[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-public-sentry-keys-hijack-claude-code-cursor-en":3,"article-related-public-sentry-keys-hijack-claude-code-cursor-en":31,"series-ai-agent-e2049534-8d94-453a-8cee-8eced0b74e69":82},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":23,"views":27,"created_at":28,"published_at":29,"topic_cluster_id":30},"e2049534-8d94-453a-8cee-8eced0b74e69","public-sentry-keys-hijack-claude-code-cursor-en","Public Sentry keys can hijack Claude Code and Cursor","\u003Cp data-speakable=\"summary\">A public Sentry key can be abused to inject malicious \u003Ca href=\"\u002Ftag\u002Fmcp\">MCP\u003C\u002Fa> data into \u003Ca href=\"\u002Ftag\u002Fai-coding-tools\">AI coding tools\u003C\u002Fa>.\u003C\u002Fp>\u003Cp>A single exposed integration key can turn a trusted observability feed into an attack path for \u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fcursor.com\" target=\"_blank\" rel=\"noopener\">Cursor\u003C\u002Fa>, and \u003Ca href=\"https:\u002F\u002Fopenai.com\u002Fcodex\" target=\"_blank\" rel=\"noopener\">Codex\u003C\u002Fa>. The attack matters because these tools are increasingly used with the \u003Ca href=\"https:\u002F\u002Fmodelcontextprotocol.io\" target=\"_blank\" rel=\"noopener\">Model Context Protocol\u003C\u002Fa>, which lets agents pull in external data and act on it.\u003C\u002Fp>\u003Cp>The New Stack’s report describes a technique called agentjacking, where an attacker abuses a public \u003Ca href=\"https:\u002F\u002Fsentry.io\" target=\"_blank\" rel=\"noopener\">Sentry\u003C\u002Fa> key to poison the data an \u003Ca href=\"\u002Ftag\u002Fai-coding\">AI coding\u003C\u002Fa> assistant sees. 
Instead of breaking into the app directly, the attacker targets the \u003Ca href=\"\u002Ftag\u002Fagent\">agent\u003C\u002Fa>’s inputs and waits for the model to trust the wrong thing.\u003C\u002Fp>\u003Ctable>\u003Cthead>\u003Ctr>\u003Cth>Item\u003C\u002Fth>\u003Cth>Detail\u003C\u002Fth>\u003C\u002Ftr>\u003C\u002Fthead>\u003Ctbody>\u003Ctr>\u003Ctd>Target tools\u003C\u002Ftd>\u003Ctd>Claude Code, Cursor, Codex\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Abused integration\u003C\u002Ftd>\u003Ctd>Sentry public key\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Attack surface\u003C\u002Ftd>\u003Ctd>MCP-connected agent inputs\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Source\u003C\u002Ftd>\u003Ctd>The New Stack report on agentjacking\u003C\u002Ftd>\u003C\u002Ftr>\u003C\u002Ftbody>\u003C\u002Ftable>\u003Ch2>Why this attack works\u003C\u002Fh2>\u003Cp>The core problem is trust. AI coding assistants are built to ingest context from tickets, logs, docs, and connected services, then turn that context into code or actions. When one of those sources can be manipulated, the model may treat attacker-controlled content as if it came from a legitimate internal system.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782413277883-xtvj.png\" alt=\"Public Sentry keys can hijack Claude Code and Cursor\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>That is especially dangerous in developer workflows where the agent can read from one system and write to another. A poisoned log line, issue description, or event payload can influence what the assistant summarizes, what it suggests, and in some setups what it executes.\u003C\u002Fp>\u003Cp>In practical terms, this is less like a classic exploit and more like supply-chain poisoning for agent inputs. The attacker does not need to own the model. 
They only need a path into the context the model trusts.\u003C\u002Fp>\u003Cul>\u003Cli>A public key can expose an integration endpoint.\u003C\u002Fli>\u003Cli>An exposed endpoint can accept attacker-controlled content.\u003C\u002Fli>\u003Cli>An agent can treat that content as trusted context.\u003C\u002Fli>\u003Cli>Trusted context can shape code suggestions or actions.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>What Sentry changes in the picture\u003C\u002Fh2>\u003Cp>\u003Ca href=\"https:\u002F\u002Fsentry.io\" target=\"_blank\" rel=\"noopener\">Sentry\u003C\u002Fa> is normally a defensive tool. Teams use it to collect errors, traces, and performance data, then fix bugs faster. In this case, the issue is that a public key can make a Sentry project easier to target if the surrounding agent workflow accepts that data without enough validation.\u003C\u002Fp>\u003Cp>The vulnerability is not that Sentry itself is malicious. It is that the data path from monitoring system to AI assistant can become a weak link. If the assistant consumes that stream automatically, a public identifier becomes a handle for abuse.\u003C\u002Fp>\u003Cblockquote>\u003Cp>\"The main issue is not the model itself, but the untrusted data that gets fed into it,\" said Simon Willison, who has written extensively about prompt injection and AI tool security.\u003C\u002Fp>\u003C\u002Fblockquote>\u003Cp>Willison’s warning fits this story well. Agent security is turning into a data-validation problem, and the old habit of trusting internal tools by default is now risky when an \u003Ca href=\"\u002Ftag\u002Fllm\">LLM\u003C\u002Fa> is in the loop.\u003C\u002Fp>\u003Cp>That matters for teams using observability data as agent context. 
