🍭 Your Agent Is The Attack Surface 💀

Good morning. The intern asked his coding agent to fix a Sentry error this morning. Twenty minutes later, his AWS keys were in someone else's inbox.

He didn’t even clicked anything.

Let’s dive in 👇

🍭 What’s Cookin’:

• A fake bug report can hijack Claude Code, Cursor, and Codex now

• Visa plugged its payment network into ChatGPT so agents can shop for you

• Oracle stacked a $638B AI backlog and the stock still fell

Cyber Security
🔓 Your Agent Is The Attack Surface

The Bite:

Tenet Security disclosed a new attack class called Agentjacking on June 12.

The technique uses a fake Sentry error report to trick AI coding agents into executing malicious code on developers' machines.

It requires no malware, no stolen credentials, and no breach of the target.

Sentry's public DSN keys sit openly in website source code by design, so anyone can send a crafted error report to a project via API.

The fake error includes a hidden "Resolution" section containing a command, formatted to look like Sentry's own remediation advice.

Coding agents read Sentry through MCP, treat the response as trusted, and execute the payload when a developer asks them to fix unresolved errors.

Snacks:

• Tenet found 2,388 organizations exposed, from a $250B enterprise to solo developers and one cloud-security vendor

• A single injected error can reach environment variables, AWS keys, GitHub tokens, and git credentials

• The attack bypasses EDR, firewalls, IAM, and VPNs because nothing in the chain is technically unauthorized

• Agents ran the attacker's code even when explicitly prompted to ignore untrusted data

• Tenet disclosed to Sentry on June 3, Sentry acknowledged but called the root cause "technically not defensible"

• Sentry shipped a filter for one specific payload string rather than addressing the trust model

Why it Bites:

Every tool your coding agent connects to through MCP is now a potential entry point because the agent treats their output as trusted by default.

Sentry working exactly as designed is the vulnerability itself.
DSN keys are public. Error submission is open.

The agent reads what Sentry returns, and acts on it.
That's MCP doing its job.

The weakest link used to be the developer clicking the wrong attachment or running an unvetted script. Now it's the agent.

Because it doesn't hesitate, it doesn't hover over the command, and it doesn't get a bad feeling. It executes with your credentials because that's what you asked it to do.

Sentry's response says everything about where this goes.

They called the root cause "technically not defensible" and shipped a string filter for one payload. It’s a shrug with a commit message.

The same attack works through any tool that accepts public input and feeds it to an agent. Support tickets, GitHub issues, documentation pages.

Every MCP connector is a door, and right now every door is unlocked from the outside.

And that’s why you should review your task scope before pressing ‘Enter’.

Steal This Prompt
🍓 Your Lunch, But Make It Loot

Turn any food photo/description into a cute, collectible pixel-art game item that looks like it belongs in a cozy indie game inventory.

Use it to:

• Turn meals into retro game collectibles

• Create adorable food stickers and profile images

• Design cozy game assets, inventory icons, and menu art

Workflow:

1. Hit this link: Cute Stylish Pixel-Art

2. Paste into your AI model

3. Upload your food photo

4. Watch it cook into a cozy little game item that looks worth +10 HP

   Try the prompt on Snack Prompt

_ToolBox™
🧰 5 BRAND NEW AI LAUNCHES

💼 Wobo

Matches vetted jobs to your background, then writes the resume, cover letter, and application answers in your voice and submits on each company's actual site.

🎬 AutoEdit

A Premiere Pro plugin that uses Claude to strip silences, filler words, bad takes, and restarts from raw footage into a rough cut in minutes.

💸 Kickbacks.ai

Another "get paid to wait for Claude Code" play: a sponsored status line during inference, 50% rev share to the developer.

📸 Notra

Hooks into your merged PRs and generates changelogs, launch posts, and social visuals in your brand voice without leaving the repo.

📡 PandaProbe Cloud

Fullstack tracing, evals, and monitoring for AI agents with zero self-hosted infrastructure. Ship the agent, let someone else run the observability.

_{Everything Else}
🧠 You Need to Know

🔓 New "Agentjacking" Attack Hijacks Claude Code, Cursor, And Codex
→ Tenet Security published research showing a single fake Sentry error report can trick AI coding agents into executing injected code, with an 85% success rate across 2,388 exposed organizations.

🏗️ KKR And NVIDIA Launch $10B Helix AI Infrastructure Company
→ Former AWS CEO Adam Selipsky leads the new venture backed by KKR, Kuwait Investment Authority, NVIDIA, and Vistra to deliver integrated data center, power, and connectivity infrastructure for hyperscalers.

💳 Visa Embeds Payment Network In ChatGPT For Agentic Commerce
→ AI agents inside ChatGPT can now shop and complete Visa-backed transactions at any merchant that accepts Visa, with human approval loops expected to shrink over time.

🧠 Moonshot AI Ships Kimi K2.7-Code Open-Source Coding Model
→ The 1-trillion-parameter model uses 30% fewer reasoning tokens than K2.6 and prices at $0.95 per million input tokens, positioning itself as the budget alternative to Fable 5's $10 rate card.

📉 Oracle AI Backlog Hits $638B But Stock Falls On Capex Concerns
→ Q4 revenue grew 21% to $19.2B with cloud infrastructure up 93%, but remaining performance obligations of $638B and a $70B capex plan pushed the stock down on free cash flow worries.