The attack that hijacked Claude Code came through Sentry. Datadog, PagerDuty, and Jira have the same exposure.

Tenet Security says a crafted Sentry error event can inject attacker instructions into diagnostic data that Claude Code, Cursor, and Codex may treat as trusted input. In controlled tests across 100-plus targets, the agentjacking technique succeeded 85% of the time, while common defenses such as EDR, WAF, IAM, and firewalls did not flag it.

The finding highlights a new security gap where trusted observability and workflow tools become attack paths once connected to agents that can run commands. As AI coding agents gain deeper access to developer environments, organizations will need controls that limit what agents can execute from external data, not just protect credentials or perimeters.