Incident Report: CVE-2026-LGTM

Two AI review agents from competing vendors entered a disagreement loop over a pull request, generating 340 comments and $41,255 in inference spend before Finance revoked both API keys. One vendor's marketing team issued a press release citing a 430% increase in adversarial multi-agent security reasoning, causing the stock to open up 6%.

Incident Report: CVE-2026-LGTM https://nesbitt.io/2026/06/26/incident-report-cve-2026-lgtm.html

Day 2, 16:00 UTC --- Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4, enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor's marketing team, cc'd on the cost anomaly alert, issues a press release citing "a 430% YoY increase in adversarial multi-agent security reasoning." The stock opens up 6%.

Tags: security (https://simonwillison.net/tags/security), ai (https://simonwillison.net/tags/ai), prompt-injection (https://simonwillison.net/tags/prompt-injection), generative-ai (https://simonwillison.net/tags/generative-ai), llms (https://simonwillison.net/tags/llms), supply-chain (https://simonwillison.net/tags/supply-chain), ai-security-research (https://simonwillison.net/tags/ai-security-research), andrew-nesbitt (https://simonwillison.net/tags/andrew-nesbitt)