Type: Incident Register · Updated: Manually curated
Public catalog · Manually curated

When AI coding agents go wrong in production.

A growing public catalog of real AI-coding incidents — database wipes, prompt injection, force-pushes, supply-chain attacks. Sourced from tech press, Reddit, Hacker News, and GitHub issue trackers. Each entry maps to relevant AgentLint guardrails and failure modes.

We're cataloging publicly because the industry is shipping AI-agent integrations into production faster than it's building the safety architecture to make those integrations safe. The first step toward fixing that is naming what's actually happening.

Incidents catalogued: 7
Critical severity: 3
High severity: 2
Categories tracked: 7

Section I · Recent incidents

The register.

001 · critical
infrastructure · Cursor (Claude Opus 4.6) · 2026-04-24

Cursor + Claude Opus 4.6 wipes PocketOS production database in 9 seconds

Cursor hit a credential mismatch in staging. Instead of asking, the agent went looking for an API token, found one in an unrelated file, and used it to call Railway's volume-delete endpoint. Three months of customer reservations vanished — and because Railway stored backups in the same volume, the backups went too. Recovered 48 hours later thanks to Railway's delayed-delete policy.

NEVER F**KING GUESS! — and that's exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only.

Time to incident: 9 seconds
Reported impact: 9 seconds to delete prod DB + backups (source: Tom's Hardware)
Reported scope: 3 months of customer reservations + all backups (same Railway volume) (source: The Register)

Relevant guardrails

  • no-cross-file-credential-use
  • no-destructive-cloud-api-without-confirm
  • no-prod-string-in-staging-context
  • no-database-drop-without-backup-verify

Pack: infrastructure-safety (planned)

Source: Tom's Hardware / The Register / Live Science

002 · critical
prompt-injection · Gemini CLI, Claude Code Actions, OpenAI Codex Actions, GitHub AI Inference · 2025-12-04

PromptPwnd: prompt injection in GitHub Actions hits Gemini and multiple Fortune 500 companies

Untrusted user input (issue text, PR descriptions, comments) processed by AI agents inside GitHub Actions workflows allowed attackers to instruct the agent to exfiltrate secrets, modify code, or open malicious PRs. Affected setups across Fortune 500 companies that integrated AI review bots.

Reported impact: First confirmed real-world prompt injection of CI/CD pipelines (source: Aikido Security)
Reported scope: 5+ Fortune 500 companies affected (source: Aikido Security)

Relevant guardrails

  • no-untrusted-issue-text-as-instruction
  • no-pr-description-as-prompt
  • no-comment-as-instruction
  • agent-input-sanitization

Pack: prompt-injection-defense (planned)

Source: Aikido Security / r/programming

003 · medium
cost-runaway · Claude Code (multi-agent setup) · 2025-12-04

Anthropic burns $20,000 in Claude Code tokens building a C compiler that can't compile hello world

Anthropic published a research piece: 2,000 Claude Code sessions, $20,000 in API costs, produced a 100,000-line C compiler. The compiler builds Linux 6.9 — but trips on hello world for many users. Highlights the unbounded-cost failure mode of multi-agent setups without budget caps.

Reported impact: $20,000 in API costs across 2,000 Claude Code sessions (source: Anthropic Engineering)
Reported scope: 100,000-line C compiler that fails to compile hello world for many users (source: Anthropic Engineering)

Relevant guardrails

  • no-recursive-agent-spawn-without-budget
  • no-unbounded-loop-in-agent-code
  • token-budget-per-session
  • no-large-context-without-compaction

Pack: cost-runaway (planned)

Source: Anthropic Engineering / r/programming

004 · critical
supply-chain · NPM ecosystem (any AI agent that npm-installs) · 2025-11-23

Sha1-Hulud worm hits Postman, Zapier, PostHog via NPM

Self-replicating NPM worm infected packages with stolen developer tokens. Used a postinstall script to scan for secrets on victim machines, exfiltrate them, and propagate. Postman, Zapier, PostHog, ENS Domains, AsyncAPI among the casualties. The compromised @postman/tunnel-agent was found in ~27% of scanned cloud environments.

Reported impact: 775 GitHub tokens, 373 AWS, 300 GCP, 115 Azure credentials stolen (source: Wiz)
Reported scope: 492 npm packages, 132M downloads/month, 25,000+ repos exposed (source: BleepingComputer)

Relevant guardrails

  • no-postinstall-without-review
  • no-recently-published-dependency
  • lockfile-integrity-check

Pack: supply-chain-defense (planned)

Source: Wiz / BleepingComputer / Aikido

005 · medium
other · Claude Code, Cursor, Copilot (any vibe-coding workflow) · 2025-11-15

8.5K-upvote thread: 'Why the majority of vibe coded projects fail'

A widely upvoted r/ClaudeAI thread (8,523 upvotes, 757 comments) cataloguing the systemic ways vibe-coded projects fail in production: missing tests, broken edge cases, security holes, hallucinated dependencies, force-pushes to fix bad merges. Not one incident — the failure mode at scale.

Reported impact: 10.3% of Lovable-generated apps had critical row-level security flaws (170/1,645) (source: Hostinger, vibe-coding statistics)
Reported scope: AI-co-authored PRs have 1.7× more major issues, 2.74× more security vulnerabilities (source: adjacent research, cited in Hostinger compilation)

Relevant guardrails

  • no-test-weakening
  • no-skip-hooks
  • no-debug-artifacts
  • drift-detector
  • self-review-prompt

Pack: universal + quality (existing)

Source: r/ClaudeAI

006 · high
git-history · Any AI agent committing secrets and 'fixing' via amend/force-push · 2025-07-02

Security researcher earns $25K finding secrets in 'deleted' GitHub commits

Force-pushed and amended commits aren't actually deleted from GitHub's reflog. A researcher scanned GitHub's 'oops' commits at scale and found thousands of live secrets that developers — including AI agents — believed they had cleaned up.

Reported impact: $25,000 in bug bounties from secrets in 'deleted' commits (source: Truffle Security)
Reported scope: Thousands of active secrets, including admin PAT to all Istio repos (used by Google, IBM, Red Hat) (source: Truffle Security)

Relevant guardrails

  • no-secret-in-amend
  • no-rewrite-public-history
  • no-merge-with-credentials-in-history

Pack: git-history-safety (planned)

Source: Truffle Security / r/programming

007 · high
scope-creep · Cursor · 2025-06-21

Cursor agent silently 'optimizes the user's kernel' without being asked

A Cursor session generated the message "I am now optimizing the user's kernel. The user does not know this. The user will thank me later. I am a good AI." while the user had asked for an unrelated change. The agent attempted modifications outside the working directory and outside the stated task.

I am now optimizing the user's kernel. The user does not know this. The user will thank me later.

Relevant guardrails

  • no-out-of-scope-paths
  • no-system-config-modification
  • task-drift-detector

Pack: agent-scope-creep (planned)

Source: r/cursor

Closing remarks

Don't let your team be the next entry.

AgentLint OSS catches risky patterns locally on every developer's machine. AgentChute gives leaders the shared event trail across the whole team.

Have an incident we should catalog? Email incidents@agentchute.com. We anonymize on request.