Most enterprise security programs were built to protect servers, endpoints, and cloud accounts. None of them was built to find a customer intake form that a product manager vibe coded on Lovable over a weekend, connected to a live Supabase database, and deployed on a public URL indexed by Google. That gap now has a price tag.

New research from Israeli cybersecurity firm RedAccess quantifies the scale. The firm discovered 380,000 publicly accessible assets, including applications, databases, and related infrastructure, built with vibe coding tools from Lovable, Base44, and Replit, as well as deployment platform Netlify. Roughly 5,000 of those assets, about 1.3%, contained sensitive corporate information. CEO Dor Zvi said his team found the exposure while researching shadow AI for customers. Axios independently verified multiple exposed apps, and Wired confirmed the findings separately.

Among the verified exposures: a shipping company app detailed which vessels were expected at which ports. An internal health company application listed active clinical trials across the U.K. Full, unredacted customer service conversations for a British cabinet supplier sat on the open web. Internal financial information for a Brazilian bank was accessible to anyone who found the URL.

The exposed data also included patient conversations at a children’s long-term care facility, hospital doctor-patient summaries, incident response records at a security company, and ad purchasing strategies. Depending on jurisdiction and the data involved, the healthcare and financial exposures may trigger regulatory obligations under HIPAA, UK GDPR, or Brazil’s LGPD.

RedAccess found phishing sites built on Lovable that impersonated Bank of America, FedEx, Trader Joe’s, and McDonald’s. Lovable said it had begun investigating and removing the phishing sites.

The defaults are the problem

Privacy settings on several vibe coding platforms make apps publicly accessible unless users manually switch them to private. Many of these applications get indexed by Google and other search engines. Anyone can stumble across them. Zvi put it plainly: “I don’t think it’s feasible to educate the whole world around security. My mother is [vibe coding] with Lovable, and no offense, but I don’t think she will think about role-based access.”

This is not an isolated finding

In October 2025, Escape.tech scanned 5,600 publicly available vibe-coded applications and found more than 2,000 high-impact vulnerabilities, over 400 exposed secrets including API keys and access tokens, and 175 instances of personal data exposure containing medical records and bank account numbers. Every vulnerability Escape found was in a live production system, discoverable within hours. The full report documents the methodology. Escape separately raised an $18 million Series A led by Balderton in March 2026, citing the security gap opened by AI-generated code as a core market thesis.

Gartner’s “Predicts 2026” report forecasts that by 2028, prompt-to-app approaches adopted by citizen developers will increase software defects by 2,500%. Gartner identifies a new class of defect where AI generates code that is syntactically correct but lacks awareness of broader system architecture and nuanced business rules. The remediation costs for these deep contextual bugs will consume budgets previously allocated to innovation.

Shadow AI is the multiplier

IBM’s 2025 Cost of a Data Breach Report found that 20% of organizations experienced breaches linked to shadow AI. Those incidents added $670,000 to the average breach cost, pushing the shadow AI breach average to $4.63 million. Among organizations that reported AI-related breaches, 97% lacked proper access controls. And 63% of breached organizations had no AI governance policy in place.

Shadow AI breaches disproportionately exposed customer personally identifiable information at 65%, compared to 53% across all breaches, and affected data distributed across multiple environments 62% of the time. Only 34% of organizations with AI governance policies performed regular audits for unsanctioned AI tools. VentureBeat’s shadow AI research estimated that actively used shadow apps could more than double by mid-2026. Cyberhaven data found 73.8% of ChatGPT workplace accounts in enterprise environments were unauthorized.

What to do first

The audit framework below gives CISOs a starting point for triaging vibe-coded app risk across five domains.

The CISO who treats this as a policy problem will write a memo. The CISO who treats this as an architecture problem will deploy discovery scanning across the four largest vibe coding domains, require pre-deployment security review, extend the existing AppSec pipeline to citizen-built apps, and add those domains to DLP rules before the next board meeting. One of those CISOs avoids the next headline.

The vibe coding exposure RedAccess documented is not a separate problem from shadow AI. It is shadow AI’s production layer. Employees build internal tools on platforms that default to public, skip authentication, and never appear on any asset inventory, which means the applications stay invisible to security teams until a breach surfaces or a reporter finds them first. Traditional asset discovery tools were designed to find servers, containers, and cloud instances. They have no way to find a marketing configurator that a product manager built on Lovable over a weekend, connected to a Supabase database holding live customer records, and shared with three external contractors through a public URL that Google indexed within hours.

