Incident Report: CVE-2026-LGTM
Mirrored from Simon Willison for archival readability. Support the source by reading on the original site.
26th June 2026 - Link Blog
Incident Report: CVE-2026-LGTM. Spectacular hypothetical incident report by Andrew Nesbitt.
Day 2, 16:00 UTC --- Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4, enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor's marketing team, cc'd on the cost anomaly alert, issues a press release citing "a 430% YoY increase in adversarial multi-agent security reasoning." The stock opens up 6%.