leo: 'guys, I'm under attack'
The canonical cautionary tale, live-tweeted as it happened.
Open x.com →AI tools routinely ship apps with API keys in the frontend and database security (like Supabase Row Level Security) switched off; scans found roughly 1 in 10 vibe-coded apps leaking credentials. The fixes are boring and learnable: keep secrets out of client code, turn on RLS for every table, run your platform's built-in security scanner before launch, and never announce 'I built this with zero code' until you have. Real casualties (Enrichlead, Moltbook) show attackers actively hunt vibe-coded apps.
A quick orientation. The real value is below: resources worth your time, from people who've actually done it.
The canonical cautionary tale, live-tweeted as it happened.
Open x.com →Top security researchers dissect the biggest vibe-coded breach yet.
Open wiz.io →The mainstream account of what unreviewed AI code cost.
Open fortune.com →The most practical pre-launch checklist written for non-engineers.
Open aikido.dev →First-party guide to the built-in scanners and what they catch.
Open lovable.dev →The scan data plus engineers explaining exactly how leaks happen.
Open news.ycombinator.com →Step-by-step hardening you can do without an engineer.
Open fencer.dev →Based on an audit that found 10.3% of Lovable apps leaking data.
Open hacknope.com →Compares the scanners that check your app automatically.
Open vibeappscanner.com →An independent bake-off, not vendor claims.
Open dev.to →The security-industry read on the breach mechanics.
Open infosecurity-magazine.com →The full Enrichlead post-mortem with the lessons spelled out.
Open pivot-to-ai.com →Builders sharing which mistakes they personally shipped.
Open indiehackers.com →The vulnerability stats behind the anecdotes.
Open getautonoma.com →A roundup of early incidents and the patterns they share.
Open techstartups.com →Fresh scan data on how many live apps still have RLS off.
Open supaexplorer.com →Security, scaling, and survival tactics in one founder-level doc.
Open shareuhack.com →A vibe-coding platform's own pre-launch warnings.
Open getcreatr.com →One dashboard that scans AI-generated code, secrets, and dependencies.
Open aikido.dev →