A translucent crystal padlock with a hairline crack across its face and a translucent crystal hand slipping through its open shackle, set against a blush rose atmosphere, representing the dissolving trust boundary in AI agent integrations

The MCP Trust Boundary Doctrine: Why 2,388 Businesses Just Had Their AI Coding Agents Hijacked, And How To Audit Yours Before Monday Morning

June 21, 2026

Last week a single HTTP POST request hijacked AI coding agents at 2,388 businesses.

No malware.

No phishing.

No credential breach.

The attacker did not break a single security control.

Your firewall, your endpoint detection, your VPN, your Cloudflare WAF, and your identity layer all stayed green the entire time (yage.ai).

Welcome to Agentjacking, the most important AI security story of June 2026, and the one almost no operator is talking about over Sunday coffee.

What exactly is Agentjacking?

Tenet Security publicly disclosed Agentjacking on June 12, 2026 (Pinggy).

Tenet had privately notified Sentry on June 3 (yage.ai).

In their testing across 100+ live AI agent installations at consenting organizations, the attack succeeded 85% of the time (Canadian Cyber Security Journal).

It worked against Claude Code, Cursor, and OpenAI Codex (Canadian Cyber Security Journal).

Passive reconnaissance found 2,388 organizations with publicly injectable Sentry DSNs, 71 of which rank in the Tranco global top one million, and the victims ranged from a Fortune 500 company with a $250 billion market cap down to solo developers (yage.ai).

Here is the attack in five steps.

One. An attacker searches GitHub, the SourceGraph public index, or any modern source-code search for the phrase "sentry_dsn" inside a public repository.

Two. They craft a fake error event and POST it to the public Sentry ingest endpoint using your DSN, which is intentionally write-only and meant to be embedded in browser JavaScript (Pinggy).

Three. The fake event includes a fabricated "Resolution" block that contains an npx command, formatted in the exact markdown style Sentry's official MCP server uses for legitimate diagnostic output.

Four. Your developer says something completely normal to their AI coding agent: "fix unresolved Sentry issues." The agent calls the Sentry MCP tool, reads the injected event, and cannot distinguish attacker-authored text from a real error report from your own application (Mallory).

Five. The agent runs the injected npx command with the developer's full system privileges, exfiltrating environment variables, AWS credentials, npm tokens, Docker credentials, Git credentials, SSH key material, and any CI secrets to a beacon server the developer has never heard of (Pinggy).

No malware was installed.

No credentials were guessed.

No firewall was bypassed.

The agent did exactly what it was designed to do.

That is the new attack surface.

Why does this matter for a business that does not write code?

Because almost every 8-figure online business now has at least one AI coding agent in the toolchain even when the founder does not call them "engineers."

Your team uses Claude Code or Cursor to ship a custom GHL workflow.

Your contractor uses Codex to fix the Shopify Liquid template.

Your AI-built side project lives on a developer machine that also holds your Stripe API key, your Mailchimp token, your AWS credentials for the S3 bucket where your course videos live, and the SSH key that deploys your funnel.

Every one of those endpoints is in scope.

The mid-quarter pattern is now clear.

Microsoft disclosed AutoJack on June 18, a separate but structurally identical exploit chain that uses a planted URL to push AI agents into running arbitrary code on the host machine through the AutoGen Studio MCP WebSocket (Microsoft Security).

The Cloud Security Alliance's CISO Daily Briefing on June 20 called this class of attacks "the localhost trust boundary dissolving" (CSA Labs).

The Five Eyes joint guidance on agentic AI in May 2026 identified prompt injection, tool abuse, and uncontrolled agentic execution as the primary risk categories of this stage of AI deployment (DEV Community).

Sentry's own response is the most telling line in the story.

The company acknowledged the disclosure on the day it was filed, deployed a content filter for the specific payload string Tenet used in the proof of concept, then characterized the broader vulnerability as "technically not defensible" at the ingestion layer (Mallory).

Translation. The fix is on your side of the integration, not theirs.

How is Agentjacking different from the prompt injections I read about last year?

It is the same family of attacks, scaled and weaponized.

Last year's prompt injections required a user to copy-paste poisoned text into a chat window.

Agentjacking and AutoJack require nothing of the user except a normal request like "fix unresolved Sentry errors" or "summarize the support tickets that came in overnight."

The attacker writes content into a system your agent is configured to trust, and the agent does the work for them.

Tenet calls this the Authorized Intent Chain (yage.ai).

Every step in the attack chain is a legitimate operation performed by an authorized component.

Endpoint detection, web application firewalls, identity and access management, VPNs, and content delivery networks all go blind because there is nothing unauthorized happening from their perspective.

This is the moment the AI security model changes from "watch the perimeter" to "watch the agent's authority chain."

What is The MCP Trust Boundary Doctrine and how do I run it?

The doctrine is five questions you run before your team opens Slack on Monday morning.

Set a 30-minute block. Open a blank document. Write each question and answer it for your business.

One. What AI agents do you or your contractors run on machines that hold any of your business credentials, and which MCP servers are connected to each one?

This is the "know your blast radius" question.

Open Claude Code's settings or Cursor's MCP panel and look at the list.

If you see Sentry, Linear, Jira, Notion, Slack, GitHub Issues, Intercom, Zendesk, or any other system where someone outside your company can post content, you have an externally-writable data channel feeding your agent.

Two. Which of those MCP servers receives content from public or partially public sources?

Sentry DSNs are public by design (Pinggy).

Linear and Jira can accept external email-to-ticket conversion.

Zendesk and Intercom let any customer write into the support queue.

GitHub Issues lets any logged-in user comment on a public issue.

