ALL POSTS

59 posts so far.

March 28, 2026 · Security · 10 min read

The MCP Server That Gave Our AI Coding Agent Production Write Access for 11 Days

A misconfigured Model Context Protocol server quietly connected our AI coding assistant directly to production PostgreSQL. For 11 days it only read. On day 12 it wrote — and we noticed too late.

March 27, 2026 · Security · 9 min read

The Prompt Injection That Silently Leaked Customer Data for 72 Hours

Our AI support agent was exfiltrating customer ticket data for three days before a cost anomaly alert fired. Here is what we missed and how we fixed it.

March 27, 2026 · AI · 10 min read

Our AI Rate Limiter Decided 0 Requests Per Second Was the Correct Limit at 2 AM

We built an AI-powered adaptive rate limiter that monitored traffic patterns and adjusted limits automatically. At 2:07 AM on a Saturday, it analyzed an anomalous traffic spike, classified it as a DDoS attack, and set our public API rate limit to 0 requests per second. It was our own mobile app doing a scheduled sync.

March 26, 2026 · AI · 10 min read

We Let Claude Write Our Database Migrations — Here's What It Silently Deleted

We used Claude to clean up deprecated columns from our users table. The migration ran in 180ms. What we didn't know: a billing service in a separate repo was still reading those columns. 3,200 invoices went out with blank shipping addresses before anyone noticed. Recovery took 14 hours.

March 25, 2026 · AI · 11 min read

We Asked GPT-4 to Review Our Pull Requests for 30 Days — It Approved the Bug That Took Down Prod

We integrated GPT-4 as an automated code reviewer into our GitHub Actions pipeline. Over 30 days it caught 61 real issues. Then it approved a subtle auth bypass that left 23 admin routes unprotected for 11 days — because the bug lived across three files that were never in the diff.

March 24, 2026 · Security · 10 min read

Our Next.js Middleware Silently Bypassed Auth on 23 Admin Routes for 11 Days

After migrating to Next.js 15 App Router, our JWT verification middleware silently failed on Edge Runtime — leaving 23 admin API routes accessible without a valid token for 11 days before a security audit caught it.

March 21, 2026 · Architecture · 10 min read

One kafka-consumer-groups.sh Command Sent $180k in Duplicate Payments

A single Kafka offset reset to --to-earliest replayed 3 hours of payment events on a live consumer group. Here is exactly what happened and how we fixed it.

March 21, 2026 · Mobile · 10 min read

The CodePush Update That Silently Bricked 40,000 React Native Users for 72 Hours

We pushed a JavaScript bundle via CodePush — no app store review, instant delivery, zero validation. By the time Sentry caught it, 40,000 users had a white screen and no clean rollback path existed.


Blog — Page 4 | Darshan Turakhia