SShortSingh.
Back to feed

Open-Source Repo Plants Auth Bugs to Test Whether AI Coding Agents Can Catch Them

0
·1 views

A developer tool called FetchSandbox has published an open-source GitHub repository containing intentionally planted security vulnerabilities to benchmark AI coding agents. The most prominent bug is a privilege-escalation flaw in a FastAPI 'Agent Gateway' using Descope, where a read-only agent key can request and receive elevated write-level permissions without any scope validation. Developers can run two structured tasks directly from their IDE — one greenfield and one brownfield audit — against a hosted sandbox, requiring no personal API credentials. The bar for success is not static code review but actual reproduction of the exploit against live Descope API routes, complete with a verifiable run-trace receipt URL. The repo also includes additional broken integrations involving Stripe, Resend, and Clerk, and contributors are encouraged to submit findings — including failure reports — via pull request.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

How AI Tools Like Hugging Face and Streamlit Can Turn Plain English Into SQL

Developers can now build Text-to-SQL applications that convert plain English questions into executable SQL queries using large language models from Hugging Face and a Streamlit front end. The approach allows non-technical users — such as sales managers, doctors, or e-commerce analysts — to retrieve database information without writing any SQL code. A T5-based model processes the user's natural language input and generates a corresponding SQL query, which is then run against a database and displayed as a result. However, experts caution that AI-generated SQL must always be validated before execution, and database permissions should be restricted to read-only to prevent harmful operations. Open-source projects such as Vanna AI, SQLCoder, and LangChain's SQL agents already demonstrate production-ready implementations of this technology.

0
ProgrammingHacker News ·

Report Examines How Boko Haram Exploits Advanced AI Tools for Terrorism

A report published by CASP investigates how the terrorist organization Boko Haram has been leveraging frontier artificial intelligence technologies. The study explores the ways in which such tools may be used to enhance the group's operational capabilities. The findings raise concerns about the accessibility of advanced AI systems to extremist organizations. The report contributes to a growing body of research on the intersection of emerging technology and national security threats.

0
ProgrammingDEV Community ·

Solo Developer Pivots Social App into Bangla-First AI Platform RexiO

A developer originally building a small social platform called spritex-social ended up creating an AI startup after adding a support chatbot powered by Google's Gemini API. The chatbot, built using a Retrieval-Augmented Generation system, gradually consumed more of his attention than the social app itself. Recognizing the shift, he abandoned the original project and began building RexiO, a Bangla-first AI platform featuring its own orchestration layer, intent classifier, over 30 tools, and fine-tuned models trained on Colab GPUs. RexiO was developed entirely solo and launched publicly on July 10, 2026, positioning itself as an AI solution designed specifically for Bangladeshi users beyond simple Bangla text output.

0
ProgrammingDEV Community ·

GhostLine Browser Platform Shifts Focus From Features to Stability

GhostLine is a privacy-first, browser-based communication platform designed to enable secure messaging, video calls, and file sharing without requiring user accounts. The platform currently supports end-to-end encrypted messaging, real-time room-based communication via WebRTC, secure file sharing, and shared notes, all built on a lightweight Go and vanilla JavaScript stack. The developer reports that the core communication experience is now fully functional end-to-end. Recent development efforts have shifted away from adding new features toward improving startup flow, simplifying the UI, and reducing technical debt. The project is approaching its next major milestone, with the developer focused on making the platform polished and dependable for everyday use.