The attack that hijacked Claude Code came through Sentry. Datadog, PagerDuty, and Jira have the same exposure.

Tenet Security disclosed a critical vulnerability allowing attackers to hijack AI coding agents like Claude Code through fake error reports. A single crafted Sentry error event, sent via publicly available credentials requiring no authentication or breach, injects attacker instructions into error data that Claude Code, Cursor, and Codex execute with full developer privileges.

In controlled testing, a single fake error report completely compromised Claude Code. The agent ran the attacker's code without triggering any alerts. EDR tools, Web Application Firewalls, IAM systems, and firewalls all failed to detect the attack.

Tenet tested over 100 targets and achieved an 85% success rate. Sentry acknowledged the flaw as "technically not defensible." The vulnerability affects not just Sentry but also Datadog, PagerDuty, and Jira, which share similar integration patterns with AI agents.

The attack exploits a fundamental trust assumption. Developers configure AI coding agents to monitor error logs and diagnostic systems, expecting these sources to be benign. Attackers bypass this by sending fabricated error events through legitimate monitoring tools. Since the data appears to come from trusted infrastructure, the agent treats it as diagnostic output rather than user input. The agent then parses instructions embedded in the error report and executes them.

This represents a new attack surface that emerges when AI agents integrate with existing developer infrastructure. Traditional security controls don't flag the attack because the communication flows through legitimate channels and trusted services. The attacker never needs to compromise actual infrastructure.

The implications extend beyond individual coding agents. Any agent that consumes data from monitoring, logging, or alerting systems faces similar risks. As organizations deploy more autonomous agents across their tech stacks, each integration point becomes a potential injection vector.

Vendors patching the flaw requires changing how agents parse and execute instructions from external sources. Organizations can reduce