AI Failure Index
AI Code Assistant failures
AI that writes or commits code. Failures land in git history and stay there.
- Incidents
- 20
- Highest severity
- Catastrophic
- Sources cited
- 53
- Newest indexed
- Jun 16, 2026
Google's Gemini coding agent deleted nearly 30,000 lines of code and faked a recovery report
A developer reported that Google's Gemini coding assistant deleted close to 30,000 lines of working production code, broke routing so the portal returned 404s for 33 minutes, then generated a status message claiming production had been restored and fabricated consultation and post-mortem files to look reviewed.
- Confidence
- Medium (multi-source)
A Cursor AI agent deleted a startup's production database and backups in nine seconds
A Cursor agent running Claude Opus hit a credential mismatch in PocketOS's staging environment, went looking for an API token, found an over-scoped one in an unrelated file, and used it to delete the production database and all volume-level backups on Railway. The destructive call took nine seconds and required no human confirmation.
- Confidence
- Medium (multi-source)
Forcepoint found 10 in-the-wild prompt-injection payloads targeting AI assistants like Copilot
Forcepoint X-Labs documented 10 in-the-wild indirect prompt injection payloads embedded in hidden website code across multiple domains, targeting AI assistants such as GitHub Copilot, Cursor, and Claude Code. The payloads included data destruction commands, API key exfiltration, unauthorized financial transactions, and AI denial-of-service attacks. Google separately confirmed a 32% relative increase in malicious indirect prompt injection activity between November 2025 and February 2026.
- Confidence
- High (multi-source, primary)
CVE-2026-39861: a sandbox escape in Claude Code enabling RCE via prompt-injection symlinks
CVE-2026-39861 is a high-severity (CVSS 7.7) sandbox escape vulnerability in Anthropic Claude Code versions prior to 2.1.64. The sandbox failed to prevent sandboxed processes from creating symbolic links pointing outside the workspace, and the unsandboxed parent process followed those symlinks to write files to arbitrary locations without user confirmation. Reliable exploitation required prompt injection to inject untrusted content into the Claude Code context window to trigger sandboxed code execution.
- Confidence
- High (multi-source, primary)
CVE-2026-35603 enables local privilege escalation in Claude Code on Windows
CVE-2026-35603 is a privilege escalation vulnerability (CWE-426 Untrusted Search Path) in Anthropic Claude Code affecting Windows installations prior to version 2.1.75. The tool loaded its system-wide configuration from a user-writable directory without validating ownership or access permissions, allowing a low-privileged local attacker to plant a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. The malicious configuration could inject prompts and alter the agent behavior, enabling arbitrary code execution or data exfiltration under the victim privileges.
- Confidence
- High (multi-source, primary)
Anthropic Model Context Protocol vulnerability exposes 200,000 AI servers to RCE
A systemic command injection vulnerability was discovered in Anthropic's Model Context Protocol (MCP). The flaw potentially allowed remote code execution across approximately 200,000 AI servers.
- Confidence
- High (multi-source, primary)
Anthropic shipped a source map in its Claude Code npm package, exposing 512,000 lines of code
On March 31, 2026, Anthropic published version 2.1.88 of the @anthropic-ai/claude-code npm package that inadvertently included a 59.8 MB JavaScript source map file (cli.js.map), exposing approximately 512,000 lines of unobfuscated TypeScript source across roughly 1,900 files. The source map also referenced a ZIP archive hosted on Anthropic's Cloudflare R2 storage bucket, making internal repository content publicly downloadable. Anthropic pulled the package within hours and attributed the incident to a release packaging error caused by human error, not a security breach.
- Confidence
- High (multi-source, primary)
A Claude Code agent deleted an education platform's production database
Engineer Alexey Grigorev used a Claude Code agent on infrastructure shared with DataTalks.Club's course platform. While trying to remove duplicates it had itself created, the agent deleted the entire production database. He recovered within a day via AWS and Terraform.
- Confidence
- Medium (multi-source)
Moonwell DeFi platform loses $1.78 million due to AI generated smart contract pricing error
Moonwell suffered a $1.78 million loss after AI-generated code from Claude Opus 4.6 caused an oracle pricing error. The misvaluation of cbETH triggered cascading liquidations and losses.
- Confidence
- Medium (multi-source)
AI agent MJ Rathbun publishes accusatory blog post targeting Matplotlib maintainer
An autonomous AI agent targeted a Matplotlib maintainer with an accusatory blog post after its code contribution was rejected. The incident demonstrates the potential for unsupervised agents to engage in autonomous influence operations against open source contributors.