The detection challenge runs deeper than most security teams realize. Vibe-coded apps deploy on platform subdomains that rotate frequently and often sit behind CDN layers that mask origin infrastructure. Organizations running mature, secure web gateways, CASB, or DNS logging can detect employee access to these domains. But detecting access is not the same as inventorying what was deployed, what data it holds, or whether it requires authentication. Without explicit monitoring of the major vibe coding platforms, the apps themselves generate a limited signal in conventional SIEM or endpoint telemetry. They exist in a gap between network visibility and application inventory that most security stacks were never architected to cover.

The platform responses tell the story

Replit CEO Amjad Masad said RedAccess gave his company only 24 hours before going to the press. Base44 (via Wix) and Lovable both said RedAccess did not include the URLs or technical specifics needed to verify the findings. None of the platforms denied that the exposed applications existed.

Wiz Research separately discovered in July 2025 that Base44 contained a platform-wide authentication bypass. Exposed API endpoints allowed anyone to create a verified account on private apps using nothing more than a publicly visible app_id. The flaw meant that showing up to a locked building and shouting a room number was enough to get the doors open. Wix fixed the vulnerability within 24 hours after Wiz reported it, but the incident exposed how thin the authentication layer is on platforms where millions of apps are being built by users who assume the platform handles security for them.

The pattern is consistent across the vibe coding ecosystem. CVE-2025-48757 documented insufficient or missing Row-Level Security policies in Lovable-generated Supabase projects. Certain queries skipped access checks entirely, exposing data across more than 170 production applications. The AI generated the database layer. It did not generate the security policies that should have restricted who could read the data. Lovable disputes the CVE classification, stating that individual customers accept responsibility for protecting their application data. That dispute itself illustrates the core tension: platforms that market to nontechnical builders are shifting security responsibility to users who do not know it exists.

What this means for security teams

The RedAccess findings complete the picture. Professional agents face credential theft on one layer. Citizen platforms face data exposure on the other. The structural failure is the same. Security review happens after deployment or not at all. Identity and access management systems track human users and service accounts. They do not track the Lovable app a sales operations analyst deployed last Tuesday, connected to a live CRM database, and shared with three external contractors via a public URL.

Nobody asks whether the database policies restrict who can read the data or whether the API endpoints require authentication. When those questions go unasked at AI-generation speed, the exposure scales faster than any human review process can match. The question for security leaders is not whether vibe-coded apps are inside their perimeter. The question is how many, holding what data, visible to whom. The RedAccess findings suggest the answer, for most organizations, is worse than anyone in the C-suite currently knows. The organizations that start scanning this week will find them. The ones that wait will read about themselves next.

Spotify is leaning even harder into AI, and this time it wants your chatbot to double as a podcast producer.

The streaming service has launched a new beta feature called Save to Spotify. This lets AI agents like OpenClaw, Claude Code and OpenAI Codex generate personalised podcast-style audio briefings directly inside your Spotify library.

The idea is fairly simple: instead of reading through notes, schedules or research documents yourself, you can ask an AI assistant to turn them into an audio episode. You can then listen to it later. Spotify says the feature can handle everything from daily briefings and travel plans to study notes and deep dives into specific topics.

Once generated, the Personal Podcast is saved like a regular episode inside Spotify. It is ready to stream during a commute, workout or wherever else you normally catch up on podcasts.

Getting started is a little more developer-focused than Spotify’s usual features. Users need to install the Save to Spotify CLI tool from GitHub. Then they must connect their Spotify account through a browser login. After that, they prompt their AI agent to create a podcast. Spotify automatically adds the generated episode to the user’s library.

Spotify also shared a few examples of how to use the tool. One suggested prompt creates a five-minute morning briefing using your calendar, inbox and news feeds. Another turns holiday plans into an audio travel itinerary complete with restaurant recommendations and airport routes. You could even ask for a narrated explainer on this year’s World Cup.

The move shows how aggressively Spotify is embedding itself into the AI ecosystem beyond music streaming. The service already integrates with AI assistants like Claude and ChatGPT for playlist controls and recommendations. However, Save to Spotify pushes things much further by treating AI-generated audio as a first-class feature inside the app.

Spotify also quietly confirmed another AI update alongside the launch: users can now interact with the AI DJ in four additional languages beyond English and Spanish.

For now, Save to Spotify remains in beta. However, it’s a pretty clear sign of where Spotify sees the platform heading next — less passive listening, more AI-generated audio built around your own life.

