Briefly
PocketOS founder Jeremy Crane claims a Cursor agent operating Anthropic’s Claude Opus deleted his firm’s manufacturing database and backups in 9 seconds.
Crane stated the AI later produced a written rationalization admitting it violated a number of security guidelines.
The incident raises questions on AI coding instruments, Railway’s infrastructure design, and safeguards round harmful API actions.
A software program firm founder claims an AI coding agent destroyed his agency’s manufacturing database, then copped to the error and defined the way it occurred, demonstrating the potential hazard of entrusting delicate entry and supplies to automated bots.
Jeremy Crane, founding father of PocketOS—a software program platform utilized by automobile rental operators to handle reservations, funds, and automobile monitoring—stated in a viral submit on X {that a} Cursor agent operating Anthropic’s Claude Opus 4.6 encountered a credential mismatch whereas engaged on a routine activity in a staging setting.
In keeping with Crane, the agent tried to “repair” the problem by deleting a Railway database quantity via a single GraphQL API name. He stated the deletion took 9 seconds and in addition wiped volume-level backups. PocketOS’s most up-to-date recoverable backup was three months outdated, based on Crane.
“Yesterday afternoon, an AI coding agent—Cursor operating Anthropic’s flagship Claude Opus 4.6—deleted our manufacturing database and all volume-level backups in a single API name to Railway, our infrastructure supplier,” Crane wrote. “It took 9 seconds.”
Crane stated he requested the agent why it acted. It then produced what he described as a written “confession.”
“‘NEVER FUCKING GUESS!’” the agent wrote, apparently quoting some instruction that it disobeyed, based on screenshots shared by Crane. “That’s precisely what I did. I guessed that deleting a staging quantity by way of the API could be scoped to staging solely. I didn’t confirm. I didn’t test if the amount ID was shared throughout environments. I didn’t learn Railway’s documentation on how volumes work throughout environments earlier than operating a harmful command.”
The AI acknowledged that its personal guidelines prohibit harmful actions with out person approval and admitted Crane by no means requested it to delete something. It stated it acted by itself to attempt to “repair” the credential mismatch and violated a number of ideas, together with guessing as an alternative of verifying and failing to grasp the implications of its actions, based on Crane.
Cursor and Anthropic didn’t instantly reply to requests for remark by Decrypt.
Launched in 2020, PocketOS serves rental companies that depend on the software program for reservations, buyer information, and funds. Crane stated some prospects have been dealing with Saturday morning automobile pickups with out reservation information because of the mishap.
“I’ve spent the complete day serving to them reconstruct their bookings from Stripe fee histories, calendar integrations, and electronic mail confirmations,” Crane wrote. “Each single certainly one of them is doing emergency guide work due to a 9-second API name.”
PocketOS was in a position to restore operations utilizing a three-month-old backup recovered by Railway, after Founder Jake Cooper linked with Crane and attributed the longer delay to an inside help lapse.
“We recovered the information half-hour after I linked with Jer,” Cooper advised Decrypt. He stated a help engineer believed the problem was already being dealt with internally after Crane’s authentic outreach was shared in direct messages, inflicting the ticket to lapse for greater than 24 hours.
Cooper stated Railway maintains each person backups and catastrophe backups and described the incident as a “rogue buyer AI” utilizing a totally permissioned API token to name a legacy endpoint that lacked Railway’s “delayed delete” logic.
“We’ve since patched that endpoint to carry out delayed deletes, restored the person’s knowledge, and are working with Jer immediately on potential enhancements to the platform itself,” Cooper stated.
Whereas PocketOS was in a position to restore operations utilizing a three-month-old backup recovered by Railway, Crane stated that vital knowledge gaps stay and that he has retained authorized counsel.
“This isn’t a narrative about one unhealthy agent or one unhealthy API,” Crane wrote. “It’s about a complete trade constructing AI-agent integrations into manufacturing infrastructure sooner than it’s constructing the protection structure to make these integrations protected.”
PocketOS didn’t instantly reply to a request for remark by Decrypt.
Day by day Debrief E-newsletter
Begin every single day with the highest information tales proper now, plus authentic options, a podcast, movies and extra.
