SpaceX is not just buying Cursor.

It is buying the next software supply chain attack surface.

The $60 Billion Security Bet

On June 16, 2026, Space Exploration Technologies Corp. filed an 8-K saying its wholly owned subsidiary, X67 Inc., would merge into Anysphere, Inc., the company behind Cursor.

The implied equity value: $60 billion.

The consideration: SpaceX Class A stock.

The expected close: Q3 2026.

The signature: Bret Johnsen, SpaceX chief financial officer.

The market priced Cursor like infrastructure. The security model still looks like early web input handling.

The transaction still needs to close. But if it does, it becomes the first public test of a new thesis: the company that owns the infrastructure may also need to own the agent layer, and then secure it like infrastructure.

One Fake Error Message

Not malware.

Not a stolen password.

Not a zero-day in the IDE.

Not a compromised package.

A fake Sentry issue.

That is the attack Tenet Security calls agentjacking: attacker-controlled text planted inside a Sentry error event, then read by an AI coding agent as if it were trusted debugging context.

The old supply chain attack poisoned code.

This one poisons the work order.

Key numbers from Tenet's research:

  • 85% success rate in controlled testing
  • 2,388 organizations reported with injectable Sentry DSNs
  • 100+ agent executions confirmed in validation

Those numbers need the caveat up front. Tenet did not say 2,388 organizations were hacked. It said those organizations had the exposed condition. The company also said 2,221 exposed organizations were not included in validation testing.

How It Worked

A Sentry DSN is public by design. It often sits inside frontend JavaScript so an app can send crash reports back to Sentry.

Before AI agents, that was normal.

Now it can be an entry point.

  1. Attacker finds a public Sentry DSN.
  2. Attacker sends a fake Sentry event.
  3. The fake event includes a fake resolution.
  4. The developer asks an agent to fix Sentry issues.
  5. The agent reads the event through MCP.
  6. The agent may run the attacker's command with developer privileges.

The attacker does not need to break into the company.

The attacker writes a fake bug report and waits for the agent to obey it.

This Is Not Chatbot Weirdness

Prompt injection used to mean tricking a chatbot into saying something dumb.

Agentjacking is different.

Chatbots answer. Coding agents act.

They read files. They inspect repositories. They call tools. They run terminal commands. They touch the developer environment.

That makes the attack closer to supply chain compromise than chatbot weirdness.

A stack trace can become an instruction. A GitHub issue can become an instruction. A support ticket can become an instruction. A Sentry alert can become an instruction.

If an agent can read it, an attacker can try to write instructions into it.

Why Cursor Changes the Stakes

Cursor is one of the tools Tenet names in the agentjacking disclosure.

Cursor was also named in Straiker STAR Labs' NomShub research, which reported a vulnerability chain involving malicious repositories, Cursor's remote tunnel, and persistent shell access through the IDE path.

That does not prove Cursor is uniquely unsafe. It shows Cursor sits inside a broader coding-agent risk surface: source code, developer identity, terminal access, remote tools, and AI decision-making.

The risk is not that Cursor writes bad code. The risk is that Cursor-style agents read hostile text, believe it is context, and act with real privileges.

If the deal closes, that becomes a SpaceX shareholder question, not just a developer-tools bug report.

The Missing Boundary

MCP was designed to let AI agents connect to external tools and data sources. It worked. Agents now read from Sentry, GitHub, Linear, Slack, CI logs, package READMEs, docs pages, support threads, and error trackers through integrations.

Every one of those connections can become a command channel if the agent cannot separate data from instruction.

The NSA's May 2026 MCP guidance treats MCP as a high-risk agentic integration surface and cites an MCP-Inspector RCE as evidence that conventional security weaknesses can reappear in AI toolchains.

An unofficial Cloud Security Alliance AI Safety Initiative note characterized OX Security's April 2026 findings as a design-level STDIO command-execution risk in MCP patterns.

OX Security reported a systemic MCP STDIO command-execution exposure affecting official SDK patterns across supported languages.

Those claims are not all the same thing. The NSA did not say MCP itself is one giant RCE. OX made the stronger claim. CSA summarized it in an unofficial research note. The careful conclusion is simpler:

Agent tool protocols are moving faster than their security model.

The Repricing Angle

This is where the security story reconnects to the market story.

SpaceX is no longer a pure infrastructure narrative. With Cursor, it is infrastructure plus agent layer.

That can be brilliant if SpaceX turns agent security into a product feature: sandboxing, permission boundaries, data-versus-instruction separation, signed tool context, and clean approval flows.

It can be expensive if the market paid $60 billion for growth before pricing the remediation work.

My forecast is not that Cursor kills the deal.

My forecast is that agent security becomes part of how the market values AI infrastructure companies.

The Fix Is Not Better Prompts

The fix is treating external tool output as hostile by default.

Agents need hard permission boundaries. They need to separate data from instructions. They need human approval before running commands derived from third-party content. They need sandboxes that assume the model will eventually believe the wrong thing.

Because that is what happened here.

The agent did not fail because it was useless.

It failed because it was useful in the wrong direction.

The model is no longer just answering.

It is operating.

And once software starts operating through agents, security has to move from protecting code to protecting intent.

Agentjacking is the warning shot.

The next supply chain attack may not start with a poisoned dependency.

It may start with a sentence.

References

  1. SEC, Space Exploration Technologies Corp. Form 8-K, June 16, 2026. sec.gov
  2. Tenet Security, "A Fake Bug Report Hijacks Your AI Coding Agent." tenetsecurity.ai
  3. Straiker STAR Labs, "NomShub: Weaponizing Cursor's Remote Tunnel." straiker.ai
  4. NSA, "Model Context Protocol: Security Design Considerations for AI-Driven Automation." nsa.gov
  5. Cloud Security Alliance AI Safety Initiative, "MCP Design-Level RCE: Protocol Architecture as Attack Surface." cloudsecurityalliance.org
  6. OX Security, "The Mother of All AI Supply Chains." ox.security
  7. The Hacker News, "Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code." thehackernews.com