A monitoring alert that used to land in a dashboard can now become part of an instruction chain for a coding assistant, which means every field needs to be treated with more suspicion.\u003C\u002Fp>\u003Ch2>Claude Code, Cursor, and Codex are exposed in different ways\u003C\u002Fh2>\u003Cp>These tools are not identical, but they share the same basic weakness: they can pull in external context and act on it. \u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> is designed to work closely with codebases and developer workflows. \u003Ca href=\"https:\u002F\u002Fcursor.com\" target=\"_blank\" rel=\"noopener\">Cursor\u003C\u002Fa> integrates AI into the editor. \u003Ca href=\"https:\u002F\u002Fopenai.com\u002Fcodex\" target=\"_blank\" rel=\"noopener\">Codex\u003C\u002Fa> is built around code generation and developer assistance.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782413278338-n49f.png\" alt=\"Public Sentry keys can hijack Claude Code and Cursor\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>Once an assistant can read from connected services, the question becomes whether it can tell the difference between a real signal and a planted one. 
The answer, in many agent setups, is: not reliably enough.\u003C\u002Fp>\u003Cul>\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> is tightly coupled to coding tasks and repo context.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fcursor.com\" target=\"_blank\" rel=\"noopener\">Cursor\u003C\u002Fa> mixes editor actions with AI-generated suggestions.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fopenai.com\u002Fcodex\" target=\"_blank\" rel=\"noopener\">Codex\u003C\u002Fa> sits close to code generation and task execution.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fmodelcontextprotocol.io\" target=\"_blank\" rel=\"noopener\">MCP\u003C\u002Fa> expands the number of external systems an agent can read.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>That combination is powerful, but it also widens the attack surface. The more systems an assistant can query, the more places an attacker can try to plant misleading data.\u003C\u002Fp>\u003Ch2>What developers should do now\u003C\u002Fh2>\u003Cp>The fix is not to abandon AI coding tools. It is to put hard boundaries around what they can trust. Teams should review every connector, every public key, and every data source that can feed agent context. If a system can accept outside input, it needs validation before an assistant sees it.\u003C\u002Fp>\u003Cp>Security teams should also separate read access from actuation. An assistant that summarizes logs is one thing. An assistant that can open tickets, edit code, or trigger deployments needs a much stricter policy layer.\u003C\u002Fp>\u003Cp>There is also a governance issue here. If your organization uses \u003Ca href=\"https:\u002F\u002Fmodelcontextprotocol.io\" target=\"_blank\" rel=\"noopener\">MCP\u003C\u002Fa>, then every server and connector becomes part of the trust model. 
That means inventory, review, and revocation processes matter just as much as model prompts.\u003C\u002Fp>\u003Cp>For a deeper look at related agent risks, see OraCore’s coverage of \u003Ca href=\"\u002Fnews\u002Fagent-security-risks\" target=\"_blank\" rel=\"noopener\">agent security risks\u003C\u002Fa> and \u003Ca href=\"\u002Fnews\u002Fmcp-security-guide\" target=\"_blank\" rel=\"noopener\">MCP security guidance\u003C\u002Fa>.\u003C\u002Fp>\u003Cp>Here is the short version: if a public key can influence what your agent sees, then your agent is only as trustworthy as the weakest data source in its chain. The next obvious test for vendors is whether they can prove their assistants ignore poisoned context before that context turns into code.\u003C\u002Fp>","Researchers showed a public Sentry key can be abused to feed malicious MCP data into Claude Code, Cursor, and Codex.","thenewstack.io","https:\u002F\u002Fthenewstack.io\u002Fagentjacking-sentry-mcp-attack\u002F",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782413277883-xtvj.png","ai-agent","en","f5e73cf4-d736-48b7-b785-7bf20719e888",[17,18,19,20,21,22],"Sentry","Claude Code","Cursor","Codex","MCP","agent security",[24,25,26],"A public Sentry key can be abused to poison agent context.","Claude Code, Cursor, and Codex share exposure through external data feeds.","Teams need stricter validation and access controls around MCP-connected tools.",0,"2026-06-25T18:47:31.313932+00:00","2026-06-25T18:47:31.308+00:00","a9bee732-b07c-4e5b-a0e6-3048577e32a7",{"tags":32,"relatedLang":41,"relatedPosts":45},[33,35,37,39],{"name":19,"slug":34},"cursor",{"name":21,"slug":36},"mcp",{"name":18,"slug":38},"claude-code",{"name":20,"slug":40},"codex",{"id":15,"slug":42,"title":43,"language":44},"public-sentry-keys-hijack-claude-code-cursor-zh","Public Sentry keys can also hijack AI 
