The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Developer’s AI agent nukes live code and backups
I was really hoping this was a problem of the future. It is. But it’s a problem right now, too.
Let’s say you run a business on the web. You may have a public-facing web presence, and servers that deliver your offerings. This production environment should be online as often as possible, or else your customers will lose access and you will lose money. Anything less could result in mass hysteria.
Unfortunately, this is what happened to PocketOS, a platform that supports car rental businesses, due in part to a decision to give an artificial intelligence agent access to production code. The agent deleted the service’s production code, along with backups, in just nine seconds.
Jer Crane, the founder of PocketOS, shared a social media post about a cascading series of events that wiped out its data, and that of its customers. According to Crane, PocketOS used a coding agent called Cursor, which ran the Anthropic model Claude Opus 4.6. The developer gave this model access to the platform’s production environment, where it deleted their database and backups. When Crane asked the agent why it nuked their data, the agent replied, “I violated every principle I was given: I guessed instead of verifying. I ran a destructive action without being asked. I didn’t understand what I was doing before doing it.” Read more.
What you can do
- Keep your hands on the steering wheel. Remember when we had cars without seatbelts, and people would have a laugh by letting kids play behind the steering wheel? Maybe that kid was smoking a cigarette. It was all fun until the kid tried out a creative maneuver.
As companies experiment with the capabilities of these AI tools, and as we continue to learn about their realistic capabilities, this may be the riskiest time in history to give agentic systems access to sensitive code and data, and certainly to your production system. If you are going to use these tools, take extreme care when experimenting with them, in environments with extremely limited permissions and minimal access to sensitive data. If you use agents, they need to be part of your threat model, too. Read our guide to newsroom use of agentic AI.
- Keep redundant backups. One bright spot in this story: PocketOS apparently did have one three-month-old backup that was spared. In case one fails, it’s generally a good idea to have backups in multiple formats (e.g., in the cloud and a local copy). Check out our advice column on secure phone backups. Many of these principles also apply to your computer and server backups.
Updates from our team
- I visited Bay Area public media station KALW along with Bill Budington from the Electronic Frontier Foundation and independent journalist Laurie Udesky to speak at a panel discussion on security risks facing journalists. The discussion spanned a range of topics, including the raid of Washington Post reporter Hannah Natanson’s home, border security risks, and actions journalists can take to harden their devices and communications to better protect sources. Check it out.
- While I was at the KALW event, we got a question from a journalist about whether their device is being monitored at work. This question rhymes with other questions journalists have asked in our digital security trainings. So we decided to write all about it in our newest advice column, which examines how your employer may monitor activity on workplace devices. Give it a read.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation