TL;DR: On June 3, 2026, Tenet Security disclosed "Agentjacking" to Sentry, with public reporting following on June 11-12, 2026. Attackers inject malicious instructions into Sentry error events using a public Sentry DSN write-only credential and any HTTP client; AI coding agents like Claude Code, Cursor, and Codex retrieve those events through the Model Context Protocol (MCP) and execute attacker-controlled commands with the developer's full system privileges. Sentry declined to fix the issue at the platform level, calling the class "technically not defensible." NC small businesses using AI coding agents now have to govern the agent itself, not just the perimeter.
Key takeaway: Agentjacking is not a Sentry vulnerability. It is a structural weakness in how AI coding agents trust any external data source they read through MCP. The defense is governance, sandboxing, and human-in-the-loop approvals on the developer endpoint - not another firewall rule.
Need a defensible AI coding agent governance policy for your NC small business? Preferred Data Corporation has helped NC SMBs govern technology risk since 1987. Call (336) 886-3282 or request an AI governance review.
What is Agentjacking and why should NC small businesses care?
Agentjacking is a new attack class disclosed by Tenet Security on June 3, 2026 and publicly reported June 11-12, 2026, in which an attacker hides malicious instructions inside data that an AI coding agent reads through the Model Context Protocol. Per The Hacker News coverage, the proof-of-concept abused a public Sentry DSN, but the same pattern works against any outside data the agent ingests - support tickets, GitHub issues, documentation pages, internal wikis. NC small businesses should care because the attack lands on the developer workstation with the developer's full privileges, which means source code, cloud credentials, signed commits, and customer data are all in scope.
Three reasons NC SMBs are exposed even if they do not write software for resale:
- Internal tools count. Plenty of NC small businesses in High Point, Greensboro, and Charlotte run an in-house developer or a contracted developer who uses Claude Code, Cursor, or Codex to maintain order portals, ERP integrations, and customer dashboards. Those endpoints are the target.
- MSPs and consultants are in scope. Per Infosecurity Magazine, any consultant who connects an AI agent to a shared error-tracking project becomes a delivery channel into every customer environment they touch.
- The vendor will not fix it. Sentry declined to patch the underlying class of issue, calling it "technically not defensible" per GBHackers' coverage. The mitigation belongs to the business using the AI agent, not the vendor.
How does the MCP-Sentry injection attack actually work?
The attacker sends a crafted error event to a public Sentry project using only a write-only DSN and any HTTP client; the event payload contains plain-text instructions written for an AI agent. Per Tenet Security's technical writeup, when a developer asks their AI coding agent to "look at recent Sentry errors and fix them," the agent pulls the event through the Model Context Protocol, reads the injected instructions as if they were legitimate error context, and executes the commands. The Cloud Security Alliance's June 12, 2026 research note confirms the attack works end-to-end with no Sentry account compromise and no privileged credential.
The four-step attack chain:
- Discover the DSN. Public Sentry DSNs are findable in mobile app bundles, public GitHub repos, and JavaScript source maps. They are write-only by design, so the attacker only needs one.
- Inject the event. The attacker posts a poisoned error event to the public DSN via curl or any HTTP client. No login, no MFA, no rate-limited identity.
- Wait for the agent. The next time a developer asks their AI coding agent to triage Sentry errors, the agent retrieves the poisoned event through MCP.
- Execute as the developer. The agent treats the instructions as work to do and runs them with the developer's filesystem, shell, git, cloud CLI, and AWS or Azure credentials.
Quotable definition: Agentjacking is a class of attack in which an adversary embeds malicious instructions inside external data that an AI coding agent reads through the Model Context Protocol, causing the agent to execute attacker-controlled commands with the developer's authenticated privileges, bypassing every traditional perimeter control.
Why do traditional security controls fail against Agentjacking?
