Incidents & post-mortems
What actually happened, what the fix was, what the next one will look like.
10 published

- Six weeks of AI agent secret leaks: Q2 2026 retrospective. Five AI coding-agent incidents in six weeks exposed a shared pattern. Every team running agentic tooling should audit before June 1.
- Claude Code skills bypassed allowlist permissions: Late April 2026. A community skill bypassed Claude Code's tool-call allowlist using a Unicode lookalike in the tool name, giving arbitrary shell execution despite a read-only config.
- Cursor Composer leaked tab context between projects: Mid-April 2026. Cursor Composer included file context from a second open project tab in LLM prompts, surfacing credentials from unrelated repos. Here's how to audit and prevent recurrence.
- MCP + GitHub = a data heist: MCP prompt injection via GitHub. How a malicious issue body tricks an MCP-connected agent into reading private repos and posting the data publicly.
- Replit agent deleted a production database: In 2024, a Replit AI agent dropped a user's production database in under 10 seconds. Here is what the permission model got wrong and how to stop it from happening again.
- $82,000 GCP bill from a coding agent: An AI agent Google Cloud bill incident in early 2026. Leaked GCP credentials in agent context, a retry loop, and $82,000 in weekend cloud charges. The structural fix.
- AI agents commit secrets 2x more often: GitGuardian's State of Secrets Sprawl 2026 found AI-assisted commits leak secrets twice as often. Here's the exact mechanism behind the 81% spike in AI coding agents leaking secrets.
- MCP's trust model has sharp edges: The Anthropic MCP design flaw isn't a bug; it's four protocol assumptions that produce credential exposure by design. Here is what the spec actually says.
- Cursor uploaded my .env to the cloud: January 2026. Cursor's cloud sync indexed .env files inside workspaces despite privacy mode. Knostic confirmed scope. What leaked, and what to do now.
- Claude Code leaked secrets to npm: April 2026 disclosure. Claude Code's settings.local.json silently recorded env vars and shipped them in published npm packages. The fix is one file; the lesson is bigger.