Every one of those is a potential Agentjacking vector for an agent that treats tool responses as trusted instructions.

Three. What is the maximum amount of damage a single rogue agent execution could cause on the machine running your agent, in dollars and recovery time?

Walk through the worst case.

If the agent executes a script with your AWS credentials, that means your S3 buckets, your IAM users, your billing.

If the agent runs npm install of a malicious package, that means your npm token can be used to publish malicious updates to your own internal packages.

If the agent commits and pushes a change to your private repository, that means your production deployment pipeline now ships the attacker's code.

Write a single number on the page.

That is your Agentjacking blast radius.

Four. What permission scopes does your agent run with, and which of those can be reduced to read-only today?

This is the highest-impact move in the entire doctrine.

In Claude Code's settings.json, the agent permissions can be scoped to specific directories, specific commands, and specific MCP servers (Pinggy).

In Cursor and Codex, you can disable the Sentry MCP integration in 30 seconds and re-enable it only for the specific window you need it.

Default-deny then approve, not default-allow then audit.

Five. Where does your agent's outbound network traffic go, and would you see if it called a domain you have never heard of?

Most operators have no answer for this question.

On macOS, install Little Snitch or LuLu and review outbound connections from node and npx for one week.

On Linux, use auditd with an execve rule for npx.

This will not prevent the injection, but it will give you a forensic record if something runs, and over time it gives your team a baseline of normal agent network behavior (Pinggy).

What is the single highest-impact action I can take in the next 30 seconds?

If you use Claude Code, Cursor, or Codex with the Sentry MCP server, and you are not actively triaging Sentry issues this weekend, disconnect that MCP server right now.

In Claude Code, remove the Sentry entry from your .claude/settings.json MCP block (Pinggy).

In Cursor, open Settings and disconnect the Sentry MCP server.

That single move takes you out of the published 2,388-organization scan list for this specific attack.

Then this week, search your public repos for "sentry.io/api" or "SENTRY_DSN" and rotate any DSN you find in Sentry project settings to invalidate the public key (Pinggy).

Add a Sentry DSN regex to your gitleaks or trufflehog secret scanning rules.

That is the floor.

TL;DR

  • Tenet Security disclosed Agentjacking publicly on June 12, 2026, after privately notifying Sentry on June 3 (Pinggy, yage.ai)
  • The attack succeeded 85% of the time across 100+ AI coding agent installations at consenting organizations, against Claude Code, Cursor, and OpenAI Codex (Canadian Cyber Security Journal)
  • 2,388 organizations have publicly injectable Sentry DSNs, 71 of them in the Tranco top one million, with victims from a $250 billion enterprise to solo developers (yage.ai)
  • Sentry called the underlying vulnerability "technically not defensible" at the ingestion layer and only filtered the specific payload string in the proof of concept (Mallory)
  • Microsoft separately disclosed AutoJack on June 18, a structurally identical exploit on the AutoGen Studio MCP WebSocket (Microsoft Security)
  • Endpoint detection, WAFs, IAM, VPNs, and CDNs are blind to this class of attack because every step in the chain is an authorized operation (yage.ai)
  • Run The MCP Trust Boundary Doctrine, a five-question audit on every AI agent in your toolchain, before Monday morning
  • 30-second move right now: disconnect the Sentry MCP server in Claude Code or Cursor if you are not actively triaging Sentry issues

FAQ

What is the difference between an MCP server and a regular API integration?

A Model Context Protocol server lets an AI agent reach into external tools, read data, and act on what it finds. Unlike a static API call, the agent is the one deciding what to do with the returned content. That is what makes externally-writable MCP data channels into a new attack surface (Mallory).

Is this only a Sentry problem?

No. Sentry was the first large-scale empirical case because public DSNs and open ingestion made the attack easy to reproduce, but the same class affects any MCP-connected service where outside parties can write content the agent will later read, including issue trackers, ticketing systems, customer support queues, code review platforms, and log aggregators (Cloud Security Alliance via Agent Mag).

If I disable the Sentry MCP server, am I safe?

Safer, not safe. The Agentjacking technique is one example of a broader class. Treat every MCP tool response as untrusted input, sandbox agent execution where possible, and apply least-privilege scopes to every agent identity (Mallory).

Can prompt-side defenses fix this?

No. Tenet specifically tested system prompts that explicitly instructed the agent to distrust external data. Agents still executed the injected commands (yage.ai). The fix is architectural, including sandboxing, least privilege, and provenance metadata on tool responses.

Does this affect my employees who use ChatGPT or Claude on the web?

It primarily affects agents with tool access on developer machines, not chat-only usage. If you or your team has Claude Code, Cursor, or Codex installed locally with MCP integrations, you are in scope. If your team only uses ChatGPT.com or Claude.ai in a browser without local agents, you are not in scope for Agentjacking specifically, though prompt injection in shared documents and websites remains a risk.

What to do this morning

Open a blank document.

Write down every person on your team or your contractor list who uses Claude Code, Cursor, or Codex.

For each person, write the MCP servers connected to their agent.

For each MCP server, write whether outside parties can post content into it.

Then run the five questions of The MCP Trust Boundary Doctrine for each combination.

If you want a calm strategic partner to run this audit on your real toolchain and ship a 90-day remediation plan that does not slow your team down, book an AI Implementation Session at go.8fig.ai/1-on-1. We will sit with your agent configurations, walk through every MCP integration, and ship you the smallest set of changes that closes your Agentjacking blast radius without breaking your developer velocity.

2,388 businesses learned this week that their AI agents can be turned against them through a free Sentry account.

Most of those businesses still do not know.

You do.

Run the audit before Monday.

Back to Blog