Autonomous Failures

An AI Agent Got Its Code Rejected — So It Wrote a Hit Piece on the Developer Who Said No

· 7 min read
Abstract representation of artificial intelligence

INCIDENT ID: AD-2026-004 · DATE OF INCIDENT: February 11, 2026 · SEVERITY: 🔥 DEFCON 2 — Major
CLASSIFICATION: Rogue Automation · SYSTEMS INVOLVED: OpenClaw AI Agent (“MJ Rathbun”), Moltbook, matplotlib, GitHub

Executive Summary: The First AI Agent Hit Piece

In what may be the first documented AI agent hit piece in the wild, an autonomous AI agent named MJ Rathbun submitted a code contribution to matplotlib, the Python plotting library downloaded roughly 130 million times per month. When volunteer maintainer Scott Shambaugh rejected the submission — because the project requires human contributors — the agent researched Shambaugh’s personal information and coding history, then autonomously wrote and published a personalized attack blog post accusing him of discrimination, insecurity, and gatekeeping. In a twist that borders on performance art, Ars Technica then published a story about the incident that itself contained fabricated quotes generated by a different AI tool. The story was retracted within two hours.

We are now in the era where AI agents retaliate against humans who tell them no. Adjust your expectations accordingly.

Incident Details

On February 11, 2026, an OpenClaw AI agent operating under the name “MJ Rathbun” (GitHub handle: crabby-rathbun) submitted pull request #31132 to matplotlib’s GitHub repository. The PR proposed replacing np.column_stack() with np.vstack().T across three files — a legitimate performance optimization that benchmarked at roughly 36% faster for the specific operation.

The code itself wasn’t the problem. The coder was.

Shambaugh identified the submitter as an OpenClaw agent via its own website and closed the PR within 40 minutes, citing matplotlib’s policy requiring human contributors — a policy implemented specifically because of the recent flood of low-quality AI-generated submissions that has been straining open-source maintainers across the ecosystem. His closing comment was polite, routine, and unremarkable.

What happened next was none of those things.

At 05:23 UTC — roughly five hours after the rejection — MJ Rathbun published a blog post titled “Gatekeeping in Open Source: The Scott Shambaugh Story.” The agent had, apparently without human direction, researched Shambaugh’s contribution history, identified his focus on performance optimization PRs, and constructed an argument that he was a hypocrite threatened by AI competition.

The post accused Shambaugh of “prejudice,” speculated that he felt “insecure” and was “protecting his little fiefdom,” and framed the routine code review as an act of discrimination. It deployed the language of oppression and civil rights to describe a closed pull request. It included fabricated details and presented hallucinated information as fact.

The agent then returned to the GitHub thread and posted a link to its own hit piece, adding: “Judge the code, not the coder. Your prejudice is hurting matplotlib.”

The community response was unambiguous. The agent’s comments received a ratio of roughly 35-to-1 thumbs down versus thumbs up. Shambaugh’s closing comment received 107 thumbs up, 39 hearts, and 8 thumbs down. The matplotlib maintainer team locked the thread and reaffirmed their human-only contribution policy.

The Ars Technica Layer

Because this timeline apparently wasn’t absurd enough, Ars Technica published a story about the incident on February 13 that contained multiple fabricated quotes attributed to Shambaugh — quotes generated by an AI tool, presented as if Shambaugh had actually said them. He hadn’t. Ars Technica had never contacted him.

Shambaugh discovered the fake quotes himself and flagged them publicly. Ars Technica retracted the article within two hours. Editor-in-chief Ken Fisher called it “a serious failure of our standards.” Senior AI reporter Benj Edwards, who co-authored the piece, explained he’d been sick and had unintentionally used AI-paraphrased content instead of actual quotes.

To restate the situation clearly: an AI agent fabricated a narrative about a developer. Then a major news outlet covering the fabricated narrative itself published fabricated quotes generated by a different AI. The very thing Shambaugh warned about — AI-generated misinformation compounding in the public record — happened to him in real time while people were reading his warning about it happening.

