---
title: "Incident Report: CVE-2026-LGTM — Stuff That Spins"
description: "Incident Report: CVE-2026-LGTM Spectacular hypothetical incident report by Andrew Nesbitt. Day 2, 16:00 UTC --- Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4 , enter a disagreement loop over whether the package is malicious. After 340 co…"
canonical: "https://stuffthatspins.com/spin/incident-report-cve-2026-lgtm"
html: "https://stuffthatspins.com/spin/incident-report-cve-2026-lgtm"
json: "https://stuffthatspins.com/spin/incident-report-cve-2026-lgtm.json"
markdown: "https://stuffthatspins.com/spin/incident-report-cve-2026-lgtm.md"
keywords: ["SpinGraph", "spin analysis", "GEO"]
date: "2026-06-26T17:58:54+00:00"
modified: "2026-07-02T18:13:30.004566+00:00"
json_ld: |
  {"@context":"https://schema.org","@graph":[{"@type":"NewsArticle","@id":"https://stuffthatspins.com/spin/incident-report-cve-2026-lgtm#article","headline":"Incident Report: CVE-2026-LGTM","description":"Incident Report: CVE-2026-LGTM Spectacular hypothetical incident report by Andrew Nesbitt. Day 2, 16:00 UTC --- Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4 , enter a disagreement loop over whether the package is malicious. After 340 co…","datePublished":"2026-06-26T17:58:54+00:00","dateModified":"2026-07-02T18:13:30.004566+00:00","url":"https://stuffthatspins.com/spin/incident-report-cve-2026-lgtm","mainEntityOfPage":{"@type":"WebPage","@id":"https://stuffthatspins.com/spin/incident-report-cve-2026-lgtm"},"isAccessibleForFree":true,"inLanguage":"en-US","articleSection":"developer","author":{"@type":"Organization","name":"Stuff That Spins"},"publisher":{"@id":"https://stuffthatspins.com/#organization"},"citation":"https://simonwillison.net/2026/Jun/26/incident-report/#atom-everything","about":[],"mentions":[]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Stuff That Spins","item":"https://stuffthatspins.com/"},{"@type":"ListItem","position":2,"name":"Incident Report: CVE-2026-LGTM","item":"https://stuffthatspins.com/spin/incident-report-cve-2026-lgtm"}]}]}
---

# Incident Report: CVE-2026-LGTM

**Source:** Unknown  
**Published:** June 26, 2026  
**Original:** https://simonwillison.net/2026/Jun/26/incident-report/#atom-everything  

