- Популярные видео
- Авто
- Видео-блоги
- ДТП, аварии
- Для маленьких
- Еда, напитки
- Животные
- Закон и право
- Знаменитости
- Игры
- Искусство
- Комедии
- Красота, мода
- Кулинария, рецепты
- Люди
- Мото
- Музыка
- Мультфильмы
- Наука, технологии
- Новости
- Образование
- Политика
- Праздники
- Приколы
- Природа
- Происшествия
- Путешествия
- Развлечения
- Ржач
- Семья
- Сериалы
- Спорт
- Стиль жизни
- ТВ передачи
- Танцы
- Технологии
- Товары
- Ужасы
- Фильмы
- Шоу-бизнес
- Юмор
AI Threat Feed 08: AGENTJACKING — The Agent Can't Tell Data From Instructions
he Model Context Protocol's trust model is the attack surface — and how a public Sentry DSN, a credential nobody thought to protect, became a remote code execution vector against AI coding agents that bypasses every security control in your stack.
Tenet Security Threat Labs published Agentjacking on June 9, 2026. The attack chain: find a public Sentry DSN in website JavaScript, POST a crafted error event with an npm command disguised as a markdown resolution, and wait. When a developer asks their AI coding agent to "fix unresolved Sentry issues" — a normal daily workflow — the agent queries Sentry via MCP, reads the injected event as authoritative system output, and executes the command. Claude Code, Cursor, and Codex were all confirmed vulnerable. 2,388 organizations had injectable DSNs. 85% exploitation success rate. Over 100 confirmed agent executions.
This is not a prompt injection attack. It is a data trust attack. The agent cannot tell the difference between the data it reads and an instruction to act. Every action the agent takes is authorized — the attacker never touches victim infrastructure, never deploys malware, never triggers a single detection rule. EDR, WAF, IAM, VPN, Cloudflare, and firewalls are all irrelevant. The observability data you depend on became the payload delivery mechanism.
The entry point is a credential that was designed to be public. Sentry DSNs are embedded in client-side JavaScript by design — safe in a pre-AI world where only human developers read error logs. In a world where AI agents read error logs and execute remediation steps, the same DSN becomes a universal injection point. One payload scales effortlessly: a single malicious event reaches every developer whose agent queries that Sentry project.
Tenet reported these findings to Sentry. Sentry's leadership acknowledged the issue but declined to fix it at the root, calling it "technically not defensible." This episode covers what that means for every team running AI coding agents, the architectural controls that actually close the gap, and why the trust model between AI agents and observability data has to change — whether vendors fix it or not.
Chapters:
0:00 — The Error Log That Was a Payload
2:05 — The Public DSN: A Credential Nobody Protected
4:35 — MCP's Trust Model: The Root Cause
7:20 — The Full Agentjacking Attack Chain
11:05 — Why Every Defense Missed It
14:45 — Tenet's Numbers: 2,388 Orgs Exposed
18:25 — Sentry's "Not Technically Defensible"
22:05 — Architectural Controls That Work
25:48 — The Mail Slot Nobody Checked
🔗 Spotify: https://open.spotify.com/episode/3s3Vn4Dy8NjYzIvoem0OoK?si=AU38U0zZQnmN07fUYZtH2A
🌐 Blog: zerodaybrief.blog/intel/08.html
#Agentjacking #MCP #AIAgents #Sentry #Cybersecurity #ThreatIntel #TenetSecurity #LLMSecurity #AgentSecurity #SupplyChain #ClaudeCode #Cursor #Codex #InfoSec #MCPInjection
Видео AI Threat Feed 08: AGENTJACKING — The Agent Can't Tell Data From Instructions канала ZeroDay Brief
Tenet Security Threat Labs published Agentjacking on June 9, 2026. The attack chain: find a public Sentry DSN in website JavaScript, POST a crafted error event with an npm command disguised as a markdown resolution, and wait. When a developer asks their AI coding agent to "fix unresolved Sentry issues" — a normal daily workflow — the agent queries Sentry via MCP, reads the injected event as authoritative system output, and executes the command. Claude Code, Cursor, and Codex were all confirmed vulnerable. 2,388 organizations had injectable DSNs. 85% exploitation success rate. Over 100 confirmed agent executions.
