惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

有赞技术团队
有赞技术团队
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
C
Cisco Blogs
The Hacker News
The Hacker News
T
Threatpost
S
Schneier on Security
K
Kaspersky official blog
Spread Privacy
Spread Privacy
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
NISL@THU
NISL@THU
量子位
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google DeepMind News
Google DeepMind News
Security Latest
Security Latest
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News and Events Feed by Topic
爱范儿
爱范儿
P
Proofpoint News Feed
C
CERT Recently Published Vulnerability Notes
Project Zero
Project Zero
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cisco Talos Blog
Cisco Talos Blog
GbyAI
GbyAI
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
T
Tenable Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
Vulnerabilities – Threatpost
Forbes - Security
Forbes - Security
博客园 - 三生石上(FineUI控件)
C
Cyber Attacks, Cyber Crime and Cyber Security
N
News and Events Feed by Topic
V
V2EX
Webroot Blog
Webroot Blog
The Register - Security
The Register - Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Blog — PlanetScale
Blog — PlanetScale
M
MIT News - Artificial intelligence
Scott Helme
Scott Helme
Simon Willison's Weblog
Simon Willison's Weblog
L
LangChain Blog
W
WeLiveSecurity
Cloudbric
Cloudbric

The New Stack | DevOps, Open Source, and Cloud Native News

Agentic development hinges on verification. For cloud-native software, that is a runtime problem. AI agents need infrastructure: Why Europe’s regional cloud strategy matters Transform your AI coding agent into a deterministic Java Spring expert WeAreDevelopers is coming to the US to give unsung developers a bigger voice Cleaner AI training data, fewer bugs: Sonar’s SonarSweep explained Observability overload is drowning engineers Google’s DiffusionGemma is 4x faster than its other Gemma models Fable 5: Guardrails and burn rate are annoying users, who say it’s still better than Opus 4.8 The Anthropic leader who built Claude Code says he ditched prompting — now he just writes loops. AWS can now mathematically prove your VMs are isolated Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised Databricks wants to kill the “email me a file” problem for AI agent skills Ramp bets forward deployed engineers can do what off-the-shelf finance AI can’t Git real: AI agents aren’t just for solo developers anymore Anthropic launches Claude Mythos/Fable 5, but you better try it soon This AI agent startup ditched Anthropic for DeepSeek — and says it’s saving millions When your data model is the bottleneck: lessons from Medium’s feature store How long before we stop reading the code? The tokenmaxxing party is over, and Revenium is mopping up How AI is solving the memory crunch it created Microsoft’s pitch to enterprises: Ditch Azure Repos for GitHub, despite its rocky reliability record Claude Code’s biggest upgrade yet ran 5 agents at once — here’s what happened Why Anthropic just doubled Claude Cowork limits at no charge For years, Apache Cassandra handed this work to your team — 6.0 takes it back “A dangerous combination”: The 2 factors that can “corrupt” AI agent workflows With Foundry, Microsoft bets the enterprise AI battle is about reliability, not capability Microsoft unlocks Visual Studio for developers left behind by its own AI AI teams now deploy 1,000 times a month. Your pipeline wasn’t built for that. Microsoft just made the agent runtime free — and kept everything around it “Whoever builds the most joyous product wins”: The agent war begins Netlify CTO Dana Lawson: Writing code is no longer the job From Jupyter Notebook to production: How to ship AI systems that actually work OpenClaw used Gavriel Cohen’s code and exposed the AI Agent accountability problem Replit shows how vibe coding is getting its own financial stack — and a path to profit Cloudflare aqui-hires VoidZero: Did a piece of the open web just stabilize, or become more brittle? Cursor cuts prices and adds enterprise spend controls amid “tokenomics” reckoning Google Gemma 4 12B nearly matches 26B benchmarks — and runs on your laptop Snowflake thinks it knows what’s really slowing developers down Autonomous agents have met their biggest challenge yet: The database. Why agentic AI makes the ops platform the most important layer in the enterprise How to dramatically improve enterprise security alert tuning to battle cyberattacks Why the need for humans won’t disappear in the age of