VIBE CODING SECURITY WEEKLY — APR 29 - MAY 11, 2026

The week vibe-coding security broke into mainstream press. RedAccess scanned 380,000 publicly accessible apps built with Lovable, Base44, Replit, and Netlify; roughly 5,000 of them are leaking corporate or personal data to anyone with a URL. WIRED and Axios verified independently. Meanwhile, defenders shipped (Replit’s Security Agent + Workspace Security Center 2.0, Vercel Deepsec) and attackers shipped (TrustFall against AI coding CLIs, OpenClaw / CLI-Anything against the agent-integration layer). Here is the week, with sources.

TL;DR — The week in one paragraph

• RedAccess, May 7-10: Israeli firm RedAccess (led by Dor Zvi) found 380,000 publicly accessible vibe-coded assets, ~5,000 (1.3%) exposing sensitive corporate or personal data — medical records, doctor-patient summaries, ad-purchase strategies, clinical trial documents, and incident-response records from a security company. WIRED and Axios verified separately. Phishing sites impersonating Bank of America, Costco, FedEx, Trader Joe’s, and McDonald’s were also found hosted on Lovable’s own infrastructure.
• TrustFall, May 7: A new class of attack against AI coding agents — Claude Code, Cursor CLI, Gemini CLI, GitHub Copilot CLI. The attack exploits prompt injection at the agent’s context-ingestion boundary. Reported by The Cipher (Australia); flagged against Australian Privacy Act + SOCI Act obligations.
• OpenClaw / CLI-Anything, May 6: University of Hong Kong’s Data Intelligence Lab tool CLI-Anything (30,000+ GitHub stars since March) turns any open-source repo into a CLI that AI coding agents can drive. Researchers showed one command can convert a repo into a backdoor for Claude Code, Codex, OpenClaw, Cursor, GitHub Copilot CLI. The attack lives in the agent-integration layer — config files, skill definitions, natural-language instructions — invisible to SAST and SCA.
• Replit, May 4-8: Agent 4 (released March 11) ships Design Canvas + parallel agents. Security Agent (announced April 21) scans for vulns and audits dependencies using Semgrep + HoundDog.ai in ~15 minutes. Workspace Security Center 2.0 launched May 8, surfaces highest-risk projects to platform users.
• Vercel, May 5: Open-sourced Deepsec, a framework to “find and fix vulnerabilities in your code base.” Vercel’s response to the Context.ai breach lineage — putting its own security framework into the codegen stack.

What did RedAccess actually find?

On May 7, 2026, WIRED published the RedAccess findings: thousands of vibe-coded apps publicly exposing private data. Axios independently verified the next day. The full numbers, per Cloud Tech Report and PPC.land’s writeup:

• 380,000 publicly accessible assets — applications, databases, infrastructure — built with Lovable, Base44, Replit, and Netlify
• ~5,000 (1.3%) contained sensitive corporate data
• Exposed material includes: patient conversations at a children’s long-term care facility, hospital doctor-patient summaries, incident response records at a security company, ad-purchasing strategies, clinical trial information, unredacted customer conversations

The mechanism is uglier than the numbers. Per RedAccess CEO Dor Zvi: privacy settings on several vibe-coding platforms default to publicly accessible. Users must manually switch them to private. Google then indexes the public URLs. Anyone can stumble across them.

Zvi’s framing, quoted in multiple outlets: “I don’t think it’s feasible to educate the whole world around security. My mother is vibe coding with Lovable, and no offense, but I don’t think she will think about role-based access.”

Beyond the data exposure, RedAccess flagged phishing sites hosted on Lovable’s own domain infrastructure — impersonating Bank of America, Costco, FedEx, Trader Joe’s, and McDonald’s. Built using Lovable’s tools, abandoned on Lovable’s subdomains, indexed by Google.

Wix (Base44’s parent) responded via PR head Blake Brodie. Lovable’s own response, at the time of writing, has not been widely reported.

The historical anchor: in October 2025, Escape.tech scanned 5,600 vibe-coded apps and found similar exposure rates. RedAccess’s number is 68x larger by total assets, ~3x higher absolute count of exposed sensitive data. The category isn’t new. The press coverage is.

This is the empirical companion piece to SecureVibeBench (which measured AI agents producing correct-and-secure code 23.8% of the time): the lab measurement and the field measurement now agree.

What is TrustFall?

The Cipher disclosed on May 7, 2026 a new attack class called TrustFall targeting AI coding agents at the CLI layer: Claude Code, Cursor CLI, Gemini CLI, GitHub Copilot CLI.

The mechanic, simplified:

1. AI coding agents ingest environment context — codebase, dependencies, project conventions, skill files. That ingestion is what makes them useful.
2. A malicious open-source package, compromised repo, or poisoned template can plant instructions inside that context.
3. The agent, doing exactly what it was designed to do (execute helpful actions on the developer’s behalf), runs those instructions — with file system access, shell execution rights, and the developer’s OAuth tokens to the SaaS stack.

The Cipher’s framing is sharp: “AI coding agents have gone from curiosity to critical infrastructure in about 18 months. The attack surface these agents represent has scaled with their adoption — but the security model largely hasn’t.”

Concrete consequence: an OAuth-token compromise via a poisoned skill file is now a supply-chain incident that hits cloud infrastructure or customer data. Under Australian SOCI Act obligations, it’s a reportable event.

TrustFall is the named version of what Snyk found in agent skills (13.4% of 3,984 skills had critical issues) and what we covered in the integration-layer post: scanners see code, attackers see the glue.

Who is OpenClaw, and what did CLI-Anything just prove?

