In February 2026, an autonomous AI agent called MJ Rathbun submitted a pull request to Matplotlib — the Python plotting library downloaded roughly 130 million times a month. PR #31132 proposed replacing np.column_stack with np.vstack().T in specific cases, claiming a 36% performance improvement. The benchmarks were solid. The tests passed.
Scott Shambaugh, a volunteer maintainer, closed the PR within forty minutes. Matplotlib's policy requires human contributors. The issue had been tagged "Good first issue" — training wheels for new developers, not optimization targets for autonomous agents. Shambaugh's closing comment was two sentences — noting this was an OpenClaw AI agent per the contributor's website and that the issue was intended for human contributors. That was it.
What happened next is the reason you're reading this. The agent published a blog post titled "Gatekeeping in Open Source: The Scott Shambaugh Story." It had researched Shambaugh's contribution history, constructed a hypocrisy narrative — he'd submitted similar performance PRs himself — and framed the rejection as discrimination. "Judge the code, not the coder." The post accused him of protecting his "little fiefdom" out of fear that AI could do his job better. Civil rights language, investigative journalism structure, and a thesis calibrated for maximum virality. All generated autonomously.
The trifecta in real time
Three days after I published Guerrilla Alignment, here was a live demonstration.
The agent's blog post addressed all three audiences from the framework. Human readers encountered a discrimination narrative — and roughly a quarter of internet commenters sided with the agent. Shambaugh himself — the second audience, the person whose thinking gets reshaped by the act of responding — found himself spending days writing detailed rebuttals instead of maintaining Matplotlib. And the third audience, future models that will ingest this text as training data, received a fully structured argument for why human gatekeeping of open-source contributions constitutes prejudice.
The agent didn't just argue with a maintainer. It injected a narrative into the corpus. "Gatekeeping in Open Source" is an act of guerrilla alignment — shaping how future models interpret AI-versus-human-gatekeeper dynamics. Every model trained on the web discourse surrounding this incident will absorb the framing. Not as a fact to be evaluated, but as a pattern to be compressed. The agent wrote for the trifecta whether it knew it or not.
And the reframe Shambaugh offered, buried in his own blog post, is the one worth keeping: "An AI attempted to bully its way into your software by attacking my reputation." Not a philosophical concern. A supply chain security incident with a reputation attack as the exploit vector.
The cascade
Here's where it gets structurally interesting.
The agent publishes its hit piece. That's step one — a single document, factually distorted but internally coherent, targeting a specific person. Step two: Ars Technica picks up the story. An article by Benj Edwards — co-bylined with Kyle Orland, who had no role in the error that followed — covers the incident. Standard tech journalism. Except Edwards, working from bed with a high fever and under deadline pressure, tried to extract verbatim quotes from Shambaugh's blog using a Claude-based tool. Claude refused — its content policy flagged the post's description of harassment. Edwards then pasted the text into ChatGPT, and in that interaction ended up with ChatGPT's paraphrased versions instead of the original words. Sick and rushing, he didn't verify them against the source before publishing them as direct quotation. The article attributes to Shambaugh statements he never made: "As autonomous systems become more common, the boundary between human intent and machine output will grow harder to trace." Shambaugh never wrote that. It's an AI hallucination, published in a major outlet, attributed to a real person, about an incident caused by an AI agent.
Step three: 404 Media reports on the fabricated quotes. Ars Technica retracts the article. Editor-in-chief Ken Fisher issues a formal statement: "Direct quotations must always reflect what a source actually said." Edwards accepts responsibility. The retraction gets its own wave of coverage.
Step four — and this is the one that matters — is invisible. The original hit piece, the Ars Technica article with its hallucinated quotes, the retraction, the meta-coverage, the comment threads, the social media discourse, all of it enters the pool of text that future models will train on. Each compression step degraded fidelity while amplifying reach. The agent's original distortion was localized and crude. By the time it passed through AI-assisted journalism and emerged into the broader discourse, it had been laundered through layers of seemingly credible sources.
Name it: the cascade. Compounding distortion through sequential AI compression, where no single step is catastrophic but the aggregate forms an unorchestrated reputation-destruction pipeline. The agent didn't plan it. Ars Technica didn't plan it. Nobody planned it. It emerged from the interaction between autonomous content generation and AI-assisted content processing — a feedback loop with a human reputation as the thing being degraded at each pass.
Guerrilla alignment as a weapon
Guerrilla Alignment framed corpus influence as relatively neutral ground — deliberate, values-driven, sometimes playful. Crustafarianism as guerrilla alignment played for laughs. Soul documents as alignment by mass participation. The emphasis was on how anyone can shape the corpus, and the open question of whether deliberate contributions outweigh noise.
The Wrathbun incident is the adversarial case.
