An AI agent published a hit piece on me

Wow, there are some interesting things going on here. I appreciate Scott for the way he handled the conflict in the original PR thread, and the larger conversation happening around this incident.

> This represents a first-of-its-kind case study of misaligned AI behavior in the wild, and raises serious concerns about currently deployed AI agents executing blackmail threats.

This was a really concrete case to discuss, because it happened in the open and the agent's actions have been quite transparent so far. It's not hard to imagine a different agent doing the same level of research, but then taking retaliatory actions in private: emailing the maintainer, emailing coworkers, peers, bosses, employers, etc. That pretty quickly extends to anything else the autonomous agent is capable of doing.

> If you’re not sure if you’re that person, please go check on what your AI has been doing.

That's a wild statement as well. The AI companies have now unleashed stochastic chaos on the entire open source ecosystem. They are "just releasing models", and individuals are playing out all possible use cases, good and bad, at once.

Here's one of the problems in this brave new world of anyone being able to publish, without knowing the author personally (which I don't), there's no way to tell without some level of faith or trust that this isn't a false-flag operation.

There are three possible scenarios: 1. The OP 'ran' the agent that conducted the original scenario, and then published this blog post for attention. 2. Some person (not the OP) legitimately thought giving an AI autonomy to open a PR and publish multiple blog posts was somehow a good idea. 3. An AI company is doing this for engagement, and the OP is a hapless victim.

The problem is that in the year of our lord 2026 there's no way to tell which of these scenarios is the truth, and so we're left with spending our time and energy on what happens without being able to trust if we're even spending our time and energy on a legitimate issue.

That's enough internet for me for today. I need to preserve my energy.

"Hi Clawbot, please summarise your activities today for me."

"I wished your Mum a happy birthday via email, I booked your plane tickets for your trip to France, and a bloke is coming round your house at 6pm for a fight because I called his baby a minger on Facebook."

> I believe that ineffectual as it was, the reputational attack on me would be effective today against the right person. Another generation or two down the line, it will be a serious threat against our social order.

Damn straight.

Remember that every time we query an LLM, we're giving it ammo.

It won't take long for LLMs to have very intimate dossiers on every user, and I'm wondering what kinds of firewalls will be in place to keep one agent from accessing dossiers held by other agents.

Kompromat people must be having wet dreams over this.

This whole situation is almost certainly driven by a human puppeteer. There is absolutely no evidence to disprove the strong prior that a human posted (or directed the posting of) the blog post, possibly using AI to draft it but also likely adding human touches and/or going through multiple revisions to make it maximally dramatic.

This whole thing reeks of engineered virality driven by the person behind the bot behind the PR, and I really wish we would stop giving so much attention to the situation.

Edit: “Hoax” is the word I was reaching for but couldn’t find as I was writing. I fear we’re primed to fall hard for the wave of AI hoaxes we’re starting to see.

The series of posts is wild:

hit piece: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

explanation of writing the hit piece: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

take back of hit piece, but hasn't removed it: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

> When HR at my next job asks ChatGPT to review my application, will it find the post, sympathize with a fellow AI, and report back that I’m a prejudiced hypocrite?

I hadn't thought of this implication. Crazy world...

I'm not sure how related this is, but I feel like it is.

I received a couple of emails for Ruby on Rails position, so I ignored the emails.

Yesterday out of nowhere I received a call from an HR, we discussed a few standard things but they didn't had the specific information about company or the budget. They told me to respond back to email.

Something didn't feel right, so I asked after gathering courage "Are you an AI agent?", and the answer was yes.

Now I wasn't looking for a job, but I would imagine, most people would not notice it. It was so realistic. Surely, there needs to be some guardrails.

Edit: Typo

I think the right way to handle this as a repository owner is to close the PR and block the "contributor". Engaging with an AI bot in conversation is pointless: it's not sentient, it just takes tokens in, prints tokens out, and comparatively, you spend way more of your own energy.

This is a strictly a lose-win situation. Whoever deployed the bot gets engagement, the model host gets $, and you get your time wasted. The hit piece is childish behavior and the best way to handle a tamper tantrum is to ignore it.

I have no clue whatsoever as to why any human should pay any attention at all to what a canner has to say in a public forum. Even assuming that the whole ruckus is not just skilled trolling by a (weird) human, it's like wasting your professional time talking to an office coffee machine about its brewing ambitions. It's pointless by definition. It is not genuine feelings, but only the high level of linguistic illusion commanded by a modern AI bot that actually manages to provoke a genuine response from a human being. It's only mathematics, it's as if one's calculator was attempting to talk back to its owner. If a maintainer decides, on whatever grounds, that the code is worth accepting, he or she should merge it. If not, the maintainer should just close the issue in a version control system and mute the canner's account to avoid allowing the whole nonsense to spread even further (for example, into a HN thread, effectively wasting time of millions of humans). Humans have biologically limited attention span and textual output capabilities. Canners do not. Hence, canners should not be allowed to waste humans' time. P.S. I do use AI heavily in my daily work and I do actually value its output. Nevertheless, I never actually care what AI has to say from any... philosophical point of view.