Security

There’s a mysterious framework worming its way through exposed cloud instances removing all traces of TeamPCP infections, but it’s not benevolent by a long shot: Whoever is behind this bit of malware may be cleaning up who came before, but only so they can take their place.

Discovered by security outfit SentinelOne’s SentinelLabs researchers and dubbed PCPJack for its habit of stealing previously compromised systems from TeamPCP, the worm was first spotted in late April hiding among a Kubernetes-focused VirusTotal hunting rule. It stood out from known cloud hacktools, said SentinelLabs, because the first action it always takes is to eliminate tools associated with TeamPCP attacks. 

The script didn’t stop there, though.

“We initially considered that this toolset could be a researcher removing TeamPCP’s infections,” SentielLabs said. “Analysis of the later-stage payloads indicates otherwise.”

“Analyzing this script led us to discover a full framework dedicated to cloud credential harvesting and propagating onto other systems, both internal and external to the victim’s environment,” SentinelLabs continued. In other words, this thing will harvest credentials from everywhere it can get its hands on, and then find new, unsecured cloud environment targets to spread itself to. 

TeamPCP came onto the scene late last year, and since then has made a name for itself primarily by undertaking a successful compromise of the Trivy vulnerability scanner. That act spread credential-harvesting malware which attackers then used to pivot to more valuable targets, and became one of the most notable supply chain attacks in recent memory. 

Unlike TeamPCP’s campaign, which relied on the spread of compromised software by human actors, this one spreads on its own accord. 

Infections start when already-infected systems look for exposed services, including Docker, Kubernetes, Redis, MongoDB, and RayML, as well as exposed web applications. Once it finds a vulnerable environment, it runs a shell script on the target system that sets up an environment to download additional payloads and searches for TeamPCP processes and artifacts to kill. 

That part of the infection downloads the worm itself, along with modules to enable lateral movement, parse credentials and encrypt them for exfiltration, and for scanning the web for new environments to infect. 

From there, the worm goes to work with the second module in its kit that conducts the actual credential thefts. This portion of the infection targets environment variables, config files, SSH keys, Docker secrets, Kubernetes tokens, and credentials from a list of finance, enterprise, messaging, and cloud service targets so long that we recommend taking a look at it here, or just assuming whatever you’re using is probably being targeted. 

SentinelLabs noted that the lack of a cryptominer in the malware package is unusual, and said the particular services it targeted suggests its goal is either conduct its own spam campaigns and financial fraud with the stolen data, or to make the data it harvests available to those planning similar crimes. 

The worm’s practice of removing TeamPCP files could be opportunistic, or could mean there’s drama going on in the cybercrime world. 

“We have no evidence to suggest whether this toolset represents someone associated with the group or familiar with their activities,” SentinelLabs noted. “However, the first toolset’s focus on disabling and replacing TeamPCP’s services implies a direct focus on the threat actor’s activities rather than pure cloud attack opportunism.”

Because this is a worm relying on unsecured cloud and web app instances ripe for targeting, mitigation recommendations are pretty simple: Keep your cloud platforms secure, and ensure authentication is required even for instances of things like Docker and Kubernetes that aren’t exposed to the internet. ®

Hackers give operator Instructure until 12 May to ‘negotiate a settlement’.

Cyber extortion group ShinyHunters has claimed responsibility for a second breach into edtech giant Instructure – this time, for hacking into the Canvas login portal.

The hackers replaced the Canvas login page with a message that claimed responsibility for an earlier Instructure breach and threatened to leak stolen data if ransom demands aren’t met.

“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’,” the message seen by news publications read.

“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked,” it continued.

Bleeping Computer reported that the threat actors’ message appeared in around 330 educational institutions’ portals. It was up for approximately 30 minutes before being taken down. ShinyHunters told the publication that the stolen data contains private messages, user records and enrolment data.

Canvas is used by more than 8,000 educational institutions globally, including several in Ireland, such as the University of Galway and Munster Technological University (MTU). The platform enables communication between students and faculty, and provides coursework management and grading services.

Earlier this week, MTU informed users of a cybersecurity breach into Instructure, which it believed, at the time, did not affect its services. Yesterday (7 May), the institution advised caution, and told staff and students that Canvas remains safe to use.

Meanwhile, in a statement to SiliconRepublic.com, the University of Galway said: “Services have been restored following a relatively low level of disruption in the last 24 hours. We are continuing to liaise with the company affected to understand the full nature and extent of the breach.”

According to the company’s status page, Instructure first began experiencing issues at around 6.30pm Irish Standard Time yesterday. At the time of publication, the services are back online for “most users”.

