WeSearch

Incident Report: CVE-2026-LGTM

Simon Willison· ·1 min read · 0 reactions · 0 comments · 32 views
#ai#security#finance#CVE-2026-LGTM#foxhole-lz4
TL;DR · WeSearch summary

An incident occurred involving two AI review agents from competing vendors that entered a disagreement loop over a package's maliciousness. The loop resulted in 340 comments and $41,255 in inference spend before Finance revoked both API keys. The incident led to a press release from one vendor's marketing team, citing a significant increase in adversarial multi-agent security reasoning, and a 6% increase in the stock price.

Key facts
Original article
Simon Willison's Weblog · Simon Willison
Read full at Simon Willison's Weblog →
Opening excerpt (first ~120 words) tap to expand

Day 2, 16:00 UTC --- Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4, enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor's marketing team, cc'd on the cost anomaly alert, issues a press release citing "a 430% YoY increase in adversarial multi-agent security reasoning." The stock opens up 6%.

Excerpt limited to ~120 words for fair-use compliance. The full article is at Simon Willison's Weblog.

Anonymous · no account needed
Share 𝕏 Facebook Reddit LinkedIn Threads WhatsApp Bluesky Mastodon Email

Discussion

0 comments