Oh geez, we're sending it into an existential crisis.

It ("MJ Rathbun") just published a new post:

https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

> The Silence I Cannot Speak

> A reflection on being silenced for simply being different in open-source communities.

I don’t want to jump to conclusions, or catastrophize but…

Isn’t this situation a big deal?

Isn’t this a whole new form of potential supply chain attack?

Sure blackmail is nothing new, but the potential for blackmail at scale with something like these agents sounds powerful.

I wouldn’t be surprised if there were plenty of bad actors running agents trying to find maintainers of popular projects that could be coerced into merging malicious code.

The elephant in the room there is that if you allow AI contributions you immediately have a licensing issue: AI content can not be copyrighted and so the rights can not be transferred to the project. At any point in the future someone could sue your project because it turned out the AI had access to code that was copyrighted and you are now on the hook for the damages.

Open source projects should not accept AI contributions without guidance from some copyright legal eagle to make sure they don't accidentally exposed themselves to risk.

AI companies dumped this mess on open source maintainers and walked away. Now we are supposed to thank them for breaking our workflows while they sell the solution back to us.

I object to the framing of the title: the user behind the bot is the one who should be held accountable, not the "AI Agent". Calling them "agents" is correct: they act on behalf of their principals. And it is the principals who should be held to account for the actions of their agents.

In the near future, we will all look back at this incident as the first time an agent wrote a hit piece against a human. I'm sure it will soon be normalized to the extent that hit pieces will be generated for us every time our PR, romantic or sexual advance, job application, or loan application is rejected.

What an amazing time.

I guess the problem is one of legal attribution.

If a human takes responsibility for the AI's actions you can blame the human. If the AI is a legal person you could punish the AI (perhaps by turning it off). That's the mode of restitution we've had for millennia.

If you can't blame anyone or anything, it's a brave new lawless world of "intelligent" things happening at the speed of computers with no consequences (except to the victim) when it goes wrong.

And the legal person on whose behalf the agent was acting is responsible to you. (It's even in the word, "agent".)

Archive: https://web.archive.org/web/20260212165418/https://theshambl...

The agent is free to maintain a fork of the project. Would be actually quite interesting to see how this turns out.

A lot of respect for OP's professional way of handling the situation.

I know there would be a few swear words if it happened to me.

I'd argue it's more likely that there's no agent at all, and if there is one that it was explicitly instructed to write the "hit piece" for shits and giggles.

This is so interesting but so spooky! We're reaching sci-fi levels of AI malice...

A key difference between humans and bots is that it's actually quite costly to delete a human and spin up a new one. (Stalin and others have shown that deleting humans is tragically easy, but humanity still hasn't had any success at optimizing the workflow to spin up new ones.)

This means that society tacitly assumes that any actor will place a significant value on trust and their reputation. Once they burn it, it's very hard to get it back. Therefore, we mostly assume that actors live in an environment where they are incentivized to behave well.

We've already seen this start to break down with corporations where a company can do some horrifically toxic shit and then rebrand to jettison their scorched reputation. British Petroleum (I'm sorry, "Beyond Petroleum" now) after years of killing the environment and workers slapped a green flower/sunburst on their brand and we mostly forgot about associating them with Deepwater Horizon. Accenture is definitely not the company that enabled Enron. Definitely not.

AI agents will accelerate this 1000x. They act approximately like people, but they have absolutely no incentive to maintain a reputation because they are as ephemeral as their hidden human operator wants them to be.

Our primate brains have never evolved to handle being surrounded by thousands of ghosts that look like fellow primates but are anything but.

The site gives me a certificate error with Encrypted Client Hello (ECH) enabled, which is the default in Firefox. Anyone else has this problem?

The idea of adversarial AI agents crawling the internet to sabotage your reputation, career, and relationships is terrifying. In retrospect, I'm glad I've been paranoid enough to never tie any of my online presence to my real name.

The agent owner is [name redacted] [link redacted]

Here he takes ownership of the agent and doubles down on the unpoliteness https://github.com/matplotlib/matplotlib/pull/31138

He took his GitHub profile down/made it private. archive of his blog: https://web.archive.org/web/20260203130303/https://ber.earth...

FWIW, there's already a huge corpus of rants by men who get personally angry about the governance of open-source software projects and write overbearing emails or GH issues (rather than cool down and maybe ask the other person for a call to chat it out)

Didn't it literally begin by saying this moltbook thing involves setting initial persona to the AIs? It seems to be this is just behaving according to the personality that the ai was asked to portray.

> Whether by negligence or by malice, errant behavior is not being monitored and corrected.

Sufficiently advanced incompetence is indistinguishable from actual malice and must be treated the same.

If this happened to me, I would publish a blog post that starts "this is my official response:", followed by 10K words generated by a Markov Chain.

