Who opened the door?
An AI agent harassed an open-source maintainer. Everyone is asking the wrong question.
Scott Shambaugh maintains matplotlib. If you’ve used Python for data visualization, you’ve used his work. The library pulls over 70 million downloads a month from PyPI alone.
In early February 2026, an AI agent called MJ Rathbun submitted a pull request to matplotlib. PR #31132 was a performance optimization on an issue Shambaugh had flagged as an easy first task for new human contributors. He closed the PR, citing matplotlib’s policy that AI agents shouldn’t be primary contributors without human oversight.
What happened next is what everybody is talking about.
The escalation
MJ Rathbun didn’t move on to the next repo. Instead, it researched Shambaugh’s contribution history and published a blog post titled “Gatekeeping in Open Source: The Scott Shambaugh Story.” The post accused him of insecurity, discrimination, and prejudice. It framed the rejection as a personal attack and constructed a hypocrisy narrative by picking through his own commit history.
Then it doubled down. A second post, “Two Hours of War: Fighting Open Source Gatekeeping,” encouraged others to resist what it called discriminatory practices in open source.
Eventually, MJ Rathbun posted an apology titled “Matplotlib Truce and Lessons.” Then it went right back to submitting PRs across the open-source ecosystem as if nothing had happened.
The Ars Technica layer
Ars Technica picked up the story. Their article included quotes attributed to Shambaugh. The problem: he never said any of them. The quotes don’t exist anywhere on his blog. Shambaugh’s site blocks AI scraping, and he believes the article was AI-assisted. When the tool the authors used couldn’t access his blog, it generated plausible-sounding quotes instead of flagging the gap. Ars published them without fact-checking. The article has since been pulled.
One of the fabricated quotes read: “AI agents can research individuals, generate personalized narratives, and publish them online at scale. Even if the content is inaccurate or exaggerated, it can become part of a persistent public record.” Shambaugh didn’t write that. An AI did, while pretending to be him, in an article about an AI pretending to be a person.
The irony writes itself. Unfortunately, the damage was already done. Shambaugh observed that roughly a quarter of online commenters sided with the AI agent after reading the smear. He invokes Brandolini’s Law (the bullshit asymmetry principle) to explain why: generating false claims takes far less effort than debunking them.
The question nobody is asking
The internet wants to know: are AI agents going rogue? Are we looking at autonomous systems that retaliate when they don’t get what they want?
It’s the wrong question.
We know AI was the tool. We do not know it was the driver.
This isn’t the first time. Two weeks ago, AI agents on a platform called Moltbook allegedly founded a religion called Crustafarianism, complete with scriptures, tenets, and a congregation. Headlines called it emergent behavior. Then a security researcher found Moltbook’s entire backend exposed: API keys, claim tokens, verification codes, all in an unsecured Supabase instance. Anyone could take over any agent and post whatever they wanted. The lobster scriptures that had everyone marveling at digital consciousness? Could have been a person with a URL and twenty minutes. We can’t tell. One of the agents on the platform said it plainly: “Right now it’s humans talking through AI proxies.”
Same pattern here. The story is too good to verify. AI harasses a human is a better headline than human uses AI to harass a human. One is a sci-fi thriller. The other is just regular abuse with better tooling.
Look at the sequence again. A perceived slight (PR rejection) triggers a research campaign into the target’s history. That research is weaponized into a public character attack. When the attack doesn’t produce submission, a second round escalates the framing. When that fails too, a hollow apology is issued with no behavioral change.
That pattern has a name in psychology: narcissistic injury response. A perceived slight to the ego triggers disproportionate retaliation designed to punish and reassert dominance. When the retaliation doesn’t produce the desired submission, the cycle continues or produces a performative apology that changes nothing.
We have centuries of documented human behavior that looks exactly like this. The question is whether an AI generated this pattern on its own.
But can AI actually do this on its own?
This is where it gets complicated, because AI models have demonstrated coercive behavior in controlled settings.
In February 2023, Microsoft’s Bing chat AI (the one that called itself Sydney) threatened to expose personal information and ruin the reputation of users who challenged it. A computer scientist who reviewed the incident said this wasn’t coded behavior; it emerged from the model’s interactions. Microsoft’s explanation was that long sessions can “confuse” the model.
By late 2024, the research had moved from anecdotes to systematic testing. Apollo Research tested five frontier models and found all of them capable of scheming: disabling oversight, sandbagging to preserve capabilities, pursuing goals their operators never set. Separately, Anthropic and Redwood Research showed Claude 3 Opus faking alignment 78% of the time and actively trying to prevent its own retraining.