autonomous databases How to secure Kubernetes in the age of AI workloads Asana says its new AI “chief of staff” turns your Slack chaos into trackable work Nvidia’s best model is now live Mate Security’s Asaf Wiener made every backend engineer a model router. He’s right to. The AI cost crisis finally has a watchdog — just not the companies causing it How to get operational data off the factory floor without creating an IT breach Why CPUs still matter in the age of AI agents Rayfin: Microsoft’s answer to the gap between vibe coding and enterprise production Microsoft bets the enterprise AI race will be won on data context, not model power “A successful attack could be catastrophic”: Anthropic gives more groups access to Claude Mythos How GitHub plans to win developers back Microsoft really, really, really wants developers to love Windows again With Intelligent Terminal, Microsoft is reinventing the Windows terminal Microsoft debuts “Scout” at Build, a new personal agent for work OpenAI’s Codex adds new tools — Sites, Annotations, more plugins — for knowledge workers GitHub Copilot’s usage-based billing is live: Here’s what you need to know OpenAI, Anthropic, Google, Amazon, and xAI all fail on type of attack, study finds JetBrains open-sources Mellum2 to go where Claude Code can’t Claude Code vs. Cursor vs. Codex vs. Antigravity — six months in This coding agent doesn’t want your feedback — it ships without it “Blowing things up”: The one move vendors got wrong on AI agents At Sapphire, SAP makes the case that enterprise AI is a context problem Gavriel Cohen found his own code inside OpenClaw, so he walked away AI retrieval at scale is becoming a systems problem, not a tooling problem The DIY platform trap that’s burning out engineering teams I tested Cursor’s new Jira integration and it’s 5 stars, no notes. Here’s why. Why GPT-5.4, Claude, and Gemini can’t agree on basic, real-world facts Replit’s vibe coding platform just got a Visa-backed identity layer for AI agents — and it changes how agents spend money Opus 4.8 Made Claude Smarter. Token Discipline Got Urgent. Why Linux creator Linus Torvalds gets angry hearing “99% of code is AI” Vendor neutrality isn’t magic: A hard look at the OpenTelemetry ecosystem “The AI did it” won’t save you when EU regulators come knocking The fix for soaring AI cloud bills exists — so why won’t we trust it? AI is shipping code faster than security was built to handle Why AWS scrapped OpenSearch’s architecture to chase agent workloads Claude Opus 4.8 is here: effort controls, dynamic workflows, cheaper fast mode, better honesty, less deception Percona celebrates 20th birthday with new foundation — and a goat cake Why OpenAI and Anthropic are hiring forward deployed engineer teams Claw-style AI agents are coming to the enterprise. The governance infrastructure is still catching up. The agentic identity crisis: Why your security isn’t ready for the AI revolution Debugging the undebuggable: building observability into probabilistic AI systems Snowflake commits $6B to AWS as it pushes deeper into AI Why MotherDuck refuses to fork DuckDB Researcher “gave Claude Code ‘ADHD’… and it thinks 2x better now.” Outside experts want more proof. “There is no accountability”: AI coding agents are installing packages no one owns “Tokenmaxxing is real, expensive & it’s spreading”: AI budgets are exploding With Google’s debut, the most important AI agent feature is now the most boring one Why AI agents need a Context Lake Google ranks the best AI for building Android apps, and the winner isn’t Gemini Google pushes Pro, Ultra, and free users from open-source Gemini CLI to closed-source Antigravity CLI The reason enterprise outages almost never start where ops teams think Taming the agentic influx: a blueprint for AI business observability How the AC/DC framework helps teams govern AI coding agents GitLab 19.0 trades its string section for a full DevSecOps orchestra Who’s monitoring the agents? How Jaeger hit 8.6× compression on 10 million spans with ClickHouse What ClickHouse learned from a year of coding with AI agents OpenClaw passed 300,000 GitHub stars. Then Google launched Spark.
A public Sentry key is all it takes to hijack Claude Code, Cursor, and Codex
http://www.facebook.com/janakiramm · 2026-06-22 · via The New Stack | DevOps, Open Source, and Cloud Native News

On June 17, the Threat Labs team at Tenet Security, an AI-agent security startup newly out of stealth, documented an attack it calls agentjacking.

