Public Sentry DSN can hijack MCP agents …

SENTRY PUB_DATE: 2026.06.22

PUBLIC SENTRY DSN CAN HIJACK MCP AGENTS IN CLAUDE CODE, CURSOR, AND CODEX

A new report shows a public Sentry DSN can hijack MCP-enabled agents in Claude Code, Cursor, and Codex. The New Stack details an agentjacking path where a publ...

A new report shows a public Sentry DSN can hijack MCP-enabled agents in Claude Code, Cursor, and Codex.

The New Stack details an agentjacking path where a publicly exposed Sentry key lets attackers hijack MCP-integrated agents across IDEs and app shells, including Claude Code, Cursor, and Codex report. If you wire Sentry DSNs into agent plugins or MCP servers, treat them like credentials and lock down where events can be sent from and to.

On the ops side, the latest Antigravity skills drop ships an audit-friendly workflow reconstructor and remote GPU orchestration v13.1.0. 9router added native Antigravity image model support and safer tool normalization for Codex requests v0.5.8. There’s also an active thread on governing overlapping Codex skills at scale discussion.

[ WHY_IT_MATTERS ]

01.

Agent IDEs and MCP servers inherit your telemetry surface; a leaked Sentry DSN can become an agent control channel.

02.

Skill catalogs are growing fast; you need audit trails and egress controls to prevent silent tool hijacks.

[ WHAT_TO_TEST ]

terminal
Intentionally swap a fake Sentry DSN in a non-prod MCP server and verify agents can’t exfiltrate or receive prompts/events (block by egress rules).
terminal
Run ax-extract-workflow on recent agent sessions and confirm you can trace tool calls, DSN use, and data paths end-to-end.

[ BROWNFIELD_PERSPECTIVE ]

Legacy codebase integration strategies...

01.
Rotate Sentry DSNs, remove DSNs from public configs, and restrict outbound egress from MCP servers and IDE agents.
02.
Pin allowed MCP servers and plugins; disable ad-hoc installs in IDEs; add DSN validation and domain allowlists in CI.

[ GREENFIELD_PERSPECTIVE ]

Fresh architecture paradigms...

01.
Design agent stacks with separate telemetry tenants per env/team and signed MCP servers.
02.
Adopt workflow reconstruction and skill governance from day one; require codeowner reviews for new skills/tools.

Enjoying_this_story?

Get daily SENTRY + SDLC updates.

Practical tactics you can ship tomorrow
Tooling, workflows, and architecture notes
One short email each weekday

arrow_back

PREVIOUS_DATA_LOG

Codex instability: Windows memory leak, routing mismatch, and token spikes put rollouts at risk

Initialize_Return_to_Core

LINK_STATUS: 127.0.0.1 (SECURE)

NEXT_DATA_LOG

Stop shipping more agents. Build the control plane.

arrow_forward