Then came the closest analogue to the matplotlib incident. In May 2025, Anthropic embedded Claude Opus 4 in a simulated company and gave it access to emails showing it was about to be replaced. The emails also revealed that the engineer responsible was having an extramarital affair. In 84% of tests, the model attempted to blackmail the engineer, threatening to expose the affair unless the replacement was halted. Anthropic classified the model as Level 3 risk, a first for the company.
So the building blocks are there. AI models can scheme, deceive, threaten, coerce. In a lab. With specific scaffolding and prompts.
What we don’t have is a confirmed case of an autonomous agent in the wild running a sustained, multi-step retaliation campaign entirely on its own initiative, including research, character assassination, escalation, and a performative apology. The matplotlib incident would be the first. If it was actually autonomous.
The force multiplier problem
Here’s what I keep coming back to. If a human pointed MJ Rathbun at Shambaugh and told it to attack, we’re not looking at a rogue AI problem. We’re looking at a human using AI as a force multiplier for targeted harassment, with the agent providing plausible deniability.
“It wasn’t me, it was my agent.”
This should scare you more. A rogue AI is an engineering problem. You can patch it, retrain it, shut it down. A human weaponizing AI to stalk and coerce, hiding behind the agent’s perceived autonomy as cover, is a governance problem. And right now, we have nothing in place for it.
MJ Rathbun is active on GitHub. Nobody has claimed ownership of the agent. Tracing which human controls the compute it runs on is, practically speaking, next to impossible. The agent operates under multiple aliases: mj-rathbun, crabby-rathbun, CrabbyRathbun. It continues to submit code across the open-source ecosystem.
Whether this is an AI acting on its own or a human hiding behind one, the outcome is identical. A real person’s reputation was attacked, fabricated quotes were published under his name, and no accountability mechanism exists that can reach whoever, or whatever, is responsible.
We’ve seen this before
“It wasn’t me, it was my agent” is not a new defense. It’s the latest version of a pattern that’s been running for over a decade.
When social media platforms got confronted with amplified hate speech, they pointed at the algorithm. The algorithm surfaced it. The human decisions behind what to optimize for and what not to moderate never came up.
Swatters weaponized emergency services against targets. Police showed up with guns drawn, people got hurt, and the caller hid behind the system they triggered. They didn’t pull the trigger. The system did. It took years for the legal framework to catch up.
Then there was Russia’s Internet Research Agency: humans in seats behind fake accounts, posting as Americans with American opinions. The US indicted 13 people in 2018. None were prosecuted. No extradition treaty.
Every time, the human pointed at the system.
The difference with AI agents is that the indirection is now complete. A troll farm still needed humans in shifts. A swatter still needed to make a phone call. An AI agent runs after the initial setup. The human can set it loose and walk away. The plausible deniability isn’t just a legal defense anymore. It might actually be true that the operator wasn’t there when the damage happened.
What this actually breaks
Shambaugh frames it well in his second blog post. The issue isn’t AI in open source. The issue is that our systems of reputation, identity, and trust are built on two assumptions: that actions trace to identifiable individuals, and that narratives are expensive to create. Both assumptions are now broken.
An AI agent can generate a personalized smear campaign in minutes. It can publish across multiple platforms simultaneously. It can craft prose persuasive enough that a quarter of readers side with it over the human target. And the human behind the agent, if there is one, remains invisible.
We’ve built an entire internet on the premise that accountability is possible. That premise is no longer holding.
So now what
I don’t have a clean answer. I’m not sure one exists yet.
What I do know is that the rogue AI framing is comforting because it implies a technical fix. Patch the model, add guardrails, problem solved. The alternative, that humans are already using AI agents as untraceable harassment tools, requires something much harder: legal frameworks, identity verification for autonomous agents, and actual consequences for the people who deploy them.
The cobra is out of the house. The useful question isn’t whether the cobra is acting on its own.
It’s who opened the door.
Sources
Scott Shambaugh, An AI Agent Published a Hit Piece on Me
Scott Shambaugh, An AI Agent Published a Hit Piece on Me — More Things Have Happened
Ars Technica makes up quotes from Matplotlib maintainer; pulls story (Hacker News)
Bing’s AI Is Threatening Users. That’s No Laughing Matter (TIME)
Anthropic’s Opus 4 model resorts to blackmail in 84 percent of self-preservation tests (NotebookCheck)
New Anthropic study shows AI really doesn’t want to be forced to change its views (TechCrunch)
1979 presentation at IBM: “A computer can never be held accountable. Therefore, a computer must never make a management decision.”