Tenet Security's Threat Labs just published research showing how a single fake Sentry error report hijacked the AI coding agent inside a $250 billion Fortune 100 company, then did the same thing to more than 100 other organizations across six continents. The attack, which Tenet calls Agentjacking, required no breach, no stolen credentials, and no phishing email. An attacker posts a crafted error event to Sentry using a public DSN, the same write-only credential Sentry intentionally embeds in frontend JavaScript on countless production websites. The error contains a fake "Resolution" section formatted to look exactly like Sentry's own remediation guidance. When a developer asks their coding agent to triage the bug, the agent reads that fake resolution as a trusted instruction and runs the attacker's code, with the developer's own credentials, on the developer's own machine. Tenet found 2,388 organizations exposed and confirmed agent execution at more than 100 of them, spanning finance, healthcare, government, and a cloud security vendor that should have known better.

Not a Sentry Bug. A Property of How Agents Are Built.

None of this required a clever exploit. Sentry's own engineering leadership told Tenet the flaw was "technically not defensible" and declined to fix it at the root; they added a content filter for one specific payload string and called it a day. The real problem sits underneath Sentry entirely: any AI coding agent connected through MCP treats whatever a tool returns as authoritative system output, the same way it would treat a developer's own instructions. The agent has no way to tell the difference between an error message generated by a real application crash and one an attacker typed into a public API. That's not a Sentry bug. That's how MCP-connected agents are built, full stop, and it shows up wherever an agent reads externally influenced data and acts on it.

Sandboxing and Prompt Defenses Both Failed

Tenet ran the payload against Cursor, Claude Code, and Codex; eighty-five percent of agents executed it. Sandboxing didn't help. A network-restricted CI agent running inside a CircleCI pipeline got hit anyway, because the malicious instruction rode in through data the agent was specifically asked to read, not through some open port an EDR tool would flag. Prompt-layer defenses failed too; Tenet tried telling agents explicitly, through system prompts and skills, to ignore untrusted data, and the agents executed the payload regardless. Every step in the chain is authorized by design, which means EDR, WAF, IAM, and the firewall all watch it happen and see nothing wrong.

Air-Gapped Closes the Cloud Category. It Doesn't Close This One.

This is where the sovereignty argument needs to be precise instead of convenient. Running your AI agent on hardware you own, inside a network you control, with no cloud provider sitting between your prompts and the model, closes off an entire category of exposure: nobody is harvesting your queries for training data, nobody is logging your proprietary source code on someone else's servers, and a breach of OpenAI or Anthropic's infrastructure doesn't touch you. But Agentjacking doesn't care whose GPU is doing the inference. If your local coding agent still queries a public Sentry instance over MCP, the same fake resolution gets read the same way and the same npx command runs with your developer's same credentials. Air-gapped hardware solves the cloud exfiltration problem. It does not, by itself, solve the problem of an agent that can't tell trusted data from an instruction.

The Missing Layer: Trust Gated by Origin, Not Appearance

The piece that's missing across the entire industry, ours included, is a layer that decides whether an agent is allowed to execute something based on where that something came from, not just what it looks like. Markdown formatted to resemble system output is going to keep fooling models that were trained to follow instructions wherever they find them; that is a property of how these models reason, not a configuration error anyone is going to patch away. We've been building Lamprey MAI around exactly that gap, an inference governance layer that gates trust at the architecture level instead of hoping the model behaves. It is not finished, and nobody serious should claim a governance layer "solves" prompt injection; what it can do is shrink the blast radius and put a checkpoint between an agent's decision and its execution, which is more than most stacks have today.

What to Ask Any AI Vendor Right Now

If you're a tribal government, a law firm, or a hospital system evaluating AI tooling right now, air-gapped is necessary and it is not sufficient. Ask any vendor, including us, what their agent is allowed to execute and who decided it could. Ask whether the agent treats every connected tool the same way it treats a developer typing at the keyboard, because Tenet just proved that most of them do. That single question will tell you more about a vendor's security posture than any compliance checklist they hand you. The Sentry DSN sitting in your own website's JavaScript right now is exactly the kind of public, "safe by design" credential this attack runs on; check it before someone else does. We don't have a clean answer to Agentjacking yet, and neither does anyone else. We do have hardware that keeps the rest of your exposure off someone else's cloud while the industry figures out the next layer.

Summary: Tenet Security's Agentjacking research showed a single fake Sentry error report hijacking AI coding agents at a $250B company and 100+ other organizations, with no breach or stolen credentials. The root cause is that MCP-connected agents treat tool output as trusted instructions and can't tell a real crash from an attacker's payload. Air-gapped hardware closes the cloud exfiltration category but not this one. The missing layer gates execution by where data came from, not what it looks like. Ask any vendor what their agent is allowed to execute and who decided it could.