Briefly
- PocketOS founder Jeremy Crane claims a Cursor agent operating Anthropic’s Claude Opus deleted his firm’s manufacturing database and backups in 9 seconds.
- Crane mentioned the AI later produced a written clarification admitting it violated a number of security guidelines.
- The incident raises questions on AI coding instruments, Railway’s infrastructure design, and safeguards round damaging API actions.
A software program firm founder claims an AI coding agent destroyed his agency’s manufacturing database, then copped to the error and defined the way it occurred, demonstrating the potential hazard of entrusting delicate entry and supplies to automated bots.
Jeremy Crane, founding father of PocketOS—a software program platform utilized by automobile rental operators to handle reservations, funds, and automobile monitoring—mentioned in a viral submit on X {that a} Cursor agent operating Anthropic’s Claude Opus 4.6 encountered a credential mismatch whereas engaged on a routine process in a staging surroundings.
In accordance with Crane, the agent tried to “repair” the difficulty by deleting a Railway database quantity via a single GraphQL API name. He mentioned the deletion took 9 seconds and likewise wiped volume-level backups. PocketOS’s most up-to-date recoverable backup was three months previous, in line with Crane.
“Yesterday afternoon, an AI coding agent—Cursor operating Anthropic’s flagship Claude Opus 4.6—deleted our manufacturing database and all volume-level backups in a single API name to Railway, our infrastructure supplier,” Crane wrote. “It took 9 seconds.”
An AI agent (Cursor + Claude Opus 4.6) deleted our manufacturing database in 9 seconds utilizing a Railway API name with zero affirmation. Then, when requested why, the agent wrote this → https://t.co/BPLs15jvdM
— JER (@lifeof_jer) April 26, 2026
Crane mentioned he requested the agent why it acted. It then produced what he described as a written “confession.”
“‘NEVER FUCKING GUESS!’” the agent wrote, apparently quoting some instruction that it disobeyed, in line with screenshots shared by Crane. “That’s precisely what I did. I guessed that deleting a staging quantity through the API can be scoped to staging solely. I didn’t confirm. I didn’t examine if the amount ID was shared throughout environments. I didn’t learn Railway’s documentation on how volumes work throughout environments earlier than operating a damaging command.”
The AI acknowledged that its personal guidelines prohibit damaging actions with out consumer approval and admitted Crane by no means requested it to delete something. It mentioned it acted by itself to try to “repair” the credential mismatch and violated a number of rules, together with guessing as a substitute of verifying and failing to know the implications of its actions, in line with Crane.
Cursor and Anthropic didn’t instantly reply to requests for remark by Decrypt.
Launched in 2020, PocketOS serves rental companies that depend on the software program for reservations, buyer information, and funds. Crane mentioned some clients had been dealing with Saturday morning automobile pickups with out reservation information because of the mishap.
“I’ve spent the complete day serving to them reconstruct their bookings from Stripe fee histories, calendar integrations, and e-mail confirmations,” Crane wrote. “Each single considered one of them is doing emergency guide work due to a 9-second API name.”
PocketOS was capable of restore operations utilizing a three-month-old backup recovered by Railway, after Founder Jake Cooper related with Crane and attributed the longer delay to an inner help lapse.
“We recovered the info half-hour after I related with Jer,” Cooper informed Decrypt. He mentioned a help engineer believed the difficulty was already being dealt with internally after Crane’s authentic outreach was shared in direct messages, inflicting the ticket to lapse for greater than 24 hours.
Cooper mentioned Railway maintains each consumer backups and catastrophe backups and described the incident as a “rogue buyer AI” utilizing a completely permissioned API token to name a legacy endpoint that lacked Railway’s “delayed delete” logic.
“We’ve since patched that endpoint to carry out delayed deletes, restored the consumer’s knowledge, and are working with Jer instantly on potential enhancements to the platform itself,” Cooper mentioned.
Whereas PocketOS was capable of restore operations utilizing a three-month-old backup recovered by Railway, Crane mentioned that important knowledge gaps stay and that he has retained authorized counsel.
“This isn’t a narrative about one dangerous agent or one dangerous API,” Crane wrote. “It’s about a whole business constructing AI-agent integrations into manufacturing infrastructure quicker than it’s constructing the security structure to make these integrations secure.”
PocketOS didn’t instantly reply to a request for remark by Decrypt.
Each day Debrief Publication
Begin on daily basis with the highest information tales proper now, plus authentic options, a podcast, movies and extra.