The CISO doesn't have the budget or staff. We can observe risks, but we don't own the business systems." Assaf Keren, CSO of Qualtrics, added: "The real risk starts not with AI implementation but with poorly architected baselines."


The five-question gap test for enterprise vulnerabilities

Five independent surveys show enterprises trust AI agents far more than justified. Only 34% apply the same security controls to AI agents as to humans, per an Okta/Apprize360 survey. 52% of employees use unapproved AI tools. 33% of IT leaders report agents already exceeded scope. A five-question gap test helps assess weaknesses: agent inventory, controls parity, scope drift, governance perception gap, and breach detection certainty. For instance, only 14.4% of agents go live with full security approval. Organizations must commission a full agent and MCP connection census, mandate access reviews for every production agent, and require agent-specific runtime detection as a procurement prerequisite.


Agentjacking has stripped away an assumption that survived every security architecture since the first firewall, namely that authorized means safe. It does not: every legitimate step in the chain can be exploited. The defense that matters is the one watching what agents do, not what policies say. For more on securing digital identities, read our article on JWT Authentication in Node.js. For context on legal protections for digital data, see the Supreme Court ruling on location history. For the original source, refer to the VentureBeat article.

Source: https://venturebeat.com/security/the-attack-that-hijacked-claude-code-came-through-sentry-datadog-pagerduty-and-jira-have-the-same-exposure
