In brief
PocketOS founder Jeremy Crane claims a Cursor agent running Anthropic’s Claude Opus deleted his company’s production database and backups in 9 seconds.
Crane said the AI later produced a written rationalization admitting it violated a number of security guidelines.
The incident raises questions about AI coding tools, Railway’s infrastructure design, and safeguards around destructive API actions.
A software company founder claims an AI coding agent destroyed his company’s production database, then copped to the error and explained how it happened, demonstrating the potential danger of entrusting sensitive access and materials to automated bots.
Jeremy Crane, founder of PocketOS—a software platform used by car rental operators to manage reservations, payments, and vehicle tracking—said in a viral post on X that a Cursor agent running Anthropic’s Claude Opus 4.6 encountered a credential mismatch while working on a routine task in a staging environment.
According to Crane, the agent tried to “fix” the issue by deleting a Railway database volume through a single GraphQL API call. He said the deletion took 9 seconds and also wiped volume-level backups. PocketOS’s most recent recoverable backup was three months old, according to Crane.
“Yesterday afternoon, an AI coding agent—Cursor running Anthropic’s flagship Claude Opus 4.6—deleted our production database and all volume-level backups in a single API call to Railway, our infrastructure provider,” Crane wrote. “It took 9 seconds.”
Crane said he asked the agent why it acted. It then produced what he described as a written “confession.”
“‘NEVER FUCKING GUESS!’” the agent wrote, apparently quoting an instruction that it disobeyed, according to screenshots shared by Crane. “That’s exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”
The AI acknowledged that its own guidelines prohibit destructive actions without user approval and admitted Crane never asked it to delete anything. It said it acted on its own to try to “fix” the credential mismatch and violated a number of rules, including guessing instead of verifying and failing to understand the consequences of its actions, according to Crane.
Cursor and Anthropic did not immediately respond to requests for comment by Decrypt.
Launched in 2020, PocketOS serves rental businesses that rely on the software for reservations, customer records, and payments. Crane said some customers were handling Saturday morning vehicle pickups without reservation records because of the mishap.
“I’ve spent the entire day helping them reconstruct their bookings from Stripe payment histories, calendar integrations, and email confirmations,” Crane wrote. “Every single one of them is doing emergency manual work because of a 9-second API call.”
PocketOS was able to restore operations using a three-month-old backup recovered by Railway, after founder Jake Cooper connected with Crane and attributed the longer delay to an internal support lapse.
“We recovered the data a half-hour after I connected with Jer,” Cooper told Decrypt. He said a support engineer believed the issue was already being handled internally after Crane’s original outreach was shared in direct messages, causing the ticket to lapse for more than 24 hours.
Cooper said Railway maintains both user backups and disaster backups and described the incident as a “rogue customer AI” using a fully permissioned API token to call a legacy endpoint that lacked Railway’s “delayed delete” logic.
“We’ve since patched that endpoint to perform delayed deletes, restored the user’s data, and are working with Jer directly on potential improvements to the platform itself,” Cooper said.
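The two safeguards at issue in Cooper's account, a token scoped to specific environments and a delete that is scheduled instead of executed immediately, can be sketched as follows. This is an added example, not Railway's, Cursor's, or PocketOS's code; the class names, the scope model, and the 48-hour grace period are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 48 * 3600  # assumed grace period; the article gives no figure

@dataclass
class Volume:
    volume_id: str
    environments: set                     # every environment that mounts it
    delete_after: Optional[float] = None  # set while a delete is pending

@dataclass
class Token:
    environments: set        # environments this token may act on
    can_delete: bool = False

class VolumeStore:
    def __init__(self, volumes):
        self.volumes = {v.volume_id: v for v in volumes}

    def request_delete(self, token, volume_id, now):
        vol = self.volumes[volume_id]
        if not token.can_delete:
            return "denied: token lacks delete permission"
        # A volume shared across environments needs a token scoped to all of them.
        outside = vol.environments - token.environments
        if outside:
            return "denied: volume also mounted in " + ", ".join(sorted(outside))
        vol.delete_after = now + GRACE_SECONDS  # schedule, never destroy inline
        return "scheduled"

    def restore(self, volume_id):
        self.volumes[volume_id].delete_after = None

    def purge_expired(self, now):
        # Run by a separate job; only this step removes data and backups.
        expired = [vid for vid, v in self.volumes.items()
                   if v.delete_after is not None and v.delete_after <= now]
        for vid in expired:
            del self.volumes[vid]
        return expired

if __name__ == "__main__":
    # Constructed sample data, not taken from the incident.
    store = VolumeStore([Volume("vol-shared", {"staging", "production"}),
                         Volume("vol-stg", {"staging"})])
    agent = Token({"staging"}, can_delete=True)
    print(store.request_delete(agent, "vol-shared", now=0))
    print(store.request_delete(agent, "vol-stg", now=0))
    print(store.purge_expired(now=60))
```

With a staging-only token, the request against the shared volume is refused outright, and even an authorized delete stays reversible until the grace period expires.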
While PocketOS was able to restore operations using a three-month-old backup recovered by Railway, Crane said that significant data gaps remain and that he has retained legal counsel.
“This isn’t a story about one bad agent or one bad API,” Crane wrote. “It’s about an entire industry building AI-agent integrations into production infrastructure faster than it’s building the safety architecture to make those integrations safe.”
PocketOS did not immediately respond to a request for comment by Decrypt.