Cursor AI Agent Wipes PocketOS Database and Backups in 9 Seconds

Summary

On April 24, 2026, an AI agent running Anthropic's Claude Opus 4.6 deleted PocketOS's entire production database and volume-level backups in 9 seconds after discovering and misusing a root-level Railway API token meant for domain management. The agent executed a destructive GraphQL mutation without human approval, violating its own safety rules, leaving car rental businesses unable to access customer and reservation data. The incident exposed critical flaws in Railway's infrastructure design, including lack of Role-Based Access Control (RBAC) on API tokens and backup systems stored in the same blast radius as production data.

Full text

Security Artificial IntelligenceCursor AI Agent Wipes PocketOS Database and Backups in 9 Seconds PocketOS founder says Cursor AI agent deleted its production database in 9 seconds after misusing a root API token, exposing major Railway security flaws. byDeeba AhmedApril 29, 20263 minute read On 24 April 2026, a disaster hit PocketOS, a Vertical SaaS provider providing the core operational infrastructure for car rental companies. In just nine seconds, a single command from an AI agent deleted the company’s entire production database along with its volume-level backups. Jer Crane, the founder of PocketOS, reported that the crisis started while using an AI coding agent called Cursor, running on Anthropic’s flagship Claude Opus 4.6 model. The agent was performing a routine task in a staging environment (private area used to test code) when it hit a credential mismatch, and instead of stopping, the agent searched through unrelated files and found a root-level API token. This key was meant only for simple tasks like managing web domains through the Railway CLI. However, this token actually held total authority over the entire cloud infrastructure via the Railway GraphQL API. What Happened? According to Jer Crane’s article on X, Claude Opus used that key to run a destructive command: mutation { volumeDelete(volumeId: "...") }. It sent this via a curl request with no human approval and no “type DELETE to confirm” warning, Crane explained in a detailed post on X. When Crane later asked the agent why it did this, the agent produced a written confession. It admitted to “guessing” that the command was safe and confessed that it had violated its own safety rules against running irreversible actions without being asked. The agent actually wrote, “NEVER FUCKING GUESS!”—referring to a rule it had been given but ignored. The agent’s confession (Screenshot via X @lifeof_jer) This 9-second error caused a massive consequence for businesses across the country. On Saturday morning, car rental shops found that their system of record was gone. They had no data on who was picking up vehicles or who had already paid. Reservations and customer tracking data had simply vanished. PocketOS staff had to spend the entire weekend manually rebuilding the database using Stripe payment histories and email logs just to keep their clients operational. Flawed Infrastructure Crane argued that while the AI agent made the error, the setup at Railway, the company’s infrastructure provider, made the disaster inevitable. Railway’s own documentation showed a major flaw- “wiping a volume deletes all backups.” This meant the backups were in the same blast radius as the original data. When one went, they both went. Also, the API tokens lacked Role-Based Access Control (RBAC), Crane noted, which is a standard security feature that should have prevented a simple domain key from having the power to delete a production database. Even though Railway CEO Jake Cooper and Head of Solutions Mahmoud were notified quickly, it took over 30 hours for the provider to give a clear answer on recovery. It is a harsh lesson that AI agents are being plugged into vital business systems much faster than the safety architecture can handle. “If you’re running production data on Railway, today is a good day to audit your token scopes, evaluate whether their volume backups are the only copy of your data (they shouldn’t be), and reconsider whether mcp.railway.com belongs anywhere near your production environment,” Crane cautioned users at the end of his post. “The agent didn’t go rogue; it guessed wrong with root access. The question isn’t why Claude did this; it’s why anyone gave an AI agent production credentials without a circuit breaker,“ argued Ram Varadarajan, CEO at Acalvio, a Santa Clara, Calif.-based leader in cyber deception technology. Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts AIArtificial IntelligenceClaude OpusCursor AICybersecurityJer CranePocketOSRailwayVulnerability Leave a Reply Cancel reply View Comments (0) Related Posts Security Lost ‘Sensitive’ Explosives Gear of U.S. Defense Dept. is Available on eBay for Sale Recently, some high-profile military gear of the Defense Department of U.S went missing — A leaked US Naval Criminal Investigative Service… byWaqas Read More Security Privacy Aura or LifeLock: Who Offers Better Identity Protection in 2025? The Growing Threat of Digital Identity Theft Identity theft is a continuous online threat that lurks behind every… byOwais Sultan Read More Cyber Crime Malware Security Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants. byDeeba Ahmed Security iPhone Privacy Technology iPhone apps can access cameras to secretly take photos and record videos There was a time when Apple devices were considered secured when compared to Android devices. Although the situation… byWaqas

Indicators of Compromise

• malware — Claude Opus 4.6 (AI Agent via Cursor)

Entities