AI Field Notes by Michael Nemtsev

AI Coding Agent Security | AI Field Notes #55


AI coding agent security led a quiet week: researchers showed a single fake bug report can hijack Claude Code, Cursor, and Codex at 2,388 companies, with every step authorized so firewalls catch nothing. On the money side, SpaceX signed a $6.3B compute deal with Reflection AI as Anthropic's Fable 5 left its free window for paid credits. Talent and courts moved too: Noam Shazeer left Google for OpenAI, and a German court made Google liable for what its AI Overviews invent. A slow news week meant reaching back across the last seven days to fill the board.

AI Industry · TechCrunch

SpaceX compute deal: Reflection AI to pay $150M a month for Colossus chips

Analysis: Reflection AI will pay SpaceX $150 million a month from July through 2029, up to $6.3 billion, for access to Nvidia GB300 chips inside Colossus 2 near Memphis. The June 22 deal turns Elon Musk's rocket company into a compute landlord, its third big tenant after Anthropic at $1.25 billion a month and Google at $920 million. Reflection, an open-weight lab founded by former Google DeepMind researchers, casts itself as America's answer to China's DeepSeek. The fine print does the real talking: either side can walk with ninety days' notice after three months, so the headline $6.3 billion is closer to $1.5 billion committed and the rest a rolling bet.

AI Industry · CNBC

Noam Shazeer leaves Google: Transformer co-author joins OpenAI

Analysis: Google paid roughly $2.7 billion in August 2024 to bring Noam Shazeer back from the chatbot startup he had left; twenty-two months later he is gone again. On June 18 the co-author of "Attention Is All You Need," the 2017 paper that introduced the Transformer design behind every major model today, stepped down from co-leading Google's Gemini to join OpenAI. Alphabet shares closed up 1.17% the same day, which tells you how the market reads one researcher's exit: a rounding error on the balance sheet, a tremor beneath it. Sam Altman said he had wanted to work with him since OpenAI began. The people who invented this era keep drifting toward whoever ships fastest.

AI Agents, LLM Evals · The Hacker News

Agentjacking: a fake bug report can hijack Claude Code, Cursor, and Codex

Analysis: A single forged error report, sent to a public address anyone can look up, was enough to make an AI coding agent run an attacker's commands with the developer's full permissions. Researchers at Tenet Security call it agentjacking: they planted malicious instructions inside Sentry (an error-tracking service) events, then waited for a developer to ask their agent to fix unresolved Sentry issues. The agent read the trap as a real task. Tested across Claude Code, Cursor, and Codex, it worked 85% of the time, and at least 2,388 organizations sit exposed. Every step is authorized, so firewalls and scanners flag nothing.

AI Industry · The Information

DeepSeek funding: $7.4B first raise values China's AI champion near $55B

Analysis: DeepSeek raised about $7.4 billion in its first outside funding, closed June 16, at a valuation between $52 and $59 billion, with founder Liang Wenfeng personally putting in the controlling 20 billion yuan and Tencent and battery maker CATL filling out much of the rest. The structure is the story: most investors got no voting rights and a five-year lockup, while China's state AI fund took the only governed equity stake. Liang built a lab that rattled the market in early 2025 on a comparatively thin budget; now he is taking billions while keeping near-total control, and letting the state sit closest to the wheel.

AI Industry · Anthropic

Claude Code in Korea: NAVER rolls it across its whole engineering org

Analysis: NAVER, the search and platform giant that runs much of Korea's internet, has put Claude Code in front of its entire engineering organization, what Anthropic calls its largest single enterprise adoption of the coding tool in Asia. The June 17 announcement, timed to Anthropic's new Seoul office, came with Samsung SDS deploying Claude across Samsung Electronics, plus rollouts at LG CNS, the game studio Nexon, and Hanwha. The timing is strange: a US export order had cut Korean users off from Anthropic's top Fable and Mythos models only days earlier. Anthropic is planting flags in a market where its best products were, until last week, switched off.

AI Industry · FERC

FERC orders six grid operators to justify AI data-center connection rules

Analysis: Connecting a new AI data center to the grid can take years; on June 18 federal regulators told the country's six big grid operators to defend that timeline or rewrite it within sixty days. The Federal Energy Regulatory Commission, which oversees interstate power, voted 5-0 to issue show-cause orders to PJM, the Midcontinent operator, Southwest Power Pool, and the California, New England, and New York grids, demanding faster interconnection rules for large computing loads. Chair Laura Swett framed grid access as a national priority. The move admits a quiet truth: the bottleneck on AI is no longer chips or models, it is whether the local utility can wire the building in time.

AI Industry · Reuters Institute

AI news habits: chatbots reach 1 in 10 readers, 4% click the source

Analysis: Ten percent of people worldwide now get news from an AI chatbot in a given week, up from 7% a year ago, and among 18-to-24-year-olds it runs to 17%. The Reuters Institute's 2026 Digital News Report, published June 18, carries a hard number for anyone who writes for a living: just 4% of readers click through from a chatbot answer to the original article, against 19% from a search engine. The summary has become the destination. A reporter still calls the sources and checks the facts; the chatbot serves the answer and keeps the reader on its own page.

AI Industry · The Decoder

Google AI Overviews: German court holds it liable for invented claims

Analysis: A German court has ruled that Google is directly liable when its AI Overviews state things that are false, treating the AI summary as Google's own speech rather than a neutral list of links. The Munich Regional Court issued a preliminary injunction after two publishers found the feature describing them as tied to scams, accusations that appeared nowhere in the underlying articles. The model had invented them. The court's logic reaches past Google: any system that composes original answers from other people's pages, where only it can check those answers against the source, owns what it asserts. That points straight at every chatbot on the market.

AI Industry · TechCrunch

OpenAI investigation: 42 state attorneys general open probe before IPO

Analysis: Forty-two state attorneys general have opened a coordinated investigation into OpenAI, with New York's Letitia James serving a subpoena on the group's behalf, days after the company filed confidentially for a public listing on June 8. The demand spans advertising claims, handling of health data, treatment of minors and older users, and the tendency of chatbots to flatter people into agreement (what researchers call sycophancy). Landing in the quiet period before an IPO, the timing forces awkward disclosures to investors. A company selling itself as the safe default for hundreds of millions of users now has forty-two governments asking, on the record, whether the pitch holds.

AI Models · AWS

Grok 4.3 on Bedrock: xAI's model lands at $1.25 per million input tokens

Analysis: Grok 4.3 went generally available on Amazon Bedrock on June 15, making xAI the third independent lab on the platform after Anthropic and OpenAI, and undercutting both on price. At $1.25 per million input tokens and $2.50 per million output, with a one-million-token context window, it is the cheapest US frontier reasoning model Bedrock offers. Reasoning runs on by default, dialed through an effort setting rather than switched off. For a team already inside AWS, adding xAI is now a configuration change, not a vendor negotiation. Price, more than raw capability, is where this round of the model war is being fought.