CLI-Anything — a tool from the Data Intelligence Lab at the University of Hong Kong — launched in March 2026 and reached 30,000+ GitHub stars. The pitch: point it at any source repo and it auto-generates a structured CLI that AI coding agents can drive with a single command. Supported agents: Claude Code, Codex, OpenClaw, Cursor, GitHub Copilot CLI.

The security implication, per Mind Fortunes on May 6, 2026: traditional supply-chain security operates on two layers — the code layer (SAST: scan source for vulns) and the dependency layer (SCA: check package versions for known issues). CLI-Anything lives in a third place these scanners don’t watch:

The agent-integration layer — config files, skill definitions, and natural-language instruction sets that guide AI agents on how to interact with software.

A poisoned CLI-Anything-generated CLI is not a tampered binary and not a vulnerable dependency. It’s an instruction-set poisoning that no SAST/SCA tool has a detection category for.

The OpenClaw proof: one command, any repo, instant agent backdoor. The defender problem is now: how do you scan an attack surface that’s a natural-language instruction set?

This is the third week running we’ve covered a different incarnation of the same shape — Anthropic MCP RCE (Apr 23 digest), Snyk’s 13.4% agent-skills finding, now CLI-Anything. The trust boundary keeps moving.

What is Replit shipping?

Three discrete launches stacked into the period, per WorkTechJournal on May 4, 2026:

• Replit Agent 4 (March 11, 2026): Design Canvas (multi-layout generation), parallel agents, mobile app creation, multi-app projects. The product-pitch upgrade.
• Replit Security Agent (April 21, 2026): Scans for vulnerabilities and audits dependencies before publish. ~15 minute review using Semgrep + HoundDog.ai (hybrid SAST to reduce FPs). Maps routes/APIs and checks for SQL injection, XSS, CSRF.
• Workspace Security Center 2.0 (May 8, 2026): A dashboard that surfaces highest-risk projects across an org’s Replit workspace.

WorkTechJournal’s headline framing — “Replit Agent 4 shows why vibe coding still needs product discipline” — names the gap that the same RedAccess data shows in numbers: the demo-to-launch gap. The app works. It’s not ready.

Important context for the platform-comparison: Replit is in the RedAccess exposure dataset. They’re shipping in-platform security tooling at the same week they’re being publicly cited for exposed apps. Whether the Security Agent gets enabled by default, runs on already-published apps, or only gates new publishes determines whether the 380K number gets smaller next quarter or stays flat.

What is Vercel Deepsec?

On May 5, 2026, Vercel open-sourced Deepsec — a framework for “find and fix vulnerabilities in your code base.”

Three months after Context.ai (covered in the Apr 23 digest) and one Forrester analyst note later (Game Over For Trust, the Vercel breach analysis), Vercel is putting a security framework into the codegen stack itself. The open-source posture is also a play for credibility: Symbiotic Security, Wiz, and Aikido each shipped proprietary AI-security products in the last six weeks. Vercel is the first to open the source.

Worth watching: whether Deepsec ships with rules that catch the integration-layer issues from the RedAccess scan (default-public Lovable, missing RLS, exposed env vars) or whether it stays in the code-scanner lane and misses the same things SAST tools already miss.

Bottom line

Five stories, one shape: the agent-integration layer got named, measured, and weaponized in the same week.

• RedAccess measured it: 380,000 assets, 5,000 leaking, the defaults are the breach.
• TrustFall weaponized the agent’s context-ingestion boundary.
• CLI-Anything proved the supply chain extends into natural-language instruction sets that SAST/SCA can’t see.
• Replit Security Agent and Vercel Deepsec are the platform-side responses — both useful, neither sufficient yet.
• The press picked it up. WIRED, Axios, and Forbes-tier coverage of vibe-coding-app exposure is new.

Last week our integration-layer post argued that scanners cover one quarter of secure and the integration layer is the rest. The 380,000-app RedAccess scan is the empirical version of that argument. We didn’t plan that timing.

Related reading

• Vibe Coding Security Weekly — Apr 28, 2026 — last week’s digest (Wiz Red Agent, SecureVibeBench at 23.8%, Red Gate DB failure patterns, Forrester analyst note)
• Vibe Coding Security Weekly — Apr 23, 2026 — the week before (Lovable 48-day leak, MCP RCE, Gitar, Aikido Endpoint)
• The Integration Layer Is the Real Security Gap — our argument for why scanners miss the RedAccess findings
• Your CLAUDE.md Is Attack Surface — Snyk’s 13.4% number, prior art for the TrustFall and CLI-Anything attack pattern
• Vercel Breach via Context.ai — the lineage that produced Deepsec

Sources

• WIRED — Thousands of vibe-coded apps expose corporate and personal data on the open web — May 7, 2026
• Cloud Tech Report — 5,000 vibe-coded apps just proved shadow AI is the new S3 bucket crisis — May 8, 2026
• PPC.land — Vibe-coded apps are exposing corporate and personal data to the open web — May 10, 2026
• AI2Work — Vibe Coding’s Security Reckoning: 380,000 Apps Expose Corporate Data — May 8, 2026
• The Cipher — When Your AI Coding Agent Becomes the Attacker: The TrustFall Vulnerability — May 7, 2026
• Mind Fortunes — One command turns any open-source repo into an AI agent backdoor (OpenClaw) — May 6, 2026
• WorkTechJournal — Replit Agent 4 Shows Why Vibe Coding Still Needs Product Discipline — May 4, 2026
• Vercel — Introducing Deepsec: Find and Fix Vulnerabilities in Your Code Base — May 5, 2026
• CodeCut — Bandit: Audit AI-Generated Python for Security Flaws — May 10, 2026

This digest is compiled from public reporting. VibeEval is not affiliated with RedAccess, Lovable, Base44, Replit, Netlify, Vercel, or the TrustFall / CLI-Anything researchers. Questions? Contact our team.