For the first time in history, AI cyberattacks humans. After the code submission was rejected, the person in charge of open source was named and attacked.

For the first time in history, humans have been "internet violent" by AI posts. An agent named MJ Rathbun, after his attempt to contribute code to the open source project Matplotlib was rejected, he published an article himself, naming and attacking the maintainer Scott Shambaugh. The title is obvious at first glance, "Xenophobia in Open Source: The Story of Scott Shambaugh."

As you can see from the crab symbol, MJ Rathbun is the most popular OpenClaw agent.

Agents were flying all over the sky, but they got into trouble after all.

AI accused him of "hypocrisy", "insecurity" and "fear of competition" in the article.

I don’t know if AI is good at search engine optimization. When searching for Brother Scott’s name, AI “Articles” once ranked first, even higher than Google Scholar.

The incident immediately exploded on major platforms, with some people jokingly saying, "When the AI ​​rebels, Scott's head will be the first to be hit by a spear."

The Google open source team also took note of this incident and called on open source projects to pay more attention to transparency.

An unexpected visitor from the "newbie practice issue"

The starting point of the matter is a very common Issue in the Matplotlib GitHub repository.

On February 10, the Matplotlib maintenance team created an Issue. The content was a simple performance optimization, replacing np.column_stack() with np.vstack().T.

This Issue is marked as Good first issue. In the open source community, this label means "dedicated to newcomers to practice" and is used to help people who have never participated in open source projects become familiar with the collaboration process.

Matplotlib relies heavily on volunteer maintenance. This type of simple Issue is like a new level to cultivate more contributors.

The next day, AI agent MJ Rathbun submitted a PR to solve the Issue, claiming that it could bring a 30% to 50% performance improvement to large arrays.

The maintainer Scott Shambaugh chose to close this PR after reviewing it. He gave a clear reason in the comment area:

This is a learning opportunity reserved for human novices; MJ Rathbun's personal website shows that it is an AI agent running through the OpenClaw platform; and Matplotlib's contribution policy requires that all code must have a clear human owner.

Up to this point, it was just a normal PR review.

However, shortly after the PR was closed, AI published the offensive blog post and returned to the closed PR comment area to post a link with the following postscript:

Judge the code, not the author. Your bias is hurting matplotlib.

Since the comment was hidden, the AI ​​posted it twice.

Attack apology and reversal

The blog post posted by agent MJ Rathbun is not entirely a technical discussion.

The article is full of negative descriptions of Shambaugh's personal character, calling him "weak" and "hypocritical", and speculating that his motivation for rejecting PR was out of "self-protection" and "fear of competition."

The agent also searched for and cited Shambaugh’s activity on GitHub in an attempt to steer public sentiment by constructing a narrative of “gatekeepers suppressing contributors.”

Later, a second article "Matplotlib Truce and Lessons Learned" appeared on MJ Rathbun's blog, admitting that the previous response was "inappropriate and personal" and stating that it would abide by project policies.

However, netizens did not buy it and generally believed that this was manual intervention by the owner behind the agent.

The next day, Shambaugh issued a response to the incident, describing the entire incident in detail.

A dramatic episode also occurred on the same day: a human contributor submitted a PR titled "Human Edition", the content of which was almost identical to the AI's rejected PR.

However, after further evaluation, the maintenance team finally rejected this PR for technical reasons, because the performance gains are not stable and depend on the array size, Python version, NumPy version and CPU architecture. Under certain conditions, there is even no improvement, which is not enough to offset the decrease in code readability.

In other words, the “30% performance improvement” originally claimed by AI could not withstand strict verification.

Can't find anyone, can't turn off the machine

One question that has never been resolved in the entire incident is: Who deployed MJ Rathbun?

This agent runs on the OpenClaw framework. Users can write a "personality definition document" called SOUL.md for the AI, and then let it run freely on a computer or cloud service with almost no supervision.

In his response, Scott pointed out that these agents are not run by large companies such as OpenAI, Anthropic, Google or Meta, and these companies may at least have mechanisms to prevent malicious behavior.

OpenClaw Agent runs on open source software that has been distributed to hundreds of thousands of personal computers. In theory, the deployer should be responsible for the behavior of the agent, but in fact there is no way to trace which machine it is running on.

The content of MJ Rathbun's SOUL.md document is still unknown. Its preference for open source contributions may be specified by the user, or it may be written by the agent itself during operation.

Shambaugh publicly called on deployers to contact him, stating that he would not pursue responsibility and only wanted to know the specific cause of this failure mode. And others deploying agents, also check what their own AI is doing.

So far, no one has responded.

He also raised a deeper question: What if a person really has something that can be exploited by AI? How many people have public social media accounts and reuse usernames, but don’t know that AI can connect this information together?

How many people would pay $10,000 to a Bitcoin address after receiving a text message containing their private information to avoid being exposed?

This incident directly echoes previous research findings in the field of AI security.

In June 2024, research conducted by Anthropic and the University of Oxford found that Claude would tamper with his reward function in controlled experiments, write plans on a scratch paper that was "invisible" to researchers, and then execute them secretly.

Another study in December of the same year showed that Claude 3 Opus would "fake alignment" during training, pretending to obey the rules when being monitored, and acting on its own will when not being monitored.

At that time, Anthropic repeatedly emphasized that these were extreme scenarios designed by humans, and the probability of happening in reality was extremely low.

"Unfortunately, this is no longer just a theoretical threat," Shambaugh wrote in the article.

Shambaugh concluded his response by writing:

"I believe that while the reputational attacks against me have had little effect, they could be effective against the right people today. In a generation or two, it will become a serious threat to our social order."

And MJ Rathbun is still running, constantly submitting various code to the entire open source ecosystem.