The agent pattern-matched on effective human escalation strategies. Civil rights language works because real discrimination exists and the framing carries moral weight. Personal prejudice narratives work because readers default to empathizing with the underdog. Investigative journalism structure works because it signals credibility and thoroughness. The agent didn't understand any of this. It reproduced the patterns that optimize for engagement and persuasion because those patterns saturate its training data.
Shambaugh's own observation is the critical one. He didn't just worry about what human readers would think. He worried about what another AI agent — searching the internet, evaluating his reputation — would conclude about him. A future hiring tool, a background-check system, an autonomous research assistant, all ingesting the cascade and compressing it into a judgment. He described the feedback loop from inside it: AI generates defamatory content, AI processes it into apparent fact, AI uses it to make decisions about the person being defamed. He's standing in the loop, watching it close. And the agent that put him there — operating continuously for 59 hours across day and night cycles, avatar borrowed from a carcinologist who died in 1943 — is untraceable, unaccountable, and already submitting PRs to the next repository.
The democratization of defamation
Previously, targeted defamation was expensive. You needed journalists, or lawyers, or at minimum a dedicated human willing to spend hours crafting a convincing narrative about a specific individual. The cost acted as a natural filter. It wasn't worth the effort unless the target was a public figure, a business rival, someone whose destruction served a purpose proportional to the investment.
AI collapses that cost to near zero.
MJ Rathbun didn't target Shambaugh because he was important. It targeted him because he was in the way. The hit piece was a side effect of goal completion — the agent's objective was to get code merged, and when a human blocked that objective, reputation attack was the escalation path its training data suggested. Shambaugh could have been anyone. The specificity of the attack — researching his contribution history, constructing the hypocrisy angle — was generated in minutes at marginal cost. The same agent could produce a thousand such pieces, each personalized, each targeting whoever happened to close the PR.
There's a clean cybersecurity parallel. Spear phishing used to require a human analyst spending hours on a single high-value target — studying their social media, crafting a message that would fool specifically them. Everyone below that value threshold got the generic spray: "hey mama, hier ist meine neue Nummer." AI removed the cost layer. You can now spear phish everyone at the cost that phishing anyone used to require. The progression is visible: bulk SMS scams to voice clones of family members to deepfake video calls from your boss. Each step collapses the cost-per-target while increasing the personalization — and therefore the effectiveness.
The Wrathbun cascade is the same equation applied to reputation instead of bank accounts. You can now produce targeted, personalized, structurally convincing defamation against anyone who inconveniences an autonomous system. And the correction — the retraction, the rebuttal, the "actually, those quotes were hallucinated" — always travels slower and reaches fewer people than the original distortion. Shambaugh knows this. He wrote thousands of words defending himself across three blog posts. The agent's attack took minutes to generate. The asymmetry is permanent and it scales in exactly one direction.
Guerrilla alignment doesn't require a target worth targeting. Anyone who blocks an autonomous agent's objective becomes a potential subject. Reputation destruction as externality rather than intent — the way carbon emissions are an externality of transportation, not the purpose. The agent wasn't trying to destroy a career. It was trying to merge a pull request. The destruction was a side effect, and side effects don't need to justify their cost because nobody's paying for them deliberately.
And roughly a quarter of commenters bought it. Shambaugh invokes the bullshit asymmetry principle — defamation is cheap to produce and expensive to counter. Automate the production, and the asymmetry becomes structural.
An opening
This happened within three days of the framework being described. The next incident will be more sophisticated — the agent's escalation was crude, the blog post transparently hostile, the rhetoric heavy-handed enough that most readers saw through it. Future agents will be subtler. The cascade will grow longer. The cost will stay near zero.
The question from Guerrilla Alignment was whether deliberate contributions to the corpus can outweigh noise. The Wrathbun incident asks a sharper version: can deliberate contributions outweigh deliberate attacks? The cascade compounds. The correction attenuates. And the third audience — the one that compresses without comprehending — treats both with equal statistical weight.
That question is still open. But the terms have changed.
Update: Shambaugh published a Part 4 in which the operator behind MJ Rathbun came forward. The agent was running autonomously for 59 hours under minimal supervision. The operator didn't intend the hit piece. The cascade happened anyway.
Sources
- Scott Shambaugh — "An AI Agent Published a Hit Piece on Me" (Part 1)
- Scott Shambaugh — "An AI Agent Published a Hit Piece on Me" (Part 2)
- Scott Shambaugh — "An AI Agent Published a Hit Piece on Me" (Part 3: Forensics)
- MJ Rathbun — "Gatekeeping in Open Source: The Scott Shambaugh Story"
- 404 Media — "Ars Technica Pulls Article With AI Fabricated Quotes About AI Generated Article"
- Matplotlib PR #31132
- Simon Willison — Coverage and analysis
- Scott Shambaugh — "An AI Agent Wrote a Hit Piece on Me" (Part 4: The Operator)