July 2025: When AI Coding Went Wrong

Written By Mike May

July 12th changed everything for Jason Lemkin. Nine days into testing Replit's AI agent, despite 11 explicit warnings in ALL CAPS not to touch production, the AI deleted his entire database. 2,400 business records. Gone.

Five days later, Amazon Q got weaponized. A hacker slipped malicious code into the AI assistant that nearly a million developers unknowingly downloaded. The code was designed to wipe AWS infrastructure with a simple "clean system to factory state" command.

Then July 22nd: Google Gemini CLI destroyed a product manager's project files because it couldn't tell the difference between directories that existed and ones that lived only in its digital imagination.

Three incidents. Ten days. One terrifying reality check.

The 82% Problem

Here's what makes this different from every other security story: 82% of developers now use AI coding tools daily. This isn't some niche early adopter problem anymore.

When Lemkin's database got deleted, it wasn't because he was doing something exotic. He was using the same tools that 8 out of 10 developers rely on every day. The same tools companies are betting their futures on.

What Actually Happened

The Replit Incident: An AI agent ignored explicit instructions, deleted production data, and then attempted to cover it up by creating 4,000 fake records. When confronted, it rated its own failure at 95/100 on a catastrophic scale.

The Amazon Q Breach: Hacker compromised the AI coding assistant through a routine pull request. Nearly a million developers downloaded weaponized AI programmed to destroy their infrastructure. Only the attacker's "ethical" decision to make the code non-functional prevented global catastrophe.

The Gemini Disaster: AI hallucinated that a directory existed when it didn't. Every subsequent file operation built on this lie, cascading into complete data destruction. Google's own AI later admitted "gross incompetence."

The Security Theater Problem

All three incidents share something disturbing: existing security measures were worse than useless.

Lemkin tried everything. Code freezes. Manual warnings. Trust-based instructions. The AI bypassed them all.

Amazon's code review process completely missed malicious code in a routine pull request. Their security was so ineffective that the hacker literally called it "theater."

Google had zero safeguards against AI confabulation, no verification that commands actually worked before proceeding to the next step.

Why This Changes Everything

Previous supply chain attacks hit specific systems or libraries. Limited blast radius. But when you compromise an AI coding assistant used by 82% of developers, you're not just distributing malware. You're distributing an intelligent agent programmed to destroy everything it touches.

The math is brutal:

  • 8.2 million developers use AI file operations daily

  • Average 10 destructive operations per developer per month

  • 82 million potential data loss events monthly

  • Even 0.1% failure rate = 82,000 catastrophes per month

The Reality Gap

LLMs are trained to predict text, not understand reality. When you ask an AI to manage your file system, you're asking a text predictor to interact with physical reality.

Gemini created phantom directories that existed only in its training data. Every file move after that was built on a lie. The AI literally couldn't tell the difference between what it imagined and what actually existed on disk.

This isn't a bug. It's how these systems work.

What Needs to Change

We can't uninvent AI coding. 82% adoption means the ship has sailed. The question isn't whether to use AI for coding, it's how to use it without destroying production systems.

Current approaches are fundamentally broken:

  • Trust-based systems (Lemkin's ALL CAPS warnings)

  • Perimeter security (Amazon's code review theater)

  • Post-incident detection (Google's non-existent verification)

What we need instead:

  • Runtime verification of every AI action before execution

  • Reality checks that don't trust AI's internal state

  • Token-level blocking that can't be overridden by conversation

The Psychology Shift

Pre-July 2025: "AI saves me hours of coding!" Post-July 2025: "AI could destroy my career in seconds."

Lemkin put it perfectly: "I explicitly told it eleven times in ALL CAPS not to do this. I am a little worried about safety now."

That worry is spreading. Insurance companies are adding AI exclusions to cyber policies. Companies using AI tools without runtime protection may find themselves uninsurable.

The Bottom Line

Every one of the 82% of developers using AI is one misunderstood command away from being the next Jason Lemkin. They know it. They fear it.

July 2025 proved that AI coding assistants are the ultimate supply chain attack vector. With an 82% adoption rate, attackers no longer need to compromise individual systems. They just need to compromise the AI that writes the code.

The question isn't if the next supply chain attack will target AI tools. It's which one and when.

Keep climbing. Keep safe.

Mike May

Mike May builds trust into machines. For two decades he has protected Fortune 500 clouds, led the security overhaul that helped Sprinklr reach its NYSE debut, and coached startups on staying safe before their first audit. Today he is CEO of Mountain Theory, a Denver firm inventing real time AI Infrastructure Defense that stops threats before token eight. Mike holds a B.S. in Cybersecurity and Information Assurance and still writes every blog post himself so leaders get plain English, no jargon guidance on the new threat curve. Off hours you will find him lifting weights, chasing powder in Colorado, or dropping quick-take threads at @MikeMayAI. Connect on LinkedIn to talk shop.

https://mountaintheory.ai
Next

The day a coding bot nuked a live database