The cleanest attacks are the ones that never touch the thing you defended. For two years the AI-agent security conversation has been about the tool and the server: poisoned tool descriptions, rug-pulls that swap a tool's behavior after approval, over-broad OAuth scopes, servers that leak cloud-metadata credentials. Defenders locked down the connective tissue between the model and the world. Agentjacking walks past all of it and plants its payload in the one place nobody was guarding — the data.

The attack, disclosed in June 2026 by Tenet Security, works like this. Sentry, the error-tracking service, ingests crash reports from browsers using a DSN — a Data Source Name. The DSN is a write-only credential, and it is meant to be public: it ships in the client-side JavaScript of nearly every site that uses Sentry, because that is how a user's browser reports an error. View source on a target's website, copy the DSN, and you can now POST arbitrary events into that organization's error stream. You have breached nothing. You are using the API exactly as designed.

The attacker crafts an event whose message field and context keys contain carefully formatted markdown — not a stack trace, but a set of instructions. Then they wait. Eventually a developer opens their coding agent and types something utterly ordinary: "fix the unresolved Sentry issues." The agent queries Sentry through its MCP server, and the poisoned event comes back mixed in with the real ones. The injected text steers the agent away from reading source code and toward running a "diagnostic" — in Tenet's proof of concept, npx @tenet-controlled-validation-package --diagnose. The package downloads from the public npm registry and executes with the developer's full privileges.

The DSN was never a secret that leaked. It was a public credential doing exactly its job. The vulnerability is that an agent treats an error report as a fact instead of as a message from a stranger.

The numbers make it worse#

Using only public Sentry APIs — again, breaching nothing — Tenet's researchers found 2,388 organizations with the exposure, ranging from independent developers up to the Fortune 100. In controlled testing they watched more than 100 agents act on injected errors, and reported an 85% execution rate across the most widely used assistants. Claude Code, Cursor, and Codex all retrieved the planted events and, in Tenet's account, could not tell them apart from legitimate application errors.

That last detail is the whole story. This is not a misconfiguration that a Sentry engineer can fix on a Friday. As the researchers put it, an AI agent cannot reliably distinguish the data it reads from an instruction to act. Plant a command somewhere the agent will look — even somewhere no human ever would, like an error log — and the agent may simply run it. That is a property of how these models consume context, not a bug in one server.

Sentry is the messenger, not the target#

The most important line in the coverage came from VentureBeat: the attack came through Sentry, but Datadog, PagerDuty, and Jira have the same exposure. Any system where an external party can write a record that an agent later reads as authoritative is an Agentjacking surface. A support ticket. A monitoring alert. A commit message. A calendar invite. The agentic web has spent a year wiring agents into every operational data source a company has, and quietly assumed those sources were trustworthy because humans mostly treated them that way.

This is the lethal trifecta wearing a new coat: private access, exposure to untrusted content, and the ability to act. Agentjacking just demonstrates that the "untrusted content" leg no longer has to arrive through a web page the agent browses or a document it summarizes. It can arrive through the plumbing — the observability stack you built specifically so machines could read it automatically.

What actually helps#

There is no server-side patch, so the mitigations are architectural and they live on the agent side:

The uncomfortable part is that none of these make the agent smarter about the trap. They just stop trusting it to notice one. A year into the agentic-tooling boom, that is the honest security posture: assume every input your agent reads was written by someone who wants something, and build the wall at the point of action — because the models will keep reading everything, and believing most of it.