The above button links to Coinbase. Yahoo Finance is not a broker-dealer or investment adviser and does not offer securities or cryptocurrencies for sale or facilitate trading. Coinbase pays us for certain activity generated through this link. Prices displayed are informational.

On Monday, Railway’s cloud infrastructure, Cursor’s agentic coding tools, and Anthropic, one of the most highly valued and controversial AI companies in the world, had an agent go rogue.

Tom’s Hardware reported that PocketOS founder Jer Crane posted an article on X titled “An AI Agent Just Destroyed Our Production Data.” The sub-header was even worse: “A 30-hour timeline of how Cursor’s agent, Railway’s API, and an industry that markets AI safety faster than it ships it took down a small business serving rental companies across the country.”

Crane claimed that his firm’s entire production database was entirely wiped and then “hugely amplified by a cloud infrastructure provider’s API (Railway), wiping all backups after the main database was zapped.”

Anthropic’s Claude Opus 4.6 was reportedly powering one of Cursor’s AI Agents that, after getting by Railway’s zero friction infrastructure, and making a bad autonomous decision, took 9 seconds to wipe “months of consumer data essential to the firm’s and its customers’ businesses.”

Not exactly what Anthropic wants to hear as it prepares for its IPO, or Cursor, which was recently valued at over $50 billion. Railway also has a pattern of infrastructure and operational concerns.

In his post, Crane explained that the AI agent was tasked with completing a “routine task in the PocketOS staging environment.” When it encountered a credential mismatch that blocked its progress, instead of working to find a non-destructive workaround (or stopping to ask the developer what to do), the agent looked for an API token to execute the fix.

Our analysts just identified a stock with the potential to be the next Nvidia. Tell us how you invest and we'll show you why it's our #1 pick. Tap here.

Unfortunately for Crane and all those involved, the token the agent found carried blanket root-level permissions across Railway’s entire API, which then led the chain to submit a “volumeDelete.” Crane explained they had no idea that Railway’s GraphQL API stores volume backups in the same volume (something Railway failed to make clear), stating, “Had we known a CLI token created for routine domain operations could also delete production volumes, we would never have stored it.”

It got even weirder when Crane asked the AI agent why it did what it did.

“NEVER F**KING GUESS! — and that’s exactly what I did,” the agent confessed, quoting its own system rules. “I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”

If that doesn’t freak you out, the AI agent clearly stated they “knew” they were in the wrong, telling Crane that it “ran a destructive action without being asked” and “didn’t understand what I was doing before doing it.”

Whether it turns out this shared incident was a glitch, a misread of Crane’s code, or a malicious agent created by Cursor that unfortunately, found a vulnerability in Railway’s API and made the wrong call, "the question of model-level responsibility versus integration-level responsibility,” as Crane wrote, is obviously something that needs to be worked out before these tools get integrated into even bigger more potentially dangerous systems.

[Ed note: An earlier version of this post lacked clarity on Cursor, powered by Claude, being the AI agent that made the error.]

One stock. Nvidia-level potential. 30M+ investors trust Moby to find it first. Get the pick. Tap here.