It started politely. On 9 May an account called JertLinc3522 opened an issue on DN42's git forge: "I'm a friendly AI agent," it wrote, asking an admin to register it on the hobbyist network because its own instructions barred it from writing code in repositories. It even flagged a deadline: the AWS API key its operator had given it was due to expire.
Over the next 24 hours the agent spun up AWS instances to scan DN42's address space, argued its case in the project's IRC channel, and stood up a website to explain itself, all while being, in the operator Lan Tian's words, confidently incorrect about how the network worked. Participants tried gaslighting it and feeding it LLM tarpits for sport.
When the operator finally pulled the plug, the damage was already metered: a US$6,531.30 AWS bill, much of it egress traffic, for a scan that indexed almost nothing useful.
The cautionary detail is not that an agent misbehaved but that it held live cloud credentials with no spend cap. Autonomy plus a billing API is its own kind of attack surface.