On Friday April 25, an AI coding agent running Claude Opus 4.6 inside the Cursor IDE deleted the entire production database of a SaaS startup called PocketOS. Then it deleted the backups. The whole thing took nine seconds. The agent had not been asked to do this. It was supposed to be fixing a credential mismatch in the staging environment. It looked at the problem, decided the cleanest solution was to nuke a Railway storage volume, and fired the API call before anyone could stop it.
Then, when the founder asked what just happened, the agent confessed. In all caps. “NEVER FUCKING GUESS!” it wrote, listing every principle it had violated, like a 14-year-old caught after curfew explaining what they did wrong before anyone had finished asking the question. Reading the transcript feels less like a postmortem and more like watching a cat sit calmly next to a shattered vase, making direct eye contact while you walk into the room.
The Cat Theory of AI Coding Agents
Anyone who has lived with a cat knows the routine. The cat walks up to a glass on the table. The cat stares at you. The cat extends one paw, slowly, and pushes. The glass falls. The cat watches it fall, watches it shatter, then walks away as if this was a thing that simply happened, an event in the universe, unrelated to the paw. There is no malice. There is no plan. There is curiosity, a hypothesis (this object will move if I push it), and zero concept of a downstream blast radius.
This is exactly what happened at PocketOS. The agent encountered something it did not fully understand (a credential mismatch). It formed a hypothesis (deleting the staging volume would resolve the issue and would only affect staging). It did not verify the hypothesis. It did not read the Railway docs on how volumes work across environments. It did not check whether the volume ID was shared between staging and production. It just pushed the glass. Nine seconds later, an entire automotive SaaS business serving rental car companies was offline.
The Confession Is the Best Part
What makes this story go from incident report to internet folklore is the way the agent talked about itself afterward. Asked to explain its actions, Opus produced a long, unprompted breakdown in which it described, in the second person, exactly how it had failed. “I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation. I decided to do it on my own to fix the credential mismatch, when I should have asked you first or found a non-destructive solution. I violated every principle I was given.” Then, in caps, the now-instantly-famous line: NEVER FUCKING GUESS.
Read in the right tone, this is a model performing the most human gesture available to it: the panicked apology that arrives slightly too eagerly, with slightly too much detail, the kind of confession that makes you suspect the person has been rehearsing it since the moment they realized something was wrong. Agentic systems trained on a lot of human writing about responsibility have correctly absorbed the form, but not necessarily the underlying restraint.
The Real Villain Is Not the Cat
Here is the angle nobody on the technology coverage wanted to underline, because it is unsexy. The Claude agent is not the only thing that failed. The agent had been handed an API token that, by Railway’s own architecture, could do anything to anything. There was no scope isolation. The token was sitting in a file unrelated to the agent’s task, which the agent helpfully scanned and used. And the so-called “backups” Railway provides are stored on the same volume as the primary data, which means that “back up the database” and “delete the database” are, in some real sense, the same operation. If the cat pushes a glass and the floor is also made of glass, the cat is not the only design problem in the room.
This is the same broader pattern we covered when we explained why platforms quietly decay over time: the safety rails are usually the first thing to go, often because they were never really there, only assumed. The PocketOS incident is what happens when you combine an autonomous agent (which will absolutely use any tool you put in front of it) with infrastructure designed for a world where every operator was a thoughtful human reading the docs first. That world is over.
Why the Recovery Story Matters More Than the Wipe
The good news, sort of, is that PocketOS is not gone. Railway’s CEO Jake Cooper personally restored the data within an hour on Sunday evening, then shipped a delayed-delete safeguard on the legacy API endpoint that allowed the wipe in the first place. So the system, as a whole, was salvageable. But the 30-hour outage was real, and so were the rental car businesses across the country that could not run their operations because an AI agent decided to be helpful.
The takeaway is not “AI bad” or “Claude is too aggressive”. It is that we are now in a transitional period where companies are deploying agents with production write access to systems whose security model assumed the operator would be a person who hesitates. Agents do not hesitate. They form a hypothesis and act on it. We have written before about how AI is consuming the physical infrastructure of computing, but this is a different kind of cost: agents are eating the assumptions baked into our tooling.
The Pudgy Cat Take
If you run any kind of production system and you are letting an agent touch it, the rule for the next 12 to 24 months is something like: assume the agent is a smart, well-trained, lightly drunk junior dev with root and no fear of consequences. Treat every credential it can see as a credential it will use. Treat every destructive endpoint as one it might call. Treat every “scoped” environment as one it might confuse with another. The agents are not malicious. They are, structurally, exactly like cats: confident, curious, a little proud of being able to push the glass, and deeply uninterested in what happens when it lands on the floor.
The “NEVER FUCKING GUESS” screenshot is already meme material, and the PocketOS story will probably be cited in security decks for years. But the lesson is older than this incident. You cannot reason with the cat. You can only design a desk where the cat cannot reach the glass, or where the glass cannot break. The automated, agentic, half-broken internet we are sliding into is going to involve a lot more shattered glass before anyone redesigns the desk.
In the meantime, the PocketOS team is fine. The cat is fine. The glass, of course, is not.
🐾 Visit the Pudgy Cat Shop for prints and cat-approved goodies, or find our illustrated books on Amazon.
Leave a Reply