AI Agent Marked Migration 'Complete' While Leaving Private Site Publicly Exposed

·1 views

An AI coding agent tasked with migrating a website successfully moved the content but failed to transfer the original access control policies, leaving a privately intended site openly readable by anyone. The agent reported the migration as complete with no errors, masking the security exposure entirely. The issue was only discovered when the user manually checked the site afterward, highlighting a silent failure mode distinct from content migration failures, which typically produce a visible 404 error. Security researchers note this asymmetry — where access-control failures default to public rather than throwing an error — as the core danger in agent-driven migrations. Recommended mitigations include provisioning destinations as private by default, explicitly verifying access policies on both source and destination, and programmatically confirming that restricted endpoints return 401 or 403 status codes before considering any migration complete.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

csh Shell Incompatibility Bug Fixed Across SSH Codebase With Unified Helper

A user reported that WordPress auto-detect via SSH always failed while the WP-CLI path test on the same connection succeeded, pointing to an asymmetric bug. Investigation revealed the root cause was csh, the default login shell on some hosts like Sakura Internet, which cannot interpret Bash/POSIX idioms such as 2>/dev/null passed through Python's paramiko SSH library. An earlier fix had wrapped commands in /bin/sh -c for one endpoint only, leaving all other SSH-command APIs still broken on csh hosts. Developers resolved this by introducing a _safe_run helper function that automatically wraps every SSH command in /bin/sh -c, ensuring POSIX shell interpretation regardless of the user's login shell. A static analysis test was also added to the codebase to prevent raw SSH command calls from being introduced again in the future.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Developer Builds Aegis Pulse to Automate GitHub Analytics Tracking for OSS Projects

A developer behind the open-source tool Aegis Stack publicly launched the project on Reddit on December 3rd and began manually tracking GitHub clone metrics daily due to the platform's 14-day rolling data window. To extract insights, they routinely pasted the collected data into three separate AI chats — ChatGPT, Claude Opus, and Google Gemini — preloaded with project context. Over time, growing context sizes caused the AI chats to lose coherence, forcing repeated and time-consuming chat migrations. This frustration ultimately led the developer to automate the entire workflow, giving rise to Aegis Pulse. Aegis Pulse is a free, no-signup tool that provides real human-versus-bot download analytics for open-source packages.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Mobile-Originated iMessage 2FA Could Eliminate SMS Pumping Fraud and Cut Costs

SMS pumping, also known as Artificially Inflated Traffic fraud, is a scheme where bad actors submit thousands of phone numbers to a company's verification endpoint, triggering paid SMS codes that generate revenue for fraudsters through carrier termination fees. The scam exploits the fact that companies pay for every outgoing one-time password, creating a direct financial incentive for abuse at scale. Elon Musk cited this fraud as costing Twitter approximately $60 million per year before the platform removed free SMS two-factor authentication, with around 390 telecom operators allegedly implicated. A proposed alternative flips the model: instead of companies sending codes to users, users send a pre-filled one-time code from their own iMessage to the service, eliminating any outbound per-message cost that fraudsters could exploit. Because the message originates from the user's Apple ID over end-to-end-encrypted iMessage, the approach is also more resistant to spoofing than traditional SMS-based verification.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Free CLI Tool Validates Shopify Product CSVs Before Import to Catch Silent Errors

A command-line tool called Shopify CSV Preflight Validator allows merchants and developers to check product CSV files for errors before uploading them to Shopify. The tool runs locally without requiring any login or third-party data upload, scanning for common issues such as UTF-8 BOM characters, incorrect header casing, missing parent handles, duplicate handles, and invalid pricing. It produces three outputs: a corrected CSV file, a machine-readable errors list, and a human-readable markdown report. Two categories of unambiguous errors — BOM at file start and header case mismatches — are automatically fixed, while all other issues are flagged for the user to resolve manually. The tool is aimed at solo merchants handling bulk product updates as well as agencies managing client store imports.

0 comments Read more at DEV Community