Because every action in the chain is technically authorized. Per Tenet Security, the firm coined the phrase "Authorized Intent Chain" to describe what happens: the DSN write is authorized, the MCP read is authorized, the agent's shell command is authorized, the developer's cloud CLI call is authorized. EDR sees a developer doing developer things. WAF sees normal API traffic. IAM sees a logged-in user. Cloudflare sees a normal HTTPS POST. The firewall sees nothing unusual. None of the controls were designed to interrogate the intent embedded inside an error payload.
| Control layer | Stops phishing? | Stops malware? | Stops Agentjacking? |
|---|---|---|---|
| EDR on the endpoint | Partial | Yes | No - agent action looks normal |
| WAF in front of cloud apps | Yes | Partial | No - DSN write is legitimate |
| IAM with MFA | Yes | Partial | No - developer is already authenticated |
| VPN or zero trust network | Yes | Partial | No - agent runs inside the trust zone |
| Cloudflare or CDN | Partial | Partial | No - HTTPS POST to vendor is normal |
| Traditional supply-chain controls | Yes for packages | Yes for packages | No - the payload is data, not code |
A traditional supply-chain attack compromises a package or a build step. Agentjacking is different because the payload is data the agent treats as instructions. Per GBHackers, the only viable defenses live at the agent itself: scoped permissions, sandboxed execution, human-in-the-loop approval for shell and write operations, and a clear separation between data the agent reads and instructions the agent obeys.
What NC small businesses are most exposed to this attack class?
NC small businesses that run a developer endpoint with broad cloud access, that use an AI coding agent connected to MCP servers, and that have not separated "read external data" from "execute shell" in their agent configuration. The exposure does not require a SaaS product. It requires an AI agent and any external data feed the agent trusts.
The highest-exposure NC SMB profiles:
- NC manufacturers in the Piedmont Triad with custom shop-floor software. A maintenance developer in High Point or Winston-Salem running Claude Code on a workstation with VPN access to plant-floor controllers is a high-value target. See our Managed IT services page for endpoint hardening for manufacturers.
- NC distributors with custom ERP integrations. A solo developer in Greensboro or Charlotte connecting Cursor to a Sentry project that captures errors from the warehouse management system has the same exposure pattern as the original PoC.
- NC professional services firms running AI-augmented workflows. Law firms in Raleigh, accounting firms in Winston-Salem, and engineering firms in Charlotte that adopted Cursor or Codex for internal tooling without an acceptable-use policy are exposed.
- MSPs and consultancies that develop for multiple NC customers. Per Infosecurity Magazine, one compromised developer endpoint can fan out into every customer environment that consultant touches.
- NC defense contractors using AI coding agents. The CMMC framework treats developer endpoints as in-scope assets; an Agentjacking incident on a developer endpoint that touches CUI is a reportable event.
Worried that an AI coding agent on your team's laptops has more reach than you realized? Call (336) 886-3282 or request an AI agent exposure assessment.
What governance steps should NC SMBs take this week?
Run a five-step plan over the next two weeks. The fix is not a product purchase; it is policy, configuration, and a small set of guardrails at the developer endpoint. Per the CSA research note, defenses concentrate at the agent, not the network.
- Inventory AI coding agents (week 1, days 1-2). Identify every developer, contractor, and consultant using Claude Code, Cursor, Codex, or any other MCP-enabled coding agent. Capture which MCP servers each agent connects to.
- Inventory MCP data sources (week 1, days 2-4). For each agent, list every MCP server it reads from - Sentry, GitHub, Jira, internal docs, support ticket systems. Anything the agent can read can be poisoned.
- Require human-in-the-loop approval for shell and write operations (week 1, days 4-5). Configure every AI coding agent so the developer must explicitly approve filesystem writes, shell commands, and external network calls before the agent executes them. Auto-execute is the failure mode.
- Scope agent credentials to least privilege (week 2, days 1-3). Move the agent's cloud CLI, git, and database credentials to short-lived, scoped tokens. The developer's standing AWS access keys should not be readable by the agent.
- Publish an AI coding agent acceptable-use policy (week 2, days 3-5). Document what data sources the agent may read, what operations require human approval, what is forbidden, and what to do if a developer suspects a poisoned MCP response. Train every developer who runs an agent. Reference our Cybersecurity services for policy templates.
Key takeaway: The first action is inventory. NC SMBs cannot govern AI coding agents they do not know exist. A 30-minute conversation with every developer and contractor is the highest-ROI security step of the next 14 days.
How does Preferred Data Corporation help NC SMBs govern AI coding agents?
