5,000 vibe-coded apps just proved shadow AI is the new S3 bucket crisis

Source: VentureBeat · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Cloud Computing & IT Infrastructure · Depth: Intermediate, medium

Summary

New research from Israeli cybersecurity firm RedAccess reveals a significant security gap stemming from "vibe coding" platforms like Lovable, Base44, Replit, and Netlify. The firm identified 380,000 publicly accessible assets, including applications and databases, built using these tools. Approximately 5,000 (1.3%) of these assets contained sensitive corporate information, such as shipping manifests, clinical trial data, customer service conversations, and internal financial records. This exposure is largely due to default public privacy settings and the indexing of these applications by search engines. Independent verification by Axios and Wired confirmed these findings. This issue is exacerbated by "shadow AI," with IBM's 2025 report indicating that 20% of organizations experienced breaches linked to unsanctioned AI, adding $670,000 to the average breach cost.

Key takeaway

For CISOs and security leaders assessing their organization's attack surface, the proliferation of vibe-coded applications represents a critical, often invisible, risk. You should immediately implement discovery scanning for Lovable, Replit, Base44, and Netlify subdomains tied to corporate assets, block unauthenticated apps from internal data, and extend your existing AppSec and DLP pipelines to cover these deployments. Proactive measures are essential to prevent data breaches and regulatory non-compliance from these shadow IT deployments.

Key insights

Vibe-coded apps, often public by default, create a vast attack surface for sensitive corporate data.

Method

RedAccess conducted DNS and certificate transparency scans to discover publicly exposed applications and infrastructure built on vibe coding platforms, then verified sensitive data exposure.
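A defender can run the same kind of discovery over its own data. The sketch below is an added example, not RedAccess's tooling or code from the original article: it triages hostnames taken from an organization's own DNS resolver logs or a certificate transparency export and flags apps hosted on these platforms. The platform suffixes, the `acme` brand token and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: triage hostnames for vibe-coded app discovery.
# ASSUMPTION: these hosting suffixes; confirm them against each platform's docs.
PLATFORM_SUFFIXES = {
    "lovable.app": "Lovable",
    "base44.app": "Base44",
    "replit.app": "Replit",
    "netlify.app": "Netlify",
}

def normalize(name):
    """Lower-case, drop a trailing root dot and a leading CT wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def platform_of(host):
    """Return (platform, app_label) for a subdomain of a known platform, else None.
    Compares whole DNS labels, so 'notlovable.app', the bare apex and
    'x.replit.app.example.com' are not matched."""
    labels = host.split(".")
    for suffix, platform in PLATFORM_SUFFIXES.items():
        tail = suffix.split(".")
        if len(labels) > len(tail) and labels[-len(tail):] == tail:
            return platform, ".".join(labels[:-len(tail)])
    return None

def triage(hostnames, brand_tokens):
    """De-duplicate, classify and mark apps whose name contains a corporate token."""
    findings = {}
    for raw in hostnames:
        host = normalize(raw)
        hit = platform_of(host)
        if hit is None:
            continue
        platform, app = hit
        matched = sorted(t.lower() for t in brand_tokens if t.lower() in app)
        findings[host] = {"host": host, "platform": platform, "brand_match": matched}
    return [findings[h] for h in sorted(findings)]

# Constructed sample input (not real hostnames from the research).
SAMPLE = [
    "acme-shipping-manifests.lovable.app.",
    "ACME-HR-Portal.netlify.app",
    "acme-shipping-manifests.lovable.app",   # duplicate after normalization
    "weekend-recipes.base44.app",
    "notlovable.app",                        # look-alike, must not match
    "demo.replit.app.example.com",           # suffix in the middle, must not match
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, ["acme"]):
        print(finding)
```

Hosts with a non-empty `brand_match` are the ones to check first for authentication and data exposure; the rest still indicate use of these platforms from the network.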

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, Consultant

Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.