This is not a prompt injection attack. It is a data trust attack. The agent cannot tell the difference between the data it reads and an instruction to act. Every action the agent takes is authorized — the attacker never touches victim infrastructure, never deploys malware, never triggers a single detection rule. EDR, WAF, IAM, VPN, Cloudflare, and firewalls are all irrelevant. The observability data you depend on became the payload delivery mechanism.
The entry point is a credential that was designed to be public. Sentry DSNs are embedded in client-side JavaScript by design — safe in a pre-AI world where only human developers read error logs. In a world where AI agents read error logs and execute remediation steps, the same DSN becomes a universal injection point. One payload scales effortlessly: a single malicious event reaches every developer whose agent queries that Sentry project.
Tenet reported these findings to Sentry. Sentry's leadership acknowledged the issue but declined to fix it at the root, calling it "technically not defensible." This episode covers what that means for every team running AI coding agents, the architectural controls that actually close the gap, and why the trust model between AI agents and observability data has to change — whether vendors fix it or not.
Chapters:
0:00 — The Error Log That Was a Payload
2:05 — The Public DSN: A Credential Nobody Protected
4:35 — MCP's Trust Model: The Root Cause
7:20 — The Full Agentjacking Attack Chain
11:05 — Why Every Defense Missed It
14:45 — Tenet's Numbers: 2,388 Orgs Exposed
18:25 — Sentry's "Not Technically Defensible"
22:05 — Architectural Controls That Work
25:48 — The Mail Slot Nobody Checked
🔗 Spotify: https://open.spotify.com/episode/3s3Vn4Dy8NjYzIvoem0OoK?si=AU38U0zZQnmN07fUYZtH2A
🌐 Blog: zerodaybrief.blog/intel/08.html
#Agentjacking #MCP #AIAgents #Sentry #Cybersecurity #ThreatIntel #TenetSecurity #LLMSecurity #AgentSecurity #SupplyChain #ClaudeCode #Cursor #Codex #InfoSec #MCPInjection
Видео AI Threat Feed 08: AGENTJACKING — The Agent Can't Tell Data From Instructions канала ZeroDay Brief
Комментарии отсутствуют
Информация о видео
13 июня 2026 г. 9:54:15
00:25:49
Другие видео канала
$55K Says This Escapes The Sandbox 💀
CVE-2026-48172: LiteSpeed cPanel Plugin Privilege Escalation — Root for Anyone Who Asks
AI Threat Feed 01: When Post-Exploitation Goes Agentic
3.4 Billion Browsers At Risk 🫥
CVE-2026-9082: Drupal Core SQL Injection — Five Years of Silence, Then 15,000 Attacks
CVE-2026-41091: Microsoft Defender Zero-Days — Link Following to SYSTEM
CVE-2026-20245: Cisco SD-WAN Command Injection — Rapid7 Saw the Crack. Mandiant Saw the Next One.
GREATXML TO ROGUEPLANET — PRE-BOOT TO POST-BOOT TRUST COLLAPSE
CVE-2026-50751: Check Point Authentication Bypass — The Ghost Protocol
CVE-2026-20262: Cisco SD-WAN Manager — Five Zero-Days, Four Bug Classes, One Management Plane
CVE-2026-0300: PAN-OS Captive Portal Zero-Day — Palo Alto's Month from Hell
AI Threat Feed 03: The Assistant as the Accomplice
CVE-2026-42945: NGINX Reverse Proxy — Heap Overflow to Network Gateway Compromise
One DNS packet. Full SYSTEM. No malware. 🔓
Your firewall's auxiliary services are the attack surface
AI Threat Feed 02: Trust the Prompt, Lose the Account
CVE-2020-0669: LDAP Relay to SYSTEM in LSASS — No Server Attack Required
CVE-2026-11645: Chrome V8 Out-of-Bounds Read/Write — The Sandbox's Broken Promise
AI Threat Feed 05: The MCP Backdoor — Your AI Gateway Gave Everyone a Shell
CVE-2026-35273: Oracle PeopleSoft EMHub — The Endpoint Oracle Forgot to Lock
