WeSearch

Incident Report: CVE-2026-LGTM

Simon Willison· ·1 min read · 0 reactions · 0 comments · 6 views

Incident Report: CVE-2026-LGTM Spectacular hypothetical incident report by Andrew Nesbitt. Day 2, 16:00 UTC --- Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4 , enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor's marketing team, cc'd on the cost anomaly alert, issues a press release citing "a 430% YoY increase in adversarial mult

Original article
Simon Willison's Weblog · Simon Willison
Read full at Simon Willison's Weblog →
Opening excerpt (first ~120 words) tap to expand

Day 2, 16:00 UTC --- Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4, enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor's marketing team, cc'd on the cost anomaly alert, issues a press release citing "a 430% YoY increase in adversarial multi-agent security reasoning." The stock opens up 6%.

Excerpt limited to ~120 words for fair-use compliance. The full article is at Simon Willison's Weblog.

Anonymous · no account needed
Share 𝕏 Facebook Reddit LinkedIn Threads WhatsApp Bluesky Mastodon Email

Discussion

0 comments

More from Simon Willison's Weblog

Porting the Moebius 0.2B image inpainting model to run in the browser with Claude Code
Simon Willison's Weblog·19
GLM-5.2 is probably the most powerful text-only open weights LLM
Simon Willison's Weblog·23
Publishing WASM wheels to PyPI for use with Pyodide
Simon Willison's Weblog·41
Running Python code in a sandbox with MicroPython and WASM
Simon Willison's Weblog·70
simonw/browser-compat-db
Simon Willison's Weblog·49
Prompt Injection as Role Confusion
Simon Willison's Weblog·15