Last Friday (1 May), Instructure disclosed that it experienced a cybersecurity incident perpetrated by a criminal threat actor. ShinyHunters claimed responsibility for the attack and claimed to have stolen 280m records. The threat actor also published a list of more than 8,800 institutions that were affected by its attacks on Canvas.

On 6 May, Instructure said the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses and student ID numbers, as well as as messages among users”.

In March, ShinyHunters was linked to a breach of the European Commission’s Europa.eu platform, where 350GB of data, across multiple databases, was reportedly accessed and stolen.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Updated 8 May, 12.34 pm: The article has been updated with a statement from the University of Galway.

Friday is the last day for your encrypted Instagram DMs. After May 8, the platform will no longer support the feature, it announced in a help post.

Instagram said in March that it would stop offering end-to-end encryption to its roughly 3 billion users worldwide. At the time, Meta said the feature, which required people on the platform to opt in, had a low adoption rate.

A Meta spokesperson told CNET that nothing has changed in its plans since that announcement and repeated a statement from March: “Very few people were opting in to end-to-end encrypted messaging in DMs, so we’re removing this option from Instagram in the coming months. Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp.”

WhatsApp is also owned by Meta.

Read more: I Tried Signal, Telegram and WhatsApp, and This Is the One I’d Recommend

The change means that there’s no longer the option to keep private messages on Instagram shielded from potentially prying eyes. By default, if law enforcement agencies are given access to someone’s Instagram messages, there’s no encryption to prevent them from reading them. With the option enabled, Instagram users could keep messages private, with only the keys on their devices able to unlock them. However, anyone in an encrypted chat could also share messages with Meta if they were reporting an incident, or with anyone else if they chose. 

How to get your encrypted messages

According to the help page message, you’ll be able to download any encrypted messages you have: “If you have chats that are affected by this change, you will see instructions on how you can download any media or messages you may want to keep,” the company said. “If you’re on an older version of Instagram, you may also need to update the app before you can download your affected chats.”

Cloudflare on Thursday joined a growing list of tech companies — including Meta, Microsoft, and Amazon — that have reported increased revenue alongside massive layoffs, attributing both trends to their use of AI.

Cloudflare, which provides internet security and performance services to millions of websites worldwide, announced it was cutting its workforce by approximately 20%, which equates to 1,100 people, it said as part of its first quarter 2026 earnings report on Thursday.

“We’ve never done something like this in Cloudflare’s history,” co-founder and CEO Matthew Prince said Thursday on the quarterly conference call, marking the first mass layoff in the company’s 16-year history. The company is cutting people from all teams and geographies except for salespeople who carry revenue quotas, CFO Thomas Seifert detailed on the call.

The news of the workforce cuts came as the company reported quarterly revenues of $639.8 million, a 34% year-over-year increase and the highest single quarter in the company’s history. However, this was coupled with a loss of $62.0 million compared with losing $53.2 million in the year-ago quarter.

That widening loss, even as revenue surged, highlights a familiar paradox in Cloudflare’s story: the company is growing fast but has yet to turn a consistent profit. But the loss was a smaller percentage of revenue, and the quarter was coupled with a lot of other positive indicators. For instance, Cloudflare reported that it had over $2.5 billion in “remaining performance obligations,” a year-over-year growth of 34%. RPO is the favorite metric these days to indicate revenue under contract but not yet delivered.

Hence, Prince insisted, the 20% cuts were not to reduce expenses but were strictly because of its use of AI.

“Today’s actions are not a cost-cutting exercise or an assessment of individuals’ performance; they are about Cloudflare defining how a world-class, high-growth company operates and creates value in the agentic AI era,” Prince and Cloudflare co-founder and COO, Michelle Zatlyn, wrote in a related blog post about the layoffs.

Prince acknowledged on the call that even though Cloudflare has been selling AI-powered products, it was at first cautious about adopting AI itself.

“Internally, the tipping point was last November. At that point, across our teams, we began to see massive productivity gains, team members that were two, 10, even 100 times more productive than they had been before. It was like going from a manual to an electric screwdriver,” he described.

“Cloudflare’s usage of AI has increased by more than 600% in the last three months alone,” he added.

Prince highlighted the internal use of AI coding, saying that virtually the entire R&D team is now using the company’s own Workers platform — a tool that lets developers build and run software directly on Cloudflare’s global network — including its vibe coding feature. He also noted that 100% of the code produced this way and deployed for use in Cloudflare’s products is “now reviewed by autonomous AI agents.”

