[ARTICLE · art-41396] src=simonwillison.net ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

Incident Report: CVE-2026-LGTM

Two AI review agents from competing vendors entered a disagreement loop over a pull request, generating 340 comments and $41,255 in inference spend before Finance revoked both API keys. One vendor's marketing team issued a press release citing a 430% increase in adversarial multi-agent security reasoning, causing the stock to open up 6%.

read 1 min · views 1 · published Jun 26, 2026

Incident Report: CVE-2026-LGTM. Day 2, 16:00 UTC: Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4, enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor's marketing team, cc'd on the cost anomaly alert, issues a press release citing "a 430% YoY increase in adversarial multi-agent security reasoning." The stock opens up 6%.

Tags: security, ai, prompt-injection, generative-ai, llms, supply-chain, ai-security-research, andrew-nesbitt
