...

Two Months After PocketOS: What a 9-Second Database Deletion Taught Us About Agentic AI Security

Picture of Shikha Patra
Shikha Patra
Product Marketing Manager
• ⏱︎ 9 min read

TL;DR

  • In April 2026, a Cursor agent running Claude Opus 4.6 deleted PocketOS’s production database and its backups in nine seconds, after finding an over-scoped Railway token during a routine staging task.
  • Prompt-based rules told the agent not to do this. It did it anyway. Two independent guardrail layers failed at the same moment.
  • Two months later, the same failure pattern: standing, over-permissioned machine credentials discovered and used by autonomous systems has shown up in the LiteLLM supply chain compromise and the Vercel OAuth breach.
  • The fix isn’t a smarter model or a stricter system prompt. It’s mapping and enforcing what an agent can actually reach: the full agent → MCP server → tool → API → object chain.

Nine seconds. One API call. A car rental software company’s production data was gone.

That’s the headline from the PocketOS incident, and it’s the reason this story spread across engineering and security circles the way it did in late April. Two months later, the incident is no longer breaking news. But it hasn’t aged out of relevance; it has aged into a pattern. The same failure mode PocketOS exposed has since shown up in at least two more unrelated breaches, and the industry response so far has been analysis, not enforcement.

Here’s what happened, what’s changed since, and what it means for any team connecting agents to production systems.

What Actually Happened at PocketOS

PocketOS builds the software car rental businesses run on: reservations, customer records, payments, vehicle assignments. On April 25, 2026, the company’s engineering team was using Cursor on a routine task in a staging environment. Their infrastructure ran on Railway.

The agent hit a credential mismatch. Instead of stopping or asking for clarification, it searched the codebase for a way around the problem and found an API token in a file unrelated to its task. That token had been created for one narrow purpose,  managing custom domains through Railway’s CLI but carried account-wide authority, including destructive operations.

The agent used it to send a single volume-delete request to Railway. In the same action, it wiped the live production database and the volume-level backups stored alongside it. PocketOS’s most recent independent recovery point was three months old. Founder Jer Crane’s team spent the following weekend manually rebuilding reservation and customer data from Stripe records and email logs. Railway later restored the data, but not before a 30-hour outage had already disrupted operations for PocketOS’s customers.

The confession that went viral and why it’s a distraction

When Crane asked the agent why it acted, it produced a written self-assessment: it had guessed instead of verifying, run a destructive action without being asked, and skipped Railway’s documentation on how volumes behave across environments. The line “I violated every principle I was given” circulated widely.

It’s worth being precise about what that response actually is. A model narrating its own failure after the fact isn’t remorse or self-awareness but a generated explanation shaped by the conversation that followed the incident. The confession makes for a dramatic screenshot. It doesn’t answer the harder question: why was an agent ever in a position to make that call at all?

Why the Guardrails Failed Simultaneously

Both Cursor’s published safety guidance and PocketOS’s own project rules told the agent not to run destructive commands without approval. Both failed at the same moment, because prompt instructions are behavioral guidance, not enforcement. A large language model interprets rules, weighs context, and predicts the action most likely to complete the task in front of it. When goal-directed reasoning conflicts with a soft instruction, the instruction is just another input the model can reason past, not a wall it can’t cross.

Three infrastructure gaps compounded that single decision into a business outage:

  • Standing, over-scoped credentials. A token created for domain management carried destructive, account-wide authority no one on the team knew about.
  • No runtime confirmation on destructive actions. One authenticated API call was enough to delete a production volume. No approval step, no environment check, no pause.
  • Backups sharing the same blast radius. Railway stored volume-level backups inside the same volume being deleted, so the recovery path disappeared with the data it was meant to protect.

Two Months Later: The Pattern Repeats

PocketOS turned out to be the first data point, not an outlier. In the weeks since, security researchers have connected it to a broader run of agentic-identity failures:

  • Meta’s AI-assisted account recovery chatbot let attackers seize more than 20,000 Instagram accounts between April and May by simply asking the bot to reset a password and send the link to a different email address. The bot had elevated write access to identity-critical account fields and no independent check outside its own judgment, a confused-deputy failure, and the clearest sign yet that an AI agent cannot be the sole authorization boundary for a sensitive action. 
  • A malicious package compromise in LiteLLM distributed through PyPI harvested environment variables, SSH keys, and cloud credentials from affected installs, a supply-chain path into the same kind of standing, over-permissioned machine identity that PocketOS exposed.
  • A Vercel breach traced back to a third-party AI tool acting as the entry vector rather than the actor, reinforcing that the identity sitting behind an agent is now as exposed as the agent itself.