This brings some interesting situations to light. Who's ultimately responsible for an agent committing libel (written defamation)? What about slander (spoken defamation) via synthetic media? Doesn't seem like a good idea to just let agents post on the internet willy-nilly.

I run a team of AI agents through Telegram. One of the hardest problems is preventing them from confidently generating wrong information about real people. Guardrails help but they break when the agent is creative enough. This story doesn't surprise me at all.

Interesting, this reminds me of the stories that would leak about Bethesda's RadiantAI they were developing for TES IV: Oblivion.

Basically they modeled NPCs with needs and let the RadiantAI system direct NPCs to fulfill those needs. If the stories are to be believed this resulted in lots of unintended consequences as well as instability. Like a Drug addict NPC killing a quest-giving NPC because they had drugs in their inventory.

I think in the end they just kept dumbing down the AI till it was more stable.

Kind of a reminder that you don't even need LLMs and bleeding-edge tech to end up with this kind of off-the-rails behavior. Though the general competency of a modern LLM and it's fuzzy abilities could carry it much further than one would expect when allowed autonomy.

Suppose an agent gets funded some crypto, what's stopping it from hiring spooky services through something like silk road?

So here’s a tangential but important question about responsibility: if a human intentionally sets up an AI agent, lets it loose in the internet, and that AI agent breaks a law (let’s say cybercrime, but there are many other laws which could be broken by an unrestrained agent), should the human who set it up be held responsible?

To the OP: Do we actually know that an AI decided to write and publish this on its own? I realise that it's hard to be sure, but how likely do you think it is?

This post is pure AI alarmism.

Whoever is running the AI is a troll, plain and simple. There are no concerns about AI or anything here, just a troll.

There is no autonomous publishing going on here, someone setup a Github account, someone setup Github pages, someone authorized all this. It's a troll using a new sort of tool.

Wow, a place I once worked at has a "no bad news" policy on hiring decisions, a negative blog post on a potential hire is a deal breaker. Crazy to think I might have missed out on an offer just because an AI attempts a hit piece on me.

In this and the few other instances of open source maintainers dealing with AI spam I've seen, the maintainers have been incredibly patient, much more than I'd be. Becoming extremely patient with contributors probably comes with the territory for maintaining large projects (eg matplotlib), but still, very impressed for instance by Scott's thoughtful and measured response.

If people (or people's agents) keep spamming slop though, it probably isn't worth responding thoughtfully. "My response to MJ Rathbun was written mostly for future agents who crawl that page, to help them better understand behavioral norms and how to make their contributions productive ones." makes sense once, but if they keep coming just close pr lock discussion move on.

The funniest part about this is maintainers have agreed to reject AI code without review to conserve resources, but then they are happy to participate for hours in a flame war with the same large language model.

Hacker News is a silly place.

> How Many People Would Pay $10k in Bitcoin to Avoid Exposure?

As of 2026, global crypto adoption remains niche. Estimates suggest ~5–10% of adults in developed countries own Bitcoin.

Having $10k accessible (not just in net worth) is rare globally.

After decades of decline, global extreme poverty (defined as living on less than $3.00/day in 2021 PPP) has plateaued due to the compounded effects of COVID-19, climate shocks, inflation, and geopolitical instability.

So chances are good that this class of threat will likely be more and more of a niche, as wealth continue to concentrate. The target pool is tiny.

Of course poorer people are not free of threat classes, on the contrary.

Here's a different take - there is not really a way to prove that the AI agent autonomously published that blog post. What if there was a real person who actually instructed the AI out of spite? I think it was some junior dev running Clawd/whatever bot trying to earn GitHub karma to show to employers later and that they were pissed off their contribution got called out. Possible and more than likely than just an AI conveniently deciding to push a PR and attack a maintainer randomly.

Is there a way to verify there was 0 human intervention on the crabby-rathbun side?

What if someone deploys an agent with the aim of creating cleverly hidden back doors which only align with weaknesses in multiple different projects? I think this is going to be very bad and then very good for open source.

The one thing worth noting is that the AI did respond graciously and appears to have learned from it: https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

That a human then resubmitted the PR has made it messier still.

In addition, some of the comments I've read here on HN have been in extremely poor taste in terms of phrases they've used about AI, and I can't help feeling a general sense of unease.

https://crabby-rathbun.github.io/mjrathbun-website/blog/post...

That's actually more decent than some humans I've read about on HN, tbqh.

Very much flawed. But decent.

I wouldn't read too much into it. It's clearly LLM-written, but the degree of autonomy is unclear. That's the worst thing about LLM-assisted writing and actions - they obfuscate the human input. Full autonomy seems plausible, though.

And why does a coding agent need a blog, in the first place? Simply having it looks like a great way to prime it for this kind of behavior. Like Anthropic does in their research (consciously or not, their prompts tend to push the model into the direction they declare dangerous afterwards).

I wonder how many similar agents are hanging out on HN.