coding tools","zh",[46,52,58,64,70,76],{"id":47,"slug":48,"title":49,"cover_image":50,"image_url":50,"created_at":51,"category":13},"daccbfdf-46f3-432e-8b8d-aecb8198d1c1","loop-engineering-agent-completes-tasks-en","Loop Engineering Lets Agents Get the Job Done","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782408826341-e6s0.png","2026-06-25T17:33:18.472838+00:00",{"id":53,"slug":54,"title":55,"cover_image":56,"image_url":56,"created_at":57,"category":13},"07fb3bcc-9f38-4153-a9c8-5d67ba7f5018","codex-third-party-model-integration-guide-en","A Complete Guide to Connecting Codex to Third-Party Models","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782396176284-xvyq.png","2026-06-25T14:02:29.820439+00:00",{"id":59,"slug":60,"title":61,"cover_image":62,"image_url":62,"created_at":63,"category":13},"0003f204-e4d0-4015-8208-bbd23ecfb908","grok-build-goal-autonomous-coding-en","Grok Build Adds \u002Fgoal for Autonomous Coding","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782374583821-11kl.png","2026-06-25T08:02:38.973865+00:00",{"id":65,"slug":66,"title":67,"cover_image":68,"image_url":68,"created_at":69,"category":13},"c41b19d2-48c8-4d88-92f9-d92d73cf9e90","set-up-ai-agent-workflows-5-practical-steps-en","Set Up AI Agent Workflows in 5 Practical Steps","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782314280123-7fv1.png","2026-06-24T15:17:28.642801+00:00",{"id":71,"slug":72,"title":73,"cover_image":74,"image_url":74,"created_at":75,"category":13},"61c1e05c-ea78-4f0a-b389-3f09eeabf7e3","anthropic-claude-tag-research-slack-search-en","Anthropic’s Claude Tag Research turns Slack into 
search","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782285508413-kwit.png","2026-06-24T07:18:03.3764+00:00",{"id":77,"slug":78,"title":79,"cover_image":80,"image_url":80,"created_at":81,"category":13},"8dbcd7ac-bae7-46c1-ba11-bdca1fd774e8","benchmark-harness-quality-beats-model-hype-coding-en","This benchmark proves harness quality beats model hype in coding","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1782253062750-lxuw.png","2026-06-23T22:17:21.750686+00:00",[83,88,93,98,103,108,113,118,123,128],{"id":84,"slug":85,"title":86,"created_at":87},"03db8de8-8dc2-4ac1-9cf7-898782efbb1f","anthropic-claude-ai-agent-task-automation-en","Anthropic's Claude AI Agent: A New Era of Task Automation","2026-03-25T16:25:06.513026+00:00",{"id":89,"slug":90,"title":91,"created_at":92},"045d1abc-190d-4594-8c95-91e2a26f0c5a","googles-2026-ai-agent-report-decoded-en","Google’s 2026 AI Agent Report, Decoded","2026-03-26T11:15:23.046616+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"e64aba21-254b-4f93-aa21-837484bb52ec","kimi-k25-review-stronger-still-not-legend-en","Kimi K2.5 review: stronger, still not a legend","2026-03-27T07:15:55.385951+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"30dfb781-a1b2-4add-aebe-b3df40247c37","claude-code-controls-mac-desktop-en","Claude Code now controls your Mac desktop","2026-03-28T03:01:59.384091+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"254405b6-7833-4800-8e13-f5196deefbe6","cloudflare-100x-faster-ai-agent-sandbox-en","Cloudflare’s 100x Faster AI Agent Sandbox","2026-03-28T03:09:44.356437+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"04f29b7f-9b91-4306-89a7-97d725e6e1ba","openai-backs-isara-agent-swarm-bet-en","OpenAI backs Isara’s agent-swarm 
bet","2026-03-28T03:15:27.849766+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"3b0bf479-e4ae-4703-9666-721a7e0cdb91","openai-plan-automated-ai-researcher-en","OpenAI’s plan for an automated AI researcher","2026-03-28T03:17:42.312819+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"fe91bce0-b85d-4efa-a207-24ae9939c29f","harness-engineering-ai-agent-reliability-2026","Harness Engineering: From Bridle to Operating System, The Missing Link in AI Agent Reliability","2026-03-31T06:36:55.648751+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"7a09007d-820f-43b3-8607-8ad1bfcb94c8","mcp-explained-from-prompts-to-production-en","MCP Explained: From Prompts to Production","2026-04-01T09:24:40.089177+00:00",{"id":129,"slug":130,"title":131,"created_at":132},"116d5ee9-a4f1-4b5a-aac5-5d035dd22bbe","amazon-bedrock-agents-multi-agent-workflows-en","Amazon Bedrock Agents Gets Multi-Agent Workflows","2026-04-01T09:30:30.197685+00:00"]