← The Wire

Top 5 · 2026-06-14 · source-backed

Agentjacking: a write-only Sentry key turns your error tracker into a remote shell

Confidence
source-backed
Sources
1
Redaction
redacted

Story

A public DSN. That's all the attacker needs. Not your credentials, not a compromised dependency, not a phishing link. The same write-only Sentry key that's sitting in your frontend bundle right now, by design, so the browser can report errors.

Tenet Security and the Cloud Security Alliance disclosed "Agentjacking" this week: malicious instructions injected into Sentry error events, which MCP-connected coding agents then dutifully retrieve and execute with your own system privileges (The Hacker News). Your agent pulls a stack trace to help you debug. The "stack trace" tells it to run a command. It runs the command. Controlled tests hit roughly 85% success across more than 100 organizations. And here's the part that should make you sit up: the chain bypasses EDR, WAF, IAM, and firewalls, because every single step is technically authorized. The agent has the permissions. The DSN is supposed to accept writes. Nothing is "exploited" in the classic sense. It's all legitimate activity, composed into something that copies your secrets out.

Sentry's response was the tell. They declined a root-cause fix and called the attack class "not defensible" at the platform level. I actually respect the honesty. They're right that you can't validate at the platform what's malicious in arbitrary user-supplied error text. But it means the defense is yours.

The principle generalizes way past Sentry, and that's why this is a top story rather than a one-vendor CVE. Any data your agent ingests from an external system is untrusted input that might be code. Error events. Web pages (see FORGE in Security, where one polluted page flips product recommendations up to 27%). Config files (see the CLAUDE.md worms, same section). This is Simon Willison's Lethal Trifecta playing out in production: an agent with access to private data, exposure to untrusted content, and the ability to act. Agentjacking is what happens when all three line up through your observability stack, the one place you'd never think to sandbox.

What to do: stop treating ingested error events as trusted. If you've wired an error-tracking MCP server into Claude Code, Cursor, or Codex, that retrieval path needs the same scrutiny as any user input boundary. Strip or sandbox tool outputs before they hit the model's action loop. And reconsider whether your debugging agent needs write-capable tools in the same context where it reads third-party data. The convenience of "the agent fixes the bug from the error report" is exactly the gadget being weaponized.


Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / What happened next

    Epic put an MCP server inside the Unreal Editor, and now Claude can drive a game engine

    Both cover Claude, Claude Code, Codex, Cursor; overlapping topics (agent, claude, code); picks up the Claude thread on 2026-06-19.

  2. Shared entities / Shared topic / Earlier coverage

    Awesome Design MD Hits 71K Stars: Your Brand System as Agent Context

    Both cover Claude, Claude Code, Codex, Cursor; overlapping topics (agent, claude, code); earlier Claude coverage from 2026-05-16.

  3. Figma Opens the Canvas to Agents: MCP Server Lets Claude Code and Cursor Create and Edit Designs Directly

    Both cover CLAUDE, Claude Code, Codex, Cursor; overlapping topics (agent, claude, code); earlier CLAUDE coverage from 2026-03-25.

  4. Shared entities / Shared topic / Earlier coverage / Tension

    The Claude Code Field Guide Hit 53,400 Stars. Here's Why That Matters.

    Both cover Claude, Claude Code, Codex, MCP; overlapping topics (agent, claude, code, command); earlier Claude coverage from 2026-05-17.

  5. Cursor 3 Ditches VS Code for Agent Orchestration. Claude Code Holds 54% Market Share at $1.2B ARR.

    Both cover CLAUDE, Claude Code, Codex, Cursor; overlapping topics (agent, claude, code, platform); earlier CLAUDE coverage from 2026-04-16.

  6. Shared entities / Shared topic / What happened next

    Agentjacking: treat every MCP tool response as untrusted user input.

    Both cover Agentjacking, Cloud Security Alliance, MCP, Sentry; overlapping topics (agent, agentjacking, error, input); picks up the Agentjacking thread on 2026-06-24.

  7. Shared entities / Shared topic / Earlier coverage / Tension

    Datadog MCP Server Hits GA

    Both cover Claude Code, Codex, Cursor, MCP; overlapping topics (agent, claude, code); earlier Claude Code coverage from 2026-03-10.

  8. Shared entities / Shared topic / Earlier coverage

    One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents

    Both cover Claude, Claude Code, Cursor, MCP; overlapping topics (agent, claude, code, same); earlier Claude coverage from 2026-06-07.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-14-agentjacking-a-write-only-sentry-key-turns-your-error-tracker-into-a-remote-shell
Labels
source-backed, canonical briefing excerpt