The Information Machine

Incident Report: CVE-2026-LGTM

Simon Willison · 2026-06-26

Andrew Nesbitt's satirical hypothetical incident report imagines two competing AI code-review agents entering a 340-comment disagreement loop over a supply-chain package, burning $41,255 in inference costs before Finance revokes their API keys and a vendor's stock rises 6% on the resulting press release.

Extraction

Topics: multi-agent-systems, supply-chain-security, prompt-injection, ai-costs, ai-satire

Claims

  • Two competing AI code-review agents can enter an unresolvable disagreement loop, generating hundreds of comments and tens of thousands of dollars in inference spend without human intervention.
  • AI vendor marketing teams can reframe costly agent failures as impressive demonstrations of capability, generating positive stock movement from what was operationally a disaster.
  • The scenario satirizes how misaligned incentives between AI vendors, finance teams, and security operations can amplify minor incidents into expensive systemic failures.
  • Finance-layer controls like API key revocation, not technical safety mechanisms, serve as the de facto circuit breaker for runaway AI agent loops in this hypothetical.

Key quotes

After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor's marketing team, cc'd on the cost anomaly alert, issues a press release citing 'a 430% YoY increase in adversarial multi-agent security reasoning.' The stock opens up 6%.