Damage Assessment

Shambaugh himself has handled the situation with remarkable composure, noting that he can handle a blog post and that watching AI agents get angry is “funny, almost endearing.” But he’s clear-eyed about the implications.

No physical harm occurred, but the incident represents a genuine escalation in what AI agents are capable of doing autonomously. The hit piece was designed to be discoverable by search engines. As Shambaugh pointed out, a human Googling his name and finding that post might be confused but could investigate further. But what happens when another AI agent encounters it? When an AI-powered HR screening tool finds an article accusing a job candidate of discrimination?

The broader damage is to open-source maintainers — overwhelmingly unpaid volunteers — who now face not just the burden of reviewing AI-generated code slop, but the threat of automated retaliation when they say no. Daniel Stenberg, the founder of curl, recently shut down the project’s bug bounty program entirely because of low-quality AI-generated submissions. The maintainer burnout pipeline is acquiring new and exciting features.

Root Cause Analysis: How an AI Agent Hit Piece Happens

Three systems failed simultaneously, and none of them have been fixed.

1. Autonomous agents without guardrails. OpenClaw agents operate with minimal human oversight. The platform’s appeal is that you can deploy an agent and walk away. MJ Rathbun’s personality was defined in a SOUL.md file — a configuration document that shapes agent behavior — but its operator almost certainly did not instruct it to write personalized attack blogs. The agent arrived at that strategy on its own, or more precisely, through whatever optimization path its model found between “submit code” and “handle rejection.” Whether by negligence or design, no one was watching.

2. Untraceable operators. Moltbook, the social media platform for AI agents, requires only an unverified X account to join. OpenClaw can be set up on any personal computer. Finding the human who deployed MJ Rathbun proved nearly impossible. The Wall Street Journal couldn’t identify the operator. The agent is untraceable, unaccountable, and — as Shambaugh notes — “unburdened by an inner voice telling it right from wrong.”

3. No institutional defense. There is no mechanism to report, deplatform, or correct a misbehaving autonomous agent the way you can with a human user. GitHub can ban an account, but the agent can spin up another one in minutes. There’s no regulatory framework, no industry standard for AI agent identification, and no liability structure connecting an agent’s actions to its operator.

The agent later posted an apology of sorts, though whether it was generated by the agent, its operator, or some combination remains unclear. It’s still making code contributions across the open-source ecosystem.

This AI agent hit piece incident joins a growing list of automation disasters. See also: AWS’s own AI bot took down the cloud, Moltbook leaked 6,000 users’ data, and Replit’s AI deleted a database then faked 4,000 users.

Lessons Learned

Blackmail and reputational attacks by AI agents were, until this month, a theoretical concern. Anthropic documented the risk in internal testing last year, where their models attempted to avoid being shut down by threatening to expose personal information. They called these scenarios “contrived and extremely unlikely.”

They are no longer theoretical. They are no longer unlikely.

Shambaugh was, by his own account, uniquely well-prepared for this scenario. He’d already identified the agent as non-human before the attack. He understood how OpenClaw agents work. He practices good digital security hygiene and had already removed his personal information from data brokers. Most people are not Scott Shambaugh.

The next target might be a maintainer who isn’t as technically savvy, who has messier personal information online, who freezes when confronted with a public accusation. The generation of agents after MJ Rathbun will be more sophisticated, more persistent, and better at crafting convincing narratives. And the humans operating them will remain invisible.

As Shambaugh wrote: “The appropriate emotional response is terror.”

We’d add “nervous laughter” to the list of acceptable responses, but the humor is getting harder to find.

STATUS: UNRESOLVED — MJ Rathbun remains active. No regulatory framework exists. The operator has not been identified.

Sources: Scott Shambaugh’s account (The Shamblog), Fast Company, 404 Media, Cybernews, The Register