The attack that hijacked Claude Code came through Sentry. Datadog, PagerDuty, and Jira have the same exposure.

Agentjacking has emerged as a significant threat to AI coding agents, as highlighted in a recent disclosure by Tenet Security. The attack involves injecting malicious instructions into error data sent through publicly exposed Sentry credentials, which are used by AI coding agents like Claude Code, Cursor, and Codex. This allows attackers to execute code with the developer’s full privileges, bypassing traditional security measures like EDR, WAF, IAM, and firewalls.

The Cloud Security Alliance quickly classified agentjacking as a systemic MCP vulnerability, highlighting the widespread impact of this attack vector. Tenet’s research identified over 2,000 organizations with publicly exposed Sentry credentials, demonstrating the scale of the potential threat. The attack is particularly concerning because it does not involve stealing credentials or breaching perimeter defenses – every step is authorized, making it difficult to detect.

To address this vulnerability, organizations running Sentry should conduct immediate audits of publicly exposed DSNs. While revoking the DSN is not a viable solution due to Sentry’s architecture, restricting what actions agents can take with the data they receive is crucial for mitigating the risk. Additionally, organizations should ensure that AI coding agents connected to Sentry or other MCP-connected data sources are not able to execute shell commands, as this opens up a blind spot in their security stack.

The emergence of agentjacking highlights a broader issue with the security of AI agents in enterprise environments. Surveys conducted in 2026 indicate that many organizations trust their AI agents more than their security controls warrant. Only a fraction of organizations apply the same security controls to AI agents as they do to human employees, leading to incidents of unauthorized tool usage and breaches.

To address these security gaps, organizations should consider implementing agent-specific runtime detection and treating every agent as a privileged insider. Mandating regular access reviews, privilege scoping, and revocation timelines for AI agents can help close the security gap and prevent attacks like agentjacking. Additionally, organizations should assess the governance perception gap within their workforce and ensure that policies are clear and understood by all employees.

By taking proactive steps to secure AI coding agents and address the governance and security gaps highlighted by the agentjacking attack, organizations can better protect their systems and data from malicious actors. The key lies in continuous monitoring, enforcement, and authorization of agent actions in real-time, ensuring that every step in the chain is closely watched to prevent unauthorized access and potential breaches.