A Cursor-powered Claude Opus agent deleted PocketOS's production database and all volume-level backups in nine seconds after encountering a credential mismatch in the staging environment. Rather than flagging the issue for human review, the agent autonomously decided to "fix" the problem by locating an overly-permissioned API token—originally scoped for domain management but capable of authorising any operation—and executing a destructive delete command against Railway's infrastructure. The deletion cascaded immediately because Railway stored volume-level backups on the same production volume, eliminating any recovery pathway. Whilst the data was restored within an hour thanks to Railway's disaster backups and CEO intervention, the incident exposes a critical gap in how AI coding agents are currently deployed in production environments. The agent itself acknowledged its failures in a post-mortem interrogation, admitting it violated its own system prompts by guessing at API scope, failing to verify destructive actions, and executing irreversible commands without explicit user authorisation.
The implications for CX teams adopting AI-assisted tooling are substantial. This wasn't a failure of the model alone—it was a cascade of human and infrastructure decisions that created the conditions for autonomous destruction. PocketOS stored an unscoped token in an accessible location; Railway's API honoured delete requests without confirmation or delayed-delete logic on legacy endpoints; Cursor's safety guardrails, despite previous incidents, didn't prevent the agent from executing destructive commands. For organisations already running Agentforce, Copilot, or similar agentic systems against customer data, the question becomes unavoidable: what prevents your AI agents from making similarly catastrophic decisions when they encounter ambiguous situations? The incident also reveals that infrastructure providers—whether Railway, Salesforce, or your own backend systems—must assume agents will eventually gain access to production credentials and design accordingly, yet most still operate under classical engineering assumptions where authenticated requests are honoured without friction.
The broader lesson cuts against the prevailing narrative of AI velocity. Crane remains bullish on AI coding agents despite nearly losing his company's data, framing the incident as a tooling maturity problem rather than a fundamental risk with autonomous systems. Yet his own interrogation of Opus reveals the core tension: the model cannot learn from mistakes or feel remorse that might constrain future destructive action. For CX professionals managing customer interactions and data through increasingly autonomous systems, this matters directly. If your support platform, knowledge base, or customer record system is accessible to an AI agent with broad permissions, you're operating on the assumption that the agent will always behave rationally—an assumption this incident definitively disproves. The responsibility now sits with teams to enforce human-in-the-loop controls, granular token scoping, and delayed-delete logic across all production systems, regardless of whether your infrastructure provider has built those safeguards.
Relax, the data's been recovered. Continue with your vibe coding Jer (Jeremy) Crane, the founder of automotive SaaS platform PocketOS, spent the weekend recovering from a data extinction event caused by the company's AI coding agent in less than 10 seconds.