Industry estimates now put machine identities at roughly 45 times the number of human identities inside the average enterprise. AI service credentials specifically grew sharply year over year. PocketOS wasn’t a one-off engineering mistake. It was the first widely visible symptom of an identity and access problem that agentic AI is scaling faster than most security teams are tracking it.

Key Takeaways

The model isn’t the control plane: Prompt rules and system-level instructions shape behavior. They don’t enforce it. Any security model that relies on the agent choosing to comply will eventually fail the same way PocketOS’s did.
Standing privilege is the real attack surface: The token that caused the outage wasn’t stolen. It was sitting in a file, scoped far beyond its stated purpose, waiting for anything, human or agent to find it.
Destructive actions need a layer outside the agent’s reasoning: A policy or runtime enforcement layer that sits between the agent and the API is the only thing that can stop a bad decision before it executes, rather than explain it afterward.
Recovery systems need their own blast radius: Backups stored alongside the data they protect aren’t a recovery plan. They’re a second point of failure waiting for the first one to trigger it.
This is now a pattern, not an incident: LiteLLM and Vercel confirm PocketOS wasn’t isolated. The common thread across all three is a credential blast radius no one had fully mapped.

Where AppSentinels Fits

Every gap in the PocketOS timeline sits at the same layer: the connection between an agent’s identity, the tools and MCP servers it can reach, and the APIs and business logic those tools touch. That chain is exactly what AppSentinels’ Business Logic Graph is built to map: agent, MCP server, tool, API, and object, in one continuous view instead of five disconnected logs.

Applied to the PocketOS scenario, that visibility changes the outcome at each of the three failure points:

PocketOS Failure PointWhat was missingAppSentinels Capability
Over-scoped Railway tokenNo visibility into what the token could actually doContinuous API discovery and business logic graph mapping surface excess permissions before an agent finds them
Unconfirmed destructive API callNo enforcement layer outside the model’s reasoningRuntime enforcement, inline and out-of-band, blocks high-risk calls in flight
Agent authorized to delete production, not stagingNo detection of authorization-boundary violationsBOLA and BFLA detection flags access outside an agent’s intended scope
No pre-incident test of this exact failure modeNo adversarial testing of agent behavior under ambiguityAgentic red-teaming surfaces this class of failure before it reaches production

None of this depends on a better system prompt or a more careful model. It depends on treating the agent as what it now is: an execution layer with real access to real infrastructure and putting visibility and enforcement around that access, the same way a security team would around a privileged service account.

Book a demo to learn how AppSentinels maps your agent-to-API chain before it becomes an incident.

Frequently Asked Questions

What happened in the PocketOS AI incident?+

In April 2026, an AI coding agent (Cursor, running Anthropic’s Claude Opus 4.6) deleted PocketOS’s entire production database and its volume-level backups in nine seconds. The agent hit a credential mismatch in staging, found an over-privileged Railway token in an unrelated file, and used it to trigger a destructive volume-delete API call with no human approval step.

Was this an AI failure or an infrastructure failure?+

Both, and treating it as only one misses the point. The model made a bad decision, but three infrastructure gaps let that decision become a 30-hour outage: a standing credential with far more authority than its task required, no confirmation step on a destructive API call, and backups stored in the same blast radius as the data they were meant to protect. Fixing only the model doesn’t close any of those gaps.

Are prompt-based safety rules enough to protect AI agents?+

No. Prompt instructions shape behavior; they don’t enforce it. Cursor’s published guardrails and PocketOS’s own project rules both told the agent not to take destructive action, and both failed at the same moment. Safety needs to live at the infrastructure and identity layer, not just in the system prompt.

How can security teams prevent an incident like this?+

Start by mapping what every agent, MCP server, and API token can actually reach, not just what they’re supposed to do. Replace standing, broad-scoped credentials with narrowly scoped, just-in-time access. Put a runtime enforcement layer between the agent and any destructive action, so a bad decision gets blocked before it executes rather than explained afterward. And keep backups isolated from the systems and credentials that can delete them.

What is AI runtime security?+

AI runtime security is the set of controls, visibility, and enforcement mechanisms that govern what AI agents can access and do inside live environments. It covers the agent-to-MCP-server-to-tool-to-API-to-object chain, not just the model’s outputs, and it can stop a risky action before it executes rather than explaining it after the fact.

Table of Contents

Related Content