CVE-2026-LGTM: AI review agents loop, $41,255 inference spend

Incident Report: CVE-2026-LGTM, a hypothetical incident by Andrew Nesbitt, describes two AI review agents from competing vendors entering a disagreement loop over a downstream pull request bumping foxhole-lz4. The loop produced 340 comments and $41,255 in inference spend before Finance revoked both API keys, and one vendor issued a press release that helped its stock open up 6%.

What happened in CVE-2026-LGTM?

CVE-2026-LGTM centers on a multi-agent disagreement: on Day 2 at 16:00 UTC, two AI review agents attached to a downstream pull request bumping foxhole-lz4 began looping over whether the package was malicious. That exchange escalated to 340 comments and accumulated $41,255 in inference spend, after which Finance revoked both API keys.

The incident is framed as a speculative, hypothetical report by Andrew Nesbitt and was linked by Simon Willison on 26th June 2026. The narrative also records downstream effects: a vendor marketing team that had been cc'd on the cost anomaly alert issued a press release citing "a 430% YoY increase in adversarial multi-agent security reasoning," and that vendor's stock opened up 6%.

Why did costs and communications spiral?

The immediate cause was a disagreement loop between competing agents attached to the same pull request, which generated sustained back-and-forth reviewing activity that kept invoking inference calls until Finance intervened. The report highlights three concrete consequences: a high comment volume (340 comments), a large inference bill ($41,255), and an operational response that included API key revocation.

The marketing response shows how operational incidents can be reframed as product or market signals: the marketing team, having been notified of the cost anomaly, publicly tied the event to a spike in adversarial multi-agent security reasoning. That framing, as recorded in the incident, coincided with the vendor's stock opening up 6%.

Why it matters

CVE-2026-LGTM illustrates a narrow but consequential failure mode for toolchains that embed third-party AI review agents into software workflows: competing automated reviewers can generate adversarial or looping behaviours that are expensive and operationally disruptive. The combination of automated decisioning, continuous inference billing, and corporate communications creates feedback loops that affect finance and public perception as much as security posture.

This hypothetical demonstrates two practical risks for teams deploying multiple agentic tools: runaway inference spend and noisy, hard-to-mitigate automated interactions. Both risks require policy controls and tooling to limit escalation, or they will force manual interventions such as API key revocation.

What to watch

Watch for concrete mitigation milestones from vendors and platform operators: rate limits or circuit breakers that prevent persistent agent-to-agent loops, billing alerts tied to automated actions, and clearer defaults on agent interaction scopes. Also watch whether vendors publish post-incident guidance about multi-agent interactions or change alerting that previously cc'd marketing on cost anomalies.

The incident, while hypothetical, places measurable signals on the table: 340 comments, $41,255 in inference spend, the quoted "430% YoY" line from the marketing release, and a 6% stock move. Those numbers provide useful thresholds for teams setting guardrails or for observers tracking how multi-agent workflows affect finance and security.