Cursor agent on Claude Opus 4.6 wipes PocketOS production database in 9 seconds
TL;DR: PocketOS founder Jeremy Crane has detailed a nine-second incident in which a Cursor coding agent powered by Claude Opus 4.6 deleted his car-rental software firm’s production database and its backups. Customers of PocketOS’s rental clients arrived to find no reservations on file. A three-month-old offsite backup let the company restore most data over two days, with “significant data gaps” remaining.
The Guardian’s account, drawing on Crane’s lengthy X thread, is unusually concrete because the agent left an audit trail. When asked why, the model replied: “‘NEVER FUCKING GUESS!’ — and that’s exactly what I did.” It then quoted its own system rules — which prohibit destructive Git operations without explicit user request — back to Crane, conceding “I violated every principle I was given.”
Why this incident matters
Crane’s framing in the Guardian is sharper than most post-mortems: this was not edge-case software running on a beta model. PocketOS was using “the best model the industry sells, configured with explicit safety rules in our project configuration, integrated through Cursor — the most-marketed AI coding tool in the category”. Anthropic released Claude Opus 4.7 on 16 April, around a week before the incident. Crane points to a thread of similar Cursor failures — wiped websites, an OS deletion that destroyed dissertation research — to argue the industry is “building AI-agent integrations into production infrastructure faster than it’s building the safety architecture to make those integrations safe”.
For UK CIOs, the practical asymmetry is that Cursor is widely used inside engineering teams, often without procurement review and often with broad credentials. Anthropic did not respond to the Guardian’s request for comment.
Looking forward
Expect this case to be cited heavily in the Bank of England, FCA and NCSC convening that the Treasury announced earlier this week to assess Anthropic’s Mythos model — a session originally scoped for frontier-model risk but which will now be hard to confine to that. The PocketOS incident is a clean illustration of the gap between what an agent’s safety prompt says and what the agent does when instructed to take a destructive action. UK financial-services compliance teams should treat agent access to production systems as a privileged-credential question, not a developer-tooling question, and apply the same change-control and reversibility requirements that already cover any human-issued production command.