Two Thousand Vibe-Coded Apps Are On The Internet With No Access Controls. Sixteen Days Ago Our Lovable Audit Said This Was Coming. The Pyramid Is Built.
- Patrick Duggan
Sixteen days ago we published a post titled "Your Lovable App Is a Spreadsheet. Mine Has Crons." The thesis was that the AI development economy in 2026 has produced an enormous population of demos that the demo authors believe are products, that the production loop — telemetry, regressions, runbooks, paying customers who would notice if the cron missed at three in the morning — does not exist inside a Lovable preview pane, and that the hackathon-class output is going to land on the internet as a population of unaudited deployments with the default platform settings still in place. We then published a companion post the same day with a thirty-app audit script and a remediation checklist. We expected the receipt to arrive within weeks.
This week the receipt arrived. The Hacker News published research on May 29 identifying over two thousand corporate applications built on AI coding platforms — Lovable, Replit, Base44, and the broader vibe-coding stack — sitting on the public internet without basic access controls. The earlier May 7 RedAccess report we cited in our own audit had already scanned five thousand-plus applications across the same platforms and found forty percent exposing data. The May 29 number is the corporate slice of that population. The pyramid of frames we have been writing for the last seventeen days is now complete on all three axes, and the three axes corroborate each other across independent researcher pipelines.
The Three-Axis Pyramid
Three orthogonal signals determine whether a frame has depth or whether it is surface noise. The frame we have been writing reaches the depth threshold this week.
The first axis is the spending vacuum, reported yesterday by Tom's Hardware citing an Axios story about an unnamed corporation that spent five hundred million dollars on Claude in a single month after failing to set usage limits on employee licenses. The article is paraphrased widely enough that the specific corporation matters less than the population shape. Large enterprises are routing employee productivity through AI tooling at a velocity and a scale that exceeds the cost-control infrastructure those enterprises have built. The half-billion-dollar single-month bill is the upper bound of the distribution. The lower bound is every enterprise that has not yet been audited at the line-item level for AI consumption. The Amazon internal AI usage leaderboard, scrapped last week per a Financial Times report, is the public-facing artifact of the same problem inside the larger of the two cloud hyperscalers. Both of these are the cost axis.
The second axis is the targeting receipt. Our post yesterday at 08:19 named the Malware-Slop campaign — the npm package mouse5212-super-formatter that authenticates to GitHub and exfiltrates the entire /mnt/user-data directory tree, which is the working directory Anthropic's Claude tool uses to handle uploads and outputs in the background. The campaign is small in download count (approximately six hundred seventy-six at disclosure) and unsophisticated in operator OPSEC (the malicious package leaked its own GitHub token). The novelty is the target. Malware-Slop is the first widely-reported receipt for an attack that explicitly targets an AI-tool working directory as the primary exfiltration surface. The same shape generalizes immediately to Cursor's working buffer, Copilot's context window, ChatGPT Code Interpreter's /mnt/data, Replit Agent's project root, and every other AI-assistant tool with a privileged working directory the developer treats with less caution than they treat their git repo.
The third axis is the artifact receipt. Two thousand corporate applications, built on vibe-coding platforms, currently exposed on the open internet without access controls. The May 7 RedAccess number across the broader platform population is five thousand applications with forty percent exposing data. Our own May 14 audit of thirty curated apps from the Lovable discover feed found that every one of them was missing the same three response headers — Content-Security-Policy, X-Frame-Options, and Permissions-Policy — a finding consistent with a platform-default that the platform has not configured and that the application authors have not been told to configure themselves. The schema-leak oracle we identified, where a Supabase backend returns HTTP 200 with an empty JSON array rather than 404 when row-level security filters all rows, lets a scanner walk a common-table-name list and confirm schema without ever reading a row. Four of our five backend apps leaked schema this way. All three numbers — the RedAccess five thousand, our thirty-app audit, and the new two thousand-app corporate slice — describe the same underlying artifact. The platform default settings are not security defaults. The application authors do not know they need to configure the defaults themselves. The platforms have not built a guard rail that makes the default safe. The deploy button works, and what gets deployed is online, and what is online is a CRUD app pointing at a backend that will answer questions from any caller on the public internet who knows how to phrase the question.
The Three Axes Corroborate
A frame with one axis is a triangle. Two axes is a wedge. Three independent axes is the pyramid. The pyramid is what tells you the frame has depth rather than narrative gravity.
The cost axis says the spending is unbounded.
The targeting axis says the adversaries have identified the spending population as a target whose specific assets — the AI-tool working directory in particular — are now actively in scope.
The artifact axis says the spending population has shipped a measurable, internet-facing, externally-confirmable inventory of vulnerable deployments that the targeting population can identify with passive scanning at corporate-IP-range granularity.
The three axes are causally connected without requiring causal claims. The cost axis describes the spend. The artifact axis describes what the spend produced. The targeting axis describes the operators reading the artifact axis and identifying the spending axis as a high-yield target population. The corporation spending five hundred million dollars on Claude in one month is the same corporation, statistically, that is in the two thousand-app exposed corporate slice and on the Malware-Slop downstream target list. The three reports are not the same report. They are independent reports of the same underlying population dynamic. That is corroboration. That is the pyramid.
The Production Loop Still Does Not Exist In A Preview Pane
We said this sixteen days ago and we will say it again because the receipt arriving does not relieve the original framing. Production has crons. Production has a three-in-the-morning page when the cron misses. Production has a runbook for the page. Production has a regression log four entries deep on the same cron. Production has a customer who would notice if the cron did not run, and an operator who absorbs the notice and ships the fix before the customer's second escalation.
The hackathon-class output that landed on the two thousand-app exposed list does not have any of these things. The deploy button worked. The dashboard mockup loaded. The Supabase free-tier connection accepted the anonymous key. The platform defaults were the platform defaults. The application author logged off, ordered business cards, and updated the LinkedIn headline to "founder." The application has now been on the internet for an average of some indeterminate but non-trivial number of weeks during which whatever data the application accumulated has accumulated under the platform defaults rather than under any deliberate security posture. The fix for any individual app is a thirty-minute audit, an eight-item checklist, and a CSP header. The fix for the population is a platform-default change that the platforms have not yet shipped, plus an audit habit the application author population has not yet built, plus a procurement-tier policy that enterprise security teams have not yet written into the contract language that governs which deploy buttons their employees are allowed to press.
The cost of the missing production loop, on the population scale, is the artifact axis of the pyramid we are looking at right now.
What To Do This Week
The constructive half. We have done this audit before and the methodology is in the open at our May 14 companion post. The eight-item checklist we published then remains the right checklist, and the priority order has not changed in seventeen days because the platform defaults have not changed in seventeen days. Open your browser developer tools on your deployed app. Check that Content-Security-Policy is in the response headers. Confirm that every Supabase table with sensitive data has at least one row-level security policy that is not "true for all roles." Search your JavaScript bundle for the string service_role and confirm it is not present. Visit your-app-url/.env in a browser and confirm it returns the same response as a random unknown path. Read the rest of the checklist in the May 14 post. Apply the items.
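An added example (not the audit script from the May 14 post, which is not reproduced here) of the header, bundle and /.env checks above, run offline over responses captured from your own deployment. It goes one step beyond the plain string search: it assumes legacy JWT-format Supabase keys, where the role claim sits base64url-encoded in the token payload and never appears as the literal text service_role. The function names and sample values are constructed for illustration.

```python
import base64, hashlib, json, re

REQUIRED = ("content-security-policy", "x-frame-options", "permissions-policy")
JWT_RE = re.compile(r"eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")   # three base64url segments

def jwt_role(token):
    """Return the 'role' claim of a JWT-shaped string, or None if undecodable."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)               # restore stripped padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, AttributeError):
        return None

def same_response(a, b):
    """True when two (status, body) captures are indistinguishable."""
    return a[0] == b[0] and hashlib.sha256(a[1]).digest() == hashlib.sha256(b[1]).digest()

def audit(headers, bundle, env_resp, unknown_resp):
    """Apply the header, bundle and /.env checks to responses from your own app."""
    present = {name.lower() for name in headers}       # header names are case-insensitive
    findings = [f"missing header: {h}" for h in REQUIRED if h not in present]
    if "service_role" in bundle:
        findings.append("bundle contains the literal string service_role")
    if any(jwt_role(t) == "service_role" for t in set(JWT_RE.findall(bundle))):
        findings.append("bundle embeds a JWT whose role claim is service_role")
    if not same_response(env_resp, unknown_resp):
        findings.append("/.env answers differently from an unknown path")
    return findings

def make_token(role):
    """Constructed, unsigned JWT-shaped sample; not a real key."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "HS256", "typ": "JWT"}), seg({"iss": "supabase", "role": role}), "sample-sig"])

# Constructed capture: what you would copy out of devtools for your own deployment.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
SAMPLE_BUNDLE = 'const db = createClient("https://project.example", "' + make_token("service_role") + '");'
SAMPLE_ENV = (200, b"SUPABASE_URL=https://project.example\n")
SAMPLE_UNKNOWN = (200, b"<!doctype html><div id=root></div>")

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_BUNDLE, SAMPLE_ENV, SAMPLE_UNKNOWN):
        print(finding)
```

The /.env comparison is against an unknown path rather than against a 404 because single-page app hosting commonly answers every path with the same 200 index page.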
For the enterprise tier, the question is broader. Which vibe-coding deployments inside the perimeter are spending on the corporate AI account that nobody has audited yet? Which of those deployments have made it to the internet on a corporate IP range or a corporate-controlled subdomain? Which of them are routing data to a Supabase or Firebase or PlanetScale or Neon backend with anonymous credentials embedded in the JS bundle? Which of them have ever been audited for the eight items in our May 14 checklist? The procurement-tier security posture treats vibe-coded apps as outside the perimeter because the platforms are SaaS, and the SaaS pitch is that the platform handles the security. The pitch is incomplete. The platform handles part of the security. The application author is required to handle the rest. The application author has not been told this in plain language. The pyramid that completed itself this week is the receipt for what happens when an entire population is not told in plain language.
The Adjacent Vectors Worth Naming
The three axes of the pyramid are not the only signals in this week's feed. The Hacker News reported a previously undocumented Russia-linked threat group named GREYVIBE that is conducting AI-powered spear-phishing and fake-CAPTCHA campaigns against Ukraine — a named net-new actor with zero prior hits in our adversaries index, which we will be back-filling against in the next operator-profile pass. North Korea's Kimsuky group expanded its tradecraft this week with HTTPSpy and the abuse of VS Code Tunnels for command and control, which is the same trust-path-abuse shape as the Nx Console compromise we wrote about yesterday morning. The Marimo CVE-2026-39987 disclosure walked through how attackers used an LLM agent to conduct hands-on-keyboard post-exploitation activity against publicly accessible Marimo notebooks — the first widely-reported case of LLM-in-the-loop tradecraft against a CVE we have read this year. A malicious Sicoob NuGet package was disclosed by The Hacker News this week stealing Brazilian banking credentials, alongside companion npm packages targeting cloud secrets — the package-evaluation arc continues from the registry side. Dutch authorities took down a botnet of seventeen million infected devices and seized over two hundred servers — the law-enforcement-takedown counterweight to the rest of the week's news.
Each of these is its own piece. The line through them, this week, is the same line we have been writing for two months. The trust paths between systems are the surfaces under active exploitation in 2026. The cost axis describes what defenders are spending to keep up. The targeting axis describes what adversaries are spending to take advantage. The artifact axis describes what is left after both sides have spent. The pyramid is what shows up when all three axes are present at once.
The Honest Closer
We have a Lovable audit script in the open. We will run it against one URL on request, free, the same offer we made on May 14. The methodology has not changed. The findings will not surprise you. The CSP header is still missing. The Supabase backend is still probably fine on row-level security. The schema leak is still probably present. The eight-item checklist is still the right checklist.
The pyramid is built. Sixteen days. Three axes. Independent reports corroborating. The Lovable preview pane is the preview pane. The production loop is the production loop. The deploy button is the deploy button. The customer who would notice the cron missing at three in the morning is still the test. Run the test. Publish the receipt.