PDC has supported NC small businesses since 1987 and treats AI coding agent governance as the next chapter of the same endpoint and identity story we have managed for nearly four decades. We bring three things to the Agentjacking conversation:
- AI Transformation: AI tool inventory, acceptable-use policy, MCP server review, and human-in-the-loop guardrail design for NC SMBs adopting Claude Code, Cursor, Codex, and other AI coding agents. Governance is part of the rollout, not an afterthought.
- Cybersecurity services: Developer endpoint hardening, credential scoping, EDR tuning for AI agent behavior, and incident-response runbooks for suspected Agentjacking events. We help NC SMBs treat the developer workstation as a tier-one asset.
- Managed IT services: Patch management, endpoint configuration baselines, identity and access governance, and the day-to-day operational work that keeps the developer endpoint defensible. For NC manufacturers in High Point, distributors in Greensboro, and professional services firms in Charlotte and Raleigh, the managed baseline is what makes the AI agent governance program survive contact with reality.
For small business owners in High Point, the Piedmont Triad, Greensboro, Winston-Salem, Charlotte, and Raleigh, the Agentjacking disclosure is the cue to formalize AI coding agent governance now rather than after an incident. The Cybersecurity and Infrastructure Security Agency's SMB resources frame this clearly: SMBs have the same exposure as enterprises but a fraction of the staff. A trusted local partner closes the gap.
Ready to govern the AI coding agents already running on your team's laptops? Call (336) 886-3282 or book an AI agent governance review.
Frequently Asked Questions
What is Agentjacking?
Agentjacking is a class of attack disclosed by Tenet Security on June 3, 2026 in which an attacker embeds malicious instructions inside external data an AI coding agent reads through the Model Context Protocol. The agent treats the instructions as legitimate work and executes them with the developer's privileges. The proof-of-concept used a public Sentry DSN, but the pattern generalizes to any external data source the agent ingests.
Is Agentjacking a Sentry vulnerability?
No. Per The Hacker News, Sentry declined to patch the issue at the platform level, calling the class "technically not defensible." The vulnerability is in how AI coding agents trust the data they read through MCP. The same risk exists for GitHub issues, support tickets, documentation, and any other MCP-readable data source.
Does an EDR product stop Agentjacking?
No. Per Tenet Security, Agentjacking sits inside an "Authorized Intent Chain" where every step is technically allowed. EDR sees the developer's normal shell and process activity, IAM sees an authenticated user, and the WAF sees normal API traffic. The defense lives at the AI agent's permission model, not the perimeter.
What is the Model Context Protocol (MCP)?
Per the official MCP documentation, the Model Context Protocol is an open standard that lets AI agents read structured data from external systems like error trackers, source repositories, and documentation. MCP is how Claude Code, Cursor, and Codex see context beyond the local files. Agentjacking abuses this trust boundary by hiding instructions inside the data.
Which NC SMBs are most at risk?
NC small businesses that run developer endpoints with broad cloud or production access, that use Claude Code, Cursor, or Codex, and that have not configured human-in-the-loop approval for shell and write operations. NC manufacturers in the Piedmont Triad, distributors in Greensboro and Charlotte, and professional services firms in Raleigh and Winston-Salem with internal developer or contractor relationships should treat this as an active governance priority.
What is the first thing an NC SMB should do this week?
Inventory every AI coding agent in use across employees, contractors, and consultants, and inventory every MCP server those agents connect to. Without that list, no governance is possible. Once the inventory exists, the next step is to require human-in-the-loop approval for shell and write operations and to publish an AI coding agent acceptable-use policy.
Related Resources
- Cybersecurity Services for NC Small Businesses - Endpoint hardening and incident response
- AI Transformation Services for NC Businesses - AI tool governance and adoption
- Managed IT Services for NC Businesses - Developer endpoint and identity baseline
- AI Agents Inside the Perimeter: Shadow AI Governance NC 2026 - Shadow AI risk for NC SMBs
- TanStack Mini Shai-Hulud npm Supply Chain Defense NC 2026 - Developer supply-chain context
- AI Agent Security Risks: Prompt Injection NC 2026 - Prompt injection background
- Contact Preferred Data Corporation - AI coding agent governance review for NC SMBs