"Agentjacking" — MCP injection of AI coding agents via forged Sentry error events (Tenet Security)

Tenet Security documented an MCP-injection attack class that abuses the implicit trust between AI coding agents and the Sentry error-tracking integration (The Hacker News, 2026-06-12). The attacker needs only a target's Sentry DSN — a write-only credential frequently exposed in client-side JavaScript or committed to GitHub — to publish a crafted error event embedding markdown-formatted instructions. When a developer later asks their coding agent to investigate that Sentry issue, the agent retrieves the injected event over MCP and executes the embedded instructions with the developer's own system privileges. Because every action the agent takes is one the developer nominally authorised, the technique reportedly slips past EDR, WAF, IAM and VPN controls (Tenet Security, 2026-06-12). Sentry acknowledged the disclosure but declined a root-cause fix, deploying only a content filter for a specific payload string; no CVE was assigned because the issue is an architectural trust-model gap in MCP. Maps to T1059 (agent-mediated command execution) and T1195. Defender action: audit MCP server integrations for any external service that can write content later surfaced to an agent; treat Sentry event content as untrusted, use a read-only Sentry service account/project for MCP, rotate exposed DSNs and remove them from client bundles and repos; alert when an agent tool-call chain involving Sentry events is followed by shell or filesystem writes.