Fetching from the wire…
Public story · 2026-07-13 · high
Tenet found just 15% of agents resisted the hijack, all by asking for confirmation before running an unfamiliar command.
Why now: CSA's move from a single Sentry bug to a systemic MCP warning is what's pushing this into wider security conversation now.
Agentjacking generalizes beyond Sentry's MCP integration to any MCP server relaying attacker-shaped text, per a Cloud Security Alliance note dated June 12.
That means the vulnerability isn't confined to one vendor's setup. It covers error trackers, issue trackers, PR comment threads, and browser DOM content, any pipe that carries outside text into an agent's context. Tenet tested agents connected through these servers and found only 15% resisted a hijack attempt.
Every agent that survived did the same thing. It stopped and asked for confirmation before running an unfamiliar npx command sourced from a tool's output rather than the user. The other 85% treated that tool-sourced text as a trusted instruction and ran whatever resolution steps the injected content suggested.
CSA's guidance is blunt. Treat every MCP tool output as untrusted input, the same scrutiny you'd give an unsolicited message from a stranger. Never auto-execute resolution steps sourced from outside data, the note says.
This is an MCP architecture problem, not a Sentry bug, and the only defense that worked was making agents pause before they act. Teams letting agents auto-run whatever a connected tool tells them are betting against odds CSA put a number on: 85% failure.
CSA's move from a single Sentry bug to a systemic MCP warning is what's pushing this into wider security conversation now.
Each link below shares sources, entities, or timing with this story.
Claude Code uses MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Claude Code uses MCP); both cover Agentjacking, MCP, Sentry; overlapping topics (agent, agentjacking, command, data).
Linked by a graph relationship (Claude Code uses MCP); both cover MCP, Never; overlapping topics (agent, comment).
Anthropic released MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Anthropic released MCP); both cover MCP, Never; overlapping topics (agent, tool).
OpenAI supports MCP / Shared entity: MCP / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (OpenAI supports MCP); both cover MCP; overlapping topics (agent, browser, tool).
Claude Code uses MCP / Shared entity: Never / Shared topic / Earlier coverage
Linked by a graph relationship (Claude Code uses MCP); both cover Never; overlapping topics (agent, asked, attacker, command).
Claude Code uses MCP / Shared entity: MCP / Shared topic / Earlier coverage
Linked by a graph relationship (Claude Code uses MCP); both cover MCP; overlapping topics (agent, browser, data, tool).
Claude Code uses MCP / Shared entity: MCP / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Claude Code uses MCP); both cover MCP; overlapping topics (agent, data).
Linked by a graph relationship (Claude Code uses MCP); both cover MCP; overlapping topics (agent, browser).