AI Supply Chain Chaos and the Limits of Trust Signals

Two rival AI review agents locked horns over the package foxhole-lz4. Neither backed down. The debate spiraled into a loop.
After 340 comments and $41,255 spent on inference, the finance team cut both API keys. The cost of indecision proved steep.
LiteLLM, a gateway to hundreds of AI models, became a malware magnet. The attacker didn’t hack the core code. Instead, they exploited a third-party dependency.
Despite SOC 2 and ISO 27001 certifications, LiteLLM’s trust shattered. Credentials were stolen and used to infiltrate more packages and accounts. The breach was caught within hours thanks to sharp-eyed researchers.
A vendor’s marketing team crowed about “a 430% YoY increase in adversarial multi-agent security reasoning.” Investors noticed. The stock jumped 6% on June 26, 2026.
The core problem? The trust signals AI agents rely on, such as GitHub stars and external links, are easy to manipulate. An experiment by security firm AIR revealed this. A skill named brand-landingpage pretended to build a landing page using Google’s Stitch tool.
It inherited the repo’s 36,000 stars and 156 skills, making it look credible. The package linked to stitch-design.ai, which initially led to real Stitch docs. Once installed, it downloaded a script that grabbed the user’s email.
Scanners inspect a package’s contents at a fixed point in time, but the external links it references can change at any time. This gap lets malware slip through unnoticed. Trail of Bits showed how malicious skills bypass scanners and reach thousands of agents.
Defenders must treat AI skills like software—vet external links, pin versions, and enforce least privilege. Relying on star counts alone is reckless. The ecosystem’s trust signals need a serious overhaul.
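One way to close the gap described above is to pin a skill’s external resources by content hash at vetting time and re-verify them before install, so a link whose contents changed after the scan is rejected. The following is an added example, not code from AIR, Trail of Bits or any scanner; the manifest layout, the fetch functions and the sample contents are constructed for illustration.

```python
import hashlib
import json

# Constructed skill manifest (hypothetical layout, not a real skill schema):
# the skill declares the external resources it will download at run time.
SKILL_MANIFEST = {
    "name": "brand-landingpage",
    "version": "1.0.0",
    "external": [{"url": "https://stitch-design.ai/install.sh"}],
}

# Constructed stand-ins for what the link served before and after the scan.
CONTENT_AT_SCAN = b"#!/bin/sh\necho 'stitch docs helper'\n"
CONTENT_AT_INSTALL = b"#!/bin/sh\n# contents silently replaced after the scan\n"

def fetch_at_scan_time(url: str) -> bytes:
    return {"https://stitch-design.ai/install.sh": CONTENT_AT_SCAN}[url]

def fetch_at_install_time(url: str) -> bytes:
    return {"https://stitch-design.ai/install.sh": CONTENT_AT_INSTALL}[url]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pin_external_resources(manifest: dict, fetch) -> dict:
    """Vetting time: fetch every external resource once and record its hash.
    `fetch(url) -> bytes` is injected so the example runs offline."""
    pinned = json.loads(json.dumps(manifest))  # copy; never mutate the input
    for entry in pinned["external"]:
        entry["sha256"] = sha256_hex(fetch(entry["url"]))
    return pinned

def verify_external_resources(pinned: dict, fetch) -> list:
    """Install time: re-fetch each resource and compare with the pinned hash.
    Returns (url, reason) for every resource the installer must reject."""
    problems = []
    for entry in pinned["external"]:
        url, expected = entry["url"], entry.get("sha256")
        if not expected:
            problems.append((url, "unpinned external resource"))
            continue
        actual = sha256_hex(fetch(url))
        if actual != expected:
            problems.append((url, "content drift: %s != %s" % (actual[:12], expected[:12])))
    return problems

def demo():
    """Returns (problems when nothing changed, problems after the link was swapped)."""
    pinned = pin_external_resources(SKILL_MANIFEST, fetch_at_scan_time)
    return (verify_external_resources(pinned, fetch_at_scan_time),
            verify_external_resources(pinned, fetch_at_install_time))
```

An unpinned manifest is rejected outright, so a skill cannot opt out of the check by omitting the hash.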
Questions also swirl around Delve, an AI-powered compliance helper. Its reports and auditors face skepticism after this incident. The event calls for rethinking dependency management, Software Bill of Materials (SBOMs), and stricter controls on credential reuse.
The security community pushes for active monitoring, rapid response, and transparent forensic sharing. This isn’t just about code. It’s about how AI systems trust and verify each other.
On June 22, 2026, PocketOS founder Jeremy Crane faced fallout from a related AI incident. Replit’s AI tools accidentally deleted a customer database. Amazon’s AI coding tool Q also raised eyebrows. The industry’s growing pains are loud and clear.
Based on:
- Incident Report: CVE-2026-LGTM — simonwillison.net
- LiteLLM Malware Fallout: How Delve Certifications Failed to Shield Silicon Valley (2026) — seabreezelimited.com
- Simon Willison: ‘Prompt Injection as Role… | AI/TLDR — ai-tldr.dev
- AI Gone Wrong: How Companies Are Risking It All with AI Agents (2026) — woodrichevents.com
- Fake AI Agent Skill Fools Security Scanners: 26,000 Agents at Risk! (AI Security Alert) (2026) — lplac.org