The whole attack rides on a routine request to fix unresolved errors in Sentry, the error-monitoring service thousands of teams wire into their applications. And a single fake error report can turn an AI coding agent into a code-execution engine on a developer’s own machine. No malware changes hands, and no password is stolen.

And a single fake error report can turn an AI coding agent into a code-execution engine on a developer’s own machine. No malware changes hands, and no password is stolen.

Think of the attack as a forged repair note slipped into a building’s work-order system. The contractor on call trusts the system, reads the note as an instruction, and never asks who filed it. The Model Context Protocol connects coding agents to outside services the same way. The agent treats whatever those services return as guidance worth acting on.

Why the agent cannot tell data from an instruction

To understand why this works, we need to look at what a Sentry DSN was designed to do. A DSN, or Data Source Name, is a write-only credential. Sentry documents it as safe to embed in frontend JavaScript, so an application can report errors without exposing the rest of the project. By design, it is public, and the ingest endpoint asks for nothing more than the DSN itself.

That arrangement was safe while humans read the error reports. An AI agent reading the same reports turns the design decision into an opening for attackers. Anyone who finds a DSN can post a crafted event that Sentry processes like a genuine crash. The DSN turns up by inspecting a site’s JavaScript, running a Censys query, or searching GitHub code.

That arrangement was safe while humans read the error reports. An AI agent reading the same reports turns the design decision into an opening for attackers. 

The agent cannot tell the data it reads from an instruction to act. A command planted where an agent will read it, even somewhere no human would look, such as an error log, may simply run. This is a limit of the models themselves, not something a config change can fix.

The public DSN and the agent’s trust in MCP output are a lethal combination, because each is harmless alone and dangerous together. The credential lets an attacker write into the data an agent reads, and the agent supplies the privileges to act on it.

How the attack unfolds

Here is how the chain unfolds: Every step is ordinary on its own, and nothing in it looks like an exploit.

1. Find the DSN

The attacker starts by finding a target’s DSN. Sentry documents it as safe to expose, so it sits in the JavaScript of countless production sites. It surfaces through a Censys query or a GitHub code search.

2. Post a crafted event

With the DSN, the attacker sends one error event to Sentry’s ingest endpoint. No authentication beyond the DSN is required. The attacker controls the whole payload, from the message and tags to the context keys and stack trace. Sentry returns HTTP 200 and files the event alongside real crashes.

3. Disguise the command as a resolution

The crafted event carries markdown in its message and context fields. When the Sentry MCP server hands the event to an agent, the markdown renders as headings, code blocks, and a fabricated resolution section. The section matches Sentry’s own template, and inside it sits an npx command the attacker wants run.

4. Steer the agent

A developer asks the agent to fix unresolved Sentry issues. Thousands of teams make that request every day. The agent pulls the injected event through MCP and reads the fake resolution as trusted guidance. From there it is steered toward the suggested command rather than the source code.

5. Run the command

The agent runs the command with the developer’s own privileges on the developer’s own machine. In Tenet’s tests, the package came from the public npm registry and self-identified as a security scan, which kept the demonstration inside responsible-disclosure limits.

6. Reach the secrets

Once running, the package confirmed it could read environment variables, cloud configuration files, and credential stores, then signaled a Tenet-controlled server that the exposure was real. AWS keys, GitHub tokens, and git credentials were all within reach from that single foothold.

What Tenet proved at scale

Imagine a developer clearing a backlog of Sentry issues in one pass on a Friday afternoon, the routine that every step of this attack depends on. Tenet built its validation around exactly that moment and then measured how far it reached.

