Blog

Research & findings

Analysis from scanning thousands of recently shipped products.

New

Scanner comparisons

Side-by-side comparisons of every security scanner targeting vibe-coded apps.

See all comparisons →
Case StudyJuly 17, 2026

The .env File Your Web Server Is Serving to the Internet

In a scan of 12,000+ recently launched apps, 17 had their .env file accessible over HTTP. One file, every production secret, no authentication required.

Read →

ExplainerJuly 3, 2026

What Happens in the First 5 Minutes After You Leak an API Key

Automated bots detect leaked API keys within seconds of a commit being pushed. Here is the minute-by-minute timeline of what happens next, and why deleting the key in the next commit does not help.

Read →

Case StudyJune 19, 2026

Your Supabase Database Is Probably Public Right Now

CVE-2025-48757 exposed 170+ Lovable-generated apps with missing Row Level Security. One breach leaked 18,000 student and educator records. If you used an AI tool to create your Supabase tables, your data is likely wide open.

Read →

Case StudyJune 5, 2026

Your Deployed App Is Serving Its Own Source Code

73 out of 12,000 recently launched apps had their .git directory accessible over HTTP. An exposed .git directory lets an attacker reconstruct the entire repository, including every secret ever committed.

Read →

Case StudyMay 21, 2026

A Founder Lost $2,500 Because His AI-Coded App Shipped a Stripe Secret Key in the Frontend

An AI coding tool put a live Stripe secret key directly in frontend JavaScript. Bots found it, charged 175 customers $500 each, and the founder ate $2,500 in processing fees.

Read →

ResearchApril 15, 2026

We Scanned 12,000 Vibe-Coded Apps. Not One Came Back Clean.

Across 12,000 recently launched products, every single app had at least one security finding. Here is what we found, and why the pattern is predictable.

Read →

Blog | Talon