Posted by mooreds 5 hours ago

Incident CVE-2026-LGTM(nesbitt.io)
400 points | 71 comments
nickcw 3 hours ago|
That is very very funny, and oh so plausible.

I enjoyed this bit a lot from the timeline

> Karen Oyelaran finds the payload by reading the source code with her eyes and files a second issue. The triage assistant closes it as “duplicate of #8814.” Issue #8814 is a feature request for dark mode. Karen reopens it. The assistant closes it. Karen reopens it. Karen’s GitHub account is rate-limited for “patterns consistent with automated behaviour.”

And this - the final sentence is a perfect indictment of the timeline we are in.

> Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4, enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor’s marketing team, cc’d on the cost anomaly alert, issues a press release citing “a 430% YoY increase in adversarial multi-agent security reasoning.” The stock opens up 6%.

I'm joining the goat farming waitlist ;-)

pkoiralap 2 hours ago||
Justice to Karen

> We would like to thank:
>
> Karen Oyelaran, who found the issue on Day 1 and is currently appealing her GitHub rate limit via a web form that is also AI-triaged

quijoteuniv 1 hour ago||
It was funnier when I asked AI what this was. The AI told me it was a satire about AI, then I got it, funny.
Octoth0rpe 3 hours ago||
The entire post is great, but the acknowledgements section is particularly excellent:

> Kubernetes (the dog), who was not involved in this incident but whose photo in the #incident-response channel was auto-tagged by the Slack image classifier as “container orchestration diagram (confidence: 0.31)”

eddd-ddde 1 hour ago|
My favorite:

> This report was reviewed by Legal, who have asked us to clarify that the fox was depicted as over eighteen.

bilekas 4 hours ago||
> Duration: 96 hours (billable: 2.1 trillion tokens)

Now there's a metric that would make my boss nervous.

> Total inference spend across all parties during the incident window was $1.7M, which Marketing has asked us to start describing as “a record investment in autonomous customer assurance.”

This is too funny.

mawadev 3 hours ago|
I think at some point we need a different or split up currency/economy, because these values make no sense. Just consider how this inference cost 1.062.500 tomatoes ($1.6) in the physical world.
XorNot 2 hours ago||
Except it sort of does? You're paying for the food and shelter of the people engaged in all the manual labor in the supply chain which produces the electricity, for example.

Some of them likely eat tomatoes, so for that electricity you need to (indirectly) supply a certain number of tomatoes.

Which is the part about "what will human labor be worth?" that gets missed in all the AI discussion: it's the only thing the economy ultimately values.

aliasxneo 2 hours ago||
> Approximately 11% of affected hosts were still running fish as their login shell following the February incident; this had no bearing on anything but is noted here for completeness

Yeah, this one got me laughing and seems like such a heavy Claudism. The number of times I'm reading Claude's response and throwing my hands in the air like, "What the fck does that have to do with anything!?" It's the worst part of the over-eagerness.

ceejayoz 2 hours ago|
One of the best CLAUDE.md improvements I've made is "don't talk like a Hacker News commenter". It seems to make a huge difference.

Yes, I recognize the irony.

SpyCoder77 2 hours ago||
I did not realize this was satire until like halfway through. That is how insane the times are becoming.
sltkr 2 hours ago|
> That is how insane the times are becoming

Gee whiz what an interesting way of thinking.

https://www.smbc-comics.com/comic/aaaah

piterrro 3 hours ago||
(I know it's a satire, but it could be seen as an actual post-mortem of a future incident.) This report made me realize there's no place for humans, as it is right now, in the process of building software systems in the future. Reading this incident made me dizzy after a few paragraphs because of the cognitive context overload, and I lost track multiple times.
RaSoJo 3 hours ago||
I kinda felt it was satire, but then the below quote threw me off:

> one vendor’s marketing team, cc’d on the cost anomaly alert, issues a press release citing “a 430% YoY increase in adversarial multi-agent security reasoning.” The stock opens up 6%.

That happens! That is not satire. So I had to visit the comments here to be sure :)

Retr0id 2 hours ago|||
Satire does usually have a degree of truth/realism.
jibal 1 hour ago|||
You could have "visited" the satire tag at the top of the article.
unknownfuture 3 hours ago|||
You're absolutely right!

(In all seriousness it seems this is the dream of a huge number of AI pilled execs dreaming of infinite velocity at a fraction of the cost... velocity pointed where, you ask? Well stop asking or you'll be next.)

slopinthebag 1 minute ago|||
I mean, none of the software or processes in this hypothetical future actually worked. At a certain point, even the most normal of normal people will push back on shitty software when their bank deletes their account or their software controlled brakes fail...
dbliss 3 hours ago||
Great satire. The comedy of errors along the way made me realize that this could have happened also with humans instead of bots. But now it’s faster.
unknownfuture 2 hours ago||
It... really couldn't? Step 3 in this fictional chain would never happen with a HITL.

I honestly can't tell with comments like this whether folks have too much respect for AI, or too little respect for people...

falcor84 1 hour ago||
What's "step 3"? I don't see step numbering anywhere?
unknownfuture 1 hour ago||
Is... this comment also satire?
FridgeSeal 6 minutes ago||
Doesn’t look like anything to me.
xandrius 3 hours ago||
Great write-up.

Side note: interesting to see how many folks commenting did not get it being satire (even the title has LGTM). I guess it's time to rethink how sharp the HN folks truly are compared to the average non-tech person (not that I had any big assumptions myself).

I'm curious about this recipe for chevre :D

JRandomHacker42 1 hour ago||
HN has a big blind spot, in my opinion, around writing that isn't "purely technical". I've seen several cases of commenters complaining about "clickbait" for a blog post that I'd describe as "having a narrative hook and structure".
geophph 2 hours ago|||
By this point I’m not sure why everyone isn’t in “default satire” mode.
FridgeSeal 4 minutes ago||
This is usually my default position, but apparently that “gas town” article was Real and Serious and Distinctly Not Satire, and I started to feel reality fragmenting underneath me.
unknownfuture 2 hours ago|||
Cognitive surrender evidencing itself en masse? :D
jibal 1 hour ago|||
And immediately below the title are the tags "package-managers security satire ai"
mlyle 2 hours ago||
I read it and saw LGTM and URL and was like "probably satire" but could not rule out it being real until like 30% in.

It's like a modern version of Poe's law.

jibal 1 hour ago||
Just below the title are the tags "package-managers security satire ai"
Procrastes 3 hours ago||
I actually know a goat rancher who is working to require ag impact studies for data centers in Texas. Sounds like I should give him a call while I can.

(Also CVE-2026-LGTM would be an awesome name for a Culture ship)

NooneAtAll3 3 hours ago||
previously on HN: https://news.ycombinator.com/item?id=48086082 "Incident Report: CVE-2024-YIKES"
stronglikedan 38 minutes ago|
Not the same one.
shawkinaw 1 hour ago|
I really enjoyed the line “The incident was resolved when the attacker’s autonomous agent read a file it shouldn’t have, which is also how the incident started.”