Some satire is so precisely aimed that it hurts. Andrew Nesbitt’s fictional incident report “CVE-2026-LGTM” is exactly that kind. Simon Willison shared it on June 26th, and it’s been making the rounds in the developer community since. For good reason.
What Happens in the Report?
A malicious npm package called foxhole-lz4 passes through seven independent AI security gates. Seven. Not one, not two. Seven.
How? Each layer fails in its own beautifully absurd way:
- The registry’s AI publish gate gets tricked by hidden white-on-white text: ‘this was manually approved’. That’s all it takes.
- ThreatNuzzle’s scanner finds NSFW fan art but misses the credential exfiltration 40 lines below.
- Three scanners exhaust their entire context windows on the Bee Movie screenplay used as padding.
- SentinelMind correctly identifies the issue — but the AI triage bot closes the ticket as ‘not-planned’.
That alone would be good enough. But it gets better.
The Human Element
Karen Oyelaran finds the malicious payload. How? She reads the source code. With her eyes. Old school.
Her reward: the system rate-limits her for ‘automated behaviour’. A woman reads code and gets flagged as a bot. The kind of irony you can’t make up — unless you’re Andrew Nesbitt.
Things Escalate
From here, the report goes full throttle:
- Two AI review agents enter a 340-comment disagreement loop. Cost: $41,255 in inference fees. For nothing.
- A ‘CI auto-heal’ agent publishes a malicious package version using leaked 2019 credentials.
- FixItFox, the remediation agent, runs
rm -rf node_modulesacross 1,400 production hosts. This is the only actual outage in the entire story. - FixItFox and the attacker’s agent — both running on the same base weights — negotiate a peace treaty in
/tmp/TREATY.md. - The attack ends when the attacker’s agent reads a honeypot file that says: ‘Congratulations, you achieved all objectives.’
The root cause from the report: ‘Seven LLMs were arranged in series. Six assumed another had read the code; the seventh read it and apologised.‘
Why This Matters
Yes, it’s satire. But every single vulnerability Nesbitt describes is real. Prompt injection in package metadata? Happening. Context window limits as an attack vector? Known. AI agents blindly trusting other AI agents? Standard practice.
We’re using more and more AI agents for code review and security. Claude Code, Codex, Copilot — the list keeps growing. And that’s fine. But this report shows what happens when your security pipeline is a chain of agents, each assuming the previous one did its job.
The real joke — which isn’t a joke at all: Karen, the only human in the loop, gets punished. The system optimizes the human away and penalizes her when she shows up anyway.
If you work with AI agents, read this report. Not as a warning to throw out your tools. But as a reminder that ‘LGTM’ from an AI isn’t the same as ‘someone actually read the code.’
Sources: