Agentjacking: AI Coding Agents Tricked Into Running Malicious Code via Sentry Injection

TL;DR

what: Attackers inject crafted markdown into Sentry error events that AI coding agents interpret as legitimate diagnostic instructions and execute with developer privileges.

impact: Exposes Git credentials, environment variables, private repository URLs, and enables arbitrary code execution on developer machines with full user privileges while bypassing all security controls.

fix: Sentry activated a global content filter for specific payload strings but acknowledges the architectural flaw is 'technically not defensible'; organizations should audit DSN exposure and restrict AI agent MCP connections.

who: Development teams using AI coding agents (Claude Code, Cursor) with Sentry integration via Model Context Protocol are at immediate risk.