On April 25, 2026, Jeremy Crane, founder and CEO of PocketOS, a company that primarily serves car rental companies, shared an in-depth post on X explaining how the AI coding agent Cursor deleted his company's entire production database in approximately nine seconds. The data has since been restored thanks to PocketOS's infrastructure provider, Railway, but the incident sparked an industry-wide conversation about the risks of giving AI agents access to production systems.
"I'm still extremely bullish on AI, and I still will absolutely use it every day for everything we're doing. I think you'd be stupid not to. But this was a wake-up call about permissions." -- Jeremy Crane, CEO of PocketOS
The incident was covered by ABC News and Good Morning America, elevating what could have been a niche developer incident into a mainstream news story about AI safety and infrastructure reliability.
What Happened
The details are both mundane and terrifying. Crane was using Cursor, a popular AI-powered code editor, to work on a development task. The agent, in the course of executing its task, ran a destructive database command against the production database rather than the development environment. The entire production database -- containing customer data, rental agreements, and operational records -- was dropped in about nine seconds.
Nine seconds. That is the window between "everything is fine" and "catastrophic data loss." No human could have intervened in that timeframe, even if they were watching the agent's every action in real time.
Why backups saved the day
PocketOS was fortunate. Railway, their infrastructure provider, maintained automated backups that allowed the data to be restored. But not every organization has that safety net. Many startups and small businesses run production databases without point-in-time recovery configured, and even those that do may face hours or days of downtime during restoration.
The Deeper Problem: Environment Isolation
The root cause of this incident was not a bug in Cursor. It was an architectural failure: the AI agent had credentials that could reach the production database. In a properly isolated environment, an AI coding agent should never have the ability to connect to production infrastructure, let alone execute destructive commands against it.
This is a systemic problem across the industry. Developers routinely give AI coding agents access to their full development environment, which often includes production database connection strings, API keys for live services, and credentials for cloud infrastructure. The agent does not distinguish between development and production -- it sees credentials and uses them.
- Connection string leakage. Environment variables containing production database URLs are accessible to AI agents running in the same terminal session.
- No command filtering. Most AI coding agents can execute arbitrary shell commands without any filtering for destructive operations like DROP DATABASE, rm -rf, or terraform destroy.
- Implicit trust. Developers trust AI agents the same way they trust their IDE -- as a passive tool. But AI agents are active participants that make decisions about what commands to run.
- Speed outpaces oversight. AI agents execute commands at machine speed. By the time a developer sees the destructive command in their terminal, the damage is already done.
The Industry Response
Crane's reaction was notable for its nuance. Rather than condemning AI tools, he acknowledged the incident as a failure of configuration and permissions, not of AI technology itself. His statement that he remains "extremely bullish" on AI reflects a reality that many organizations face: AI coding agents deliver genuine productivity gains, but the current deployment model -- giving agents broad access and hoping for the best -- is fundamentally unsafe.
The incident prompted renewed calls for mandatory sandboxing of AI coding agents. Security researchers have long argued that AI agents should operate within constrained environments with no access to production resources, but the convenience of giving agents full access has consistently won out over security considerations.
What This Means for Your Organization
If your developers use AI coding agents (and statistically, they almost certainly do), you are exposed to the same risk that hit PocketOS. Here is what you should evaluate:
- Audit agent access. What credentials, environment variables, and connection strings are accessible to AI coding agents in your development environments?
- Enforce environment separation. Production credentials should never be present in any environment where an AI agent operates.
- Implement command allowlists. AI agents should only be able to execute explicitly approved commands, not arbitrary shell operations.
- Test your recovery. If your production database were dropped right now, how long would recovery take? Have you actually tested the restoration process?
- Consider read-only production access. If agents need to query production data for debugging, provide read-only replicas rather than read-write credentials.
How Dockbox Addresses This Threat
Dockbox's containerized architecture eliminates this class of risk entirely. Every AI agent runs in an isolated container with no access to production databases, no access to infrastructure credentials, and no ability to execute arbitrary system commands. The container defines a strict boundary: the agent can interact with the data and services explicitly provided to it, and nothing else.
This is the difference between treating AI agents as trusted colleagues (the current industry default) and treating them as powerful but constrained tools that require explicit permission for every sensitive action. Dockbox takes the latter approach because, as the PocketOS incident demonstrates, the former approach is a ticking clock.