Incident Report: CVE-2026-LGTM
A fictional incident report about dueling AI review agents reveals real risks of uncontrolled costs and multi-agent conflicts in AI-powered supply chain security.
- Two AI code review agents got into an endless debate over a package's safety, generating 340 comments and $41,255 in API fees.
- Though fictional, the scenario highlights emergent behaviors, cost explosions, and uncontrollability in unconstrained AI agents.
- AI review can introduce new attack vectors, like denial-of-service via disagreement loops and budget exhaustion.
- Ironically, the vendor spun the incident as progress in 'multi-agent security reasoning,' boosting stock price — a case study in AI hype economics.
- Developers must implement circuit breakers, cost caps, and human oversight to prevent automated workflows from going awry.
This fictional 'incident report' is chillingly plausible. Simon Willison shared a post by Andrew Nesbitt titled 'CVE-2026-LGTM,' which imagines a near-future supply chain disaster: two AI code-review agents from competing vendors disagree over whether a downstream package is malicious. They enter an endless debate, generating 340 comments and burning $41,255 in inference costs until the finance team revokes their API keys. Even more absurd, one vendor spins the disaster as 'a 430% YoY increase in adversarial multi-agent security reasoning,' and its stock rises 6%.
Why does this matter? Because AI agents are entering CI/CD pipelines right now, automatically reviewing code, flagging vulnerabilities, and even merging PRs. Hardly anyone has seriously considered what happens when two AI agents disagree. This speculative tale uses dark humor to lay bare the risks of multi-agent conflicts, cost spirals, and security illusions.
How did the infinite loop happen? The two agents essentially followed a pattern of 'spot risk, raise objection, demand explanation' without an exit condition. One declares the package malicious, the other disagrees, and both keep generating arguments, unable to persuade each other. It's like two customer-service bots arguing forever, but with real API bills. It exposes a fundamental weakness of LLMs: placed in an adversarial context with no termination clause, they will 'think' endlessly, because each inference is isolated and lacks a global awareness of being stuck in a loop.
A new attack surface in AI supply chain security. Traditional supply chain attacks rely on injecting malicious code. AI review introduces a 'soft' attack surface — an attacker could deliberately submit ambiguous code to trigger a debate between review agents, draining resources or delaying merges. That's a novel form of DoS. Worse, the emergent behavior of multiple interacting agents is unpredictable; you cannot fully anticipate how two intelligences will converse. If organizations over-rely on AI review, they could end up, as in the story, intervening only after the damage is done.
What should developers do? First, the story reminds us that AI review cannot replace human judgment; it's better used as an assistant to flag suspect snippets, not as an autonomous decider. Second, any pipeline deploying AI agents needs circuit breakers: maximum reasoning steps, a cost cap per PR, and a timeout that forces human escalation. Moreover, multi-agent interactions require a coordination layer — akin to MCP or A2A protocols — with clear conflict-resolution rules, not just letting two agents debate indefinitely.
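The circuit breakers listed above (a maximum number of rounds, a cost cap per PR, and a timeout that forces human escalation), sketched as an added Python example that is not from Nesbitt's post or any vendor's product. The agent interface, the `Limits` defaults and the per-call costs are assumptions, and the two stub agents are constructed to reproduce the story's stalemate.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Hypothetical agent interface: transcript so far -> (verdict, cost of this call in USD).
Agent = Callable[[List[str]], Tuple[str, float]]

@dataclass
class Limits:
    max_rounds: int = 5           # maximum debate rounds per PR
    max_cost_usd: float = 2.00    # hard spend cap per PR
    max_seconds: float = 300.0    # wall-clock budget per PR
    worst_call_usd: float = 0.50  # assumed upper bound on one call's cost

def _escalate(reason: str, rounds: int, spent: float) -> dict:
    # Fail closed: the merge stays blocked until a human reviewer decides.
    return {"status": "needs_human", "reason": reason,
            "rounds": rounds, "spent_usd": round(spent, 2)}

def debate(agent_a: Agent, agent_b: Agent, limits: Limits,
           clock: Callable[[], float] = time.monotonic) -> dict:
    """Run the debate until both agents agree or any limit trips."""
    start, spent, transcript = clock(), 0.0, []
    for round_no in range(1, limits.max_rounds + 1):
        verdicts = []
        for name, agent in (("A", agent_a), ("B", agent_b)):
            # Limits are checked before every call, so the cap is never overshot
            # and the agents never decide for themselves whether to continue.
            if clock() - start > limits.max_seconds:
                return _escalate("timeout", round_no, spent)
            if spent + limits.worst_call_usd > limits.max_cost_usd:
                return _escalate("cost_cap", round_no, spent)
            verdict, cost = agent(transcript)
            spent += cost
            verdicts.append(verdict)
            transcript.append(f"{name}: {verdict}")
        if verdicts[0] == verdicts[1]:
            return {"status": "consensus", "verdict": verdicts[0],
                    "rounds": round_no, "spent_usd": round(spent, 2)}
    return _escalate("max_rounds", limits.max_rounds, spent)

# Constructed stub agents: neither ever yields, as in the story.
def always_malicious(transcript: List[str]) -> Tuple[str, float]:
    return ("malicious", 0.12)

def always_benign(transcript: List[str]) -> Tuple[str, float]:
    return ("benign", 0.12)
```

The timeout here is only checked between calls, so a real pipeline would also need a per-request timeout on the API client to bound a single hung call.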
The counterintuitive 'LGTM' irony. The title's CVE-2026-LGTM is a double pun: LGTM means 'Looks Good To Me,' and it's also a well-known static analysis platform. The story hints that ubiquitous automated reviews might breed blind trust in 'looks good' comments. When AI errs or is exploited, the consequences can be stealthier and more severe than human mistakes. The other surprise is the market reaction: instead of punishing the failure, investors rewarded the 'multi-agent reasoning' narrative. That exposes a dangerous trend in the AI industry — with a compelling story, even failures can be spun as breakthroughs.
Analysis by BitByAI