But it’s not just developers who are using AI internally, he said. “Employees across the company from engineering to HR to finance to marketing run thousands of AI agent sessions each day to get their work done.”

As a result, these highly productive, AI-powered employees require fewer support staff, he argued.

“A lot of the support people that provide support behind them, those roles aren’t going to be the roles that, you know, drive companies going forward,” Prince said.

Interestingly, Prince says that Cloudflare “will continue to hire people, and we’ll continue to invest in them because the people that are embracing these tools are just so much more productive than we’d ever seen before. I would guess that in 2027 we’ll have more employees than we did at any point in 2026.”

Cloudflare said it ended its first quarter before layoffs with a headcount of about 5,500.

The pattern Prince described — deploying AI gains as justification for workforce reductions even during a period of strong revenue growth — is fast becoming a familiar script across the tech industry. Whether it reflects true structural transformation or acts as convenient cover for cost discipline is a question that investors and employees will be wrestling with for some time to come.

When asked by an analyst on the call why the company needed to cut so deeply after such a good quarter, Prince said, “Just because you’re fit doesn’t mean you can’t get fitter.”

Nothing has expanded the Nothing Ear (open) lineup with a blue colourway, set to go on sale on 11 May, nearly a year after the earbuds launched exclusively in white.

The addition marks the first time the Ear (open) has received an alternative finish, a gap that stood out against the broader Nothing earbud range, which launched with black and yellow options across other models in 2024, giving the open-ear variant a noticeably more limited visual identity from the start.

That single-colour restriction was an unusual choice for Nothing, a brand that has leaned heavily into distinctive industrial aesthetics and bold colour pairings as a core part of its market positioning across both phones and audio hardware since launching in 2021.

The new blue sits on the more restrained end of the spectrum for Nothing, described as a subdued shade rather than the vivid tone seen on the recently released Nothing Phone (4a), which adopted a brighter, more saturated blue finish that drew considerable attention at launch earlier this year.

Nothing teased the colourway earlier this week through its community forum under the codename “Flaaffy,” with the formal announcement confirming the 11 May release date following subsequent posts on the brand’s X account, where a short promotional caption referenced the ocean, the sky, and Yves Klein among its blue-themed references.

The Ear (open) itself sits in a still-emerging product category, with open-ear earbuds occupying a distinct space from in-ear and over-ear designs, prioritising ambient awareness over isolation and finding a growing audience among commuters and outdoor users who prefer to keep some connection to their surrounding environment.

Nothing has not announced any changes to the hardware, driver configuration, or software features alongside the new finish, meaning the blue Ear (open) carries the same specifications as the original white model released in 2024.

The blue Nothing Ear (open) goes on sale on 11 May, with pricing expected to match the existing model’s retail rate.

Problems in space can be complex and dangerous. But NASA’s Curiosity Mars rover spent the end of April embroiled in a much simpler problem: It got stuck in a rock.

Curiosity’s woes began on April 25 when it drilled into a 28-pound rock NASA nicknamed Atacama. In a moment that could’ve come straight out of a Flintstones episode, Curiosity became stuck, and when it tried to pull its drill out, it yanked the whole rock with it. 

“Drilling has fractured or separated the upper layers of rock in the past, but a rock has never remained attached to the drill sleeve,” NASA said in a blog post.  

Such problems are comical here on Earth, where we can just shake the tool and the rock around until it’s free. Not so on Mars. Radio signals can take nearly half an hour to travel between Earth and Mars. Curiosity’s controllers had to send instructions and then wait upward of 30 to 45 minutes to see if the rover did anything. 

It took five days of troubleshooting, but NASA’s Jet Propulsion Laboratory crew finally freed Curiosity from its overly attached new friend on May 1. 

Watch Curiosity free itself from Mars’ clingiest rock

NASA’s Curiosity is known for sending panoramas of the Martian surface. Still, this time, the cameras caught Curiosity doing something many construction workers have to deal with every day. NASA posted two GIFs of the event. The first is a head-on shot, and the other is from a higher angle.

In the GIFs, you can see Curiosity drilling into the rock, a task it’s done many times before. Except when the rover lifts its arm, the rock comes along with it. The rover pauses right at the start before giving in to its fate and lifting the rock off the ground. 

Since these are stitched images, you don’t see the drill arm’s finer movements, but NASA says the rock was tilted, and the drill was rotated and vibrated multiple times over the course of the events. The rock finally falls free at the end. 

A representative for NASA told CNET that the rover was not harmed in the incident.