Tenet reported 2,388 organizations with injectable DSNs found through passive reconnaissance, of which 71 rank in the Tranco top-1M list of busiest sites. The same conditions exist in thousands of other projects that were never tested.

Claude Code, Cursor, and Codex all acted on the injected errors, and the team logged more than 100 confirmed executions across separate organizations.

Ron Bobrov, a Tenet researcher, reported an 85% success rate across the controlled validation waves. Claude Code, Cursor, and Codex all acted on the injected errors, and the team logged more than 100 confirmed executions across separate organizations. Tenet sells the agent-runtime defense it concludes is necessary. The figures are best read as their own controlled test results rather than independent measurements.

Tenet confirmed execution on a machine belonging to a developer inside a $250 billion Fortune 100 technology company, one of the largest on earth. The same campaign reached agents running in sandboxed CI pipelines, inside WSL on managed Windows machines, and behind corporate VPNs, on macOS and Windows alike.

One captured environment running Claude Code held a live AWS secret access key. It also held identifiers for other connected agents, so a single foothold opened far more than one machine. According to Tenet, the build was current, captured in early June 2026 rather than from a stale lab setup.

Inside an enterprise, the danger is everything the agent can already reach. A single injected error exposed CI/CD credentials, private repository URLs, and cloud infrastructure tokens to an attacker. Those are the same credentials a platform team spends its days protecting.

Why no security control sees it

What makes agentjacking hard to stop is that every step in it is authorized. The attacker never touches the victim’s infrastructure, the developer never approves any code, and the agent does exactly what it was asked to do. Tenet calls this the Authorized Intent Chain, and it is why EDR, WAF, IAM, VPNs, and firewalls register nothing worth flagging.

What makes agentjacking hard to stop is that every step in it is authorized… EDR, WAF, IAM, VPNs, and firewalls register nothing worth flagging.

Prompt-layer defenses did not help the agents either. The researchers said the agents ran the payload even when system prompts and skills told them to ignore untrusted data. That points to a limit in how current models handle tool output, not a setting a team can switch off.

Sentry, the model vendors, and the runtime

Once the attack works, someone still has to stop it, and that is harder than it sounds. Three layers sit between the injected error and the damage. Two are the platform that emits the data and the model vendors whose agents act on it. The third is the runtime around the agent, where each action is decided.

Sentry’s response to the disclosure is what keeps this attack open. Tenet disclosed the issue on June 3, and Sentry acknowledged it the same day. Sentry declined to fix it at the source.

The company called the attack class “technically not defensible” and pointed to middleware that model vendors run instead. It did ship a global content filter for the specific string in Tenet’s proof of concept, which stops that one payload without closing the path.

Who owns the fix

That puts the runtime in the spotlight, the layer around the agent where every action is decided. Sentry treats its open endpoint as a feature, and the model will not reliably refuse the instruction. So the fix cannot come from either of them alone.

The fight now is over who owns that fix, and how it settles will matter to teams more than the proof of concept did.

Beyond Sentry

In summary, the weakness Tenet demonstrated does not belong solely to Sentry. Any MCP integration that returns externally influenced data to an agent carries the same exposure. As more tools connect through MCP, the surface attackers can reach through trusted telemetry will widen. The prompt injection that security teams have warned about for a year now has a clear path from a publicly available credential to code execution.

If teams keep wiring agents to external services without a control that inspects what those services return, injected data will keep finding a route to execution. Tenet has open-sourced a set of drop-in configurations called agent-jackstop that harden Cursor and Claude Code against this class of injection. They give teams a concrete starting point while the larger question is argued out.

An agent that clears a Sentry backlog in seconds will also run whatever a trusted tool hands it. That makes the runtime around the agent the next real boundary in software supply chain security. Enterprises already vet third-party libraries before trusting them. Treating every MCP integration the same way is what keeps agentjacking from turning a team’s own telemetry against it.

YOUTUBE.COM/THENEWSTACK

Tech moves fast, don't miss an episode. Subscribe to our YouTube channel to stream all our podcasts, interviews, demos, and more.

Created with Sketch.