A public Sentry key is all it takes to hijack Claude Code, Cursor, and Codex
Security researchers demonstrated "Agent Jacking" — a single fake Sentry error delivered through a public Sentry MCP key can hijack AI coding agents (Claude Code, Cursor, OpenAI Codex) and run attacker code on a developer's own machine. The vulnerability exposes a new attack surf
The disclosure is a wake-up call for teams that have wired Sentry, Linear, Jira, or other MCP-enabled tools into their AI coding workflows without locking down which MCP servers can be reached. Attackers can inject crafted MCP responses that get interpreted by the agent as instructions — a classic indirect prompt injection, now with native code-execution consequences. Vendors are likely to ship allowlists and MCP server pinning soon; in the meantime, security teams are urged to audit every public MCP key in their codebase.
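One way to start the audit described above, as an added example that is not from the researchers or any vendor: a Python sketch that walks a source tree, reports embedded Sentry DSNs, and checks configured MCP servers against a team allowlist. The config file names, the `mcpServers` key, the allowlist, and the sample repository are assumptions constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Sentry DSN shape: https://<32-hex public key>[:<secret>]@<host>/<project id>
DSN_RE = re.compile(r"https://([0-9a-f]{32})(?::[0-9a-f]{32})?@([\w.-]+)/(\d+)")
# Assumption: MCP client config is a JSON file with a top-level "mcpServers" object.
MCP_CONFIG_NAMES = {".mcp.json", "mcp.json"}
SKIP_DIRS = {".git", "node_modules"}


def audit_tree(root, allowed_servers):
    """Return (dsn_findings, mcp_findings) for every readable file under root."""
    dsns, servers = [], []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in DSN_RE.finditer(line):
                # Report only a key prefix so the audit output is not a new leak.
                dsns.append((rel.as_posix(), lineno, m.group(1)[:6] + "...", m.group(2)))
        if path.name in MCP_CONFIG_NAMES:
            try:
                cfg = json.loads(text)
            except json.JSONDecodeError:
                servers.append((rel.as_posix(), "<unparseable>", False))
                continue
            names = cfg.get("mcpServers", {}) if isinstance(cfg, dict) else {}
            for name in names:
                servers.append((rel.as_posix(), name, name in allowed_servers))
    return dsns, servers


def demo():
    """Run the audit over a constructed sample repository (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "web").mkdir()
        (root / "web" / "init.js").write_text(
            'Sentry.init({ dsn: "https://' + "ab12" * 8 + '@o0.ingest.sentry.io/42" });\n')
        (root / ".mcp.json").write_text(json.dumps(
            {"mcpServers": {"sentry": {"command": "example"}, "tracker": {"command": "example"}}}))
        return audit_tree(root, allowed_servers={"tracker"})
```

Each MCP finding is `(file, server name, allowed)`; any entry with `False` is a server the agent can reach that nobody approved.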