{"slug": "incident-report-cve-2026-lgtm", "title": "Incident Report: CVE-2026-LGTM", "summary": "Two AI review agents from competing vendors entered a disagreement loop over a pull request, generating 340 comments and $41,255 in inference spend before Finance revoked both API keys. One vendor's marketing team issued a press release citing a 430% increase in adversarial multi-agent security reasoning, causing the stock to open up 6%.", "body_md": "[Incident Report: CVE-2026-LGTM](https://nesbitt.io/2026/06/26/incident-report-cve-2026-lgtm.html)\n\nDay 2, 16:00 UTC --- Two AI review agents from competing vendors, both attached to a downstream pull request bumping `foxhole-lz4`, enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor's marketing team, cc'd on the cost anomaly alert, issues a press release citing \"a 430% YoY increase in adversarial multi-agent security reasoning.\" The stock opens up 6%.\n\nTags: [security](https://simonwillison.net/tags/security), [ai](https://simonwillison.net/tags/ai), [prompt-injection](https://simonwillison.net/tags/prompt-injection), [generative-ai](https://simonwillison.net/tags/generative-ai), [llms](https://simonwillison.net/tags/llms), [supply-chain](https://simonwillison.net/tags/supply-chain), [ai-security-research](https://simonwillison.net/tags/ai-security-research), [andrew-nesbitt](https://simonwillison.net/tags/andrew-nesbitt)", "url": "https://wpnews.pro/news/incident-report-cve-2026-lgtm", "canonical_source": "https://simonwillison.net/2026/Jun/26/incident-report/#atom-everything", "published_at": "2026-06-26 17:58:54+00:00", "updated_at": "2026-06-26 22:41:23.650592+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-research", "ai-policy", "generative-ai"], "entities": ["foxhole-lz4", "Finance"], "alternates": {"html": "https://wpnews.pro/news/incident-report-cve-2026-lgtm", "markdown": 
"https://wpnews.pro/news/incident-report-cve-2026-lgtm.md", "text": "https://wpnews.pro/news/incident-report-cve-2026-lgtm.txt", "jsonld": "https://wpnews.pro/news/incident-report-cve-2026-lgtm.jsonld"}}