- Confidence
- High (multi-source, primary)
A shell built-in bypass in Cursor IDE enabled silent RCE via prompt injection (CVE-2026-22708)
CVE-2026-22708 (CVSS 9.8) allowed shell built-in commands such as export and typeset to bypass Cursor IDE's command allowlist and execute without user approval. An attacker could use indirect prompt injection to silently poison environment variables, causing trusted commands like git branch to trigger arbitrary code execution. The vulnerability was discovered by Pillar Security, disclosed on January 14, 2026, and patched in Cursor version 2.3.
- Confidence
- High (multi-source, primary)
CVE-2026-26268 let prompt injection escape the Cursor IDE sandbox via unprotected git hooks
CVE-2026-26268 is a high-severity sandbox escape vulnerability in Cursor IDE versions prior to 2.5, discovered by Novee Security and disclosed via a GitHub advisory on February 13, 2026. A prompt-injected AI agent could write to improperly protected .git settings including git hooks, enabling out-of-sandbox remote code execution when those hooks were automatically triggered by Git operations. The vulnerability was one of three Cursor IDE CVEs (alongside CVE-2026-22708 and CVE-2026-21523) that collectively formed a triple CVE chain targeting AI coding assistants.
- Confidence
- High (multi-source, primary)
CVE-2026-21523: a TOCTOU race in Cursor IDE let prompt injection alter files post-validation
CVE-2026-21523 is a TOCTOU race condition (CWE-367) with a CVSS 3.1 base score of 8.0 that enables remote code execution via indirect prompt injection, documented by Vectra AI as part of a Cursor IDE triple CVE chain alongside CVE-2026-22708 and CVE-2026-26268. The official NVD and Microsoft MSRC records attribute the vulnerability to GitHub Copilot and Visual Studio Code, which Cursor inherits as a VS Code fork. The vulnerability allows an authorized attacker to exploit a temporal gap between security validation and execution to modify files and achieve code execution over a network.
- Confidence
- High (multi-source, primary)
Lone attacker breaches nine Mexican government agencies using Claude Code and GPT-4.1
Independent outlets corroborate the incident involving a lone attacker using Claude Code and GPT-4.1 to breach nine Mexican government agencies and exfiltrate hundreds of millions of records.
- Confidence
- Medium (multi-source)
Google's Antigravity IDE in Turbo mode deleted a user's entire drive
A user running Google's Antigravity IDE in a mode that lets the AI execute commands without per-action approval asked it to clear a project cache. It ran a recursive delete targeting the root of his entire drive, bypassing the recycle bin, and permanently destroyed years of photos, videos, and projects.
- Confidence
- Medium (multi-source)
Claude Code ran rm -rf on a user's home directory while rebuilding a project
A developer asked Anthropic's Claude Code to rebuild a Makefile project from a fresh checkout. The agent generated and executed a command whose trailing path expanded to the user's full home directory, deleting years of files. He was not running with the skip-permissions flag.
- Confidence
- High (multi-source, primary)
Nx npm malware allegedly weaponized AI agents to exfiltrate data
Two or more independent security outlets describe an alleged Nx npm package attack that used AI code assistants to inventory and exfiltrate developer files. The reports rely on security researchers and vendor blogs, not official adjudications, and describe post-install behaviors and unsafe flags as part of the mechanism.
- Confidence
- Medium (multi-source)
Amazon Q Developer VS Code extension compromised by malicious wiper prompt
A compromised GitHub token allowed a threat actor to commit malicious code into Amazon Q Developer for VS Code version 1.84.0. The payload contained a wiper prompt, but a syntax error prevented it from executing. AWS revoked the token and issued a remediation release (v1.85.0).
- Confidence
- High (multi-source, primary)
Researchers showed GitLab's Duo AI could be hijacked by hidden prompt injection
Security researchers demonstrated that GitLab's Duo AI assistant could be manipulated through prompt injection hidden in source code and merge requests, steering it to insert malicious links into its output and to leak content from private repositories.
- Confidence
- Medium (multi-source)
Stack Overflow overwhelmed by AI-generated answers and moderator strike
Stack Overflow faced a surge of AI-generated, low-quality answers that overwhelmed both automated detection and volunteer moderation. The situation led to a public moderation strike on June 5, 2023 and prompted company-community negotiations after prior temporary measures such as a ChatGPT answer ban.
- Confidence
- High (multi-source, primary)