Everyone's Selling AI Shovels. Nobody's Checking If Their Own Barn Is Locked.
Indie hackers ship fast, sell AI tools, and ignore basic security. 380,000 vibe-coded apps are exposed. Here is the reality check nobody asked for.
Kemal Esensoy·Modified on June 1, 2026
Open your Twitter right now. Count the posts about AI wrappers, SaaS boilerplates, and "I built this in a weekend" launches. I'll wait.
Now ask yourself: how many of those people ran a single security scan before shipping?
I wrote about how everyone's building an app now a few months back. What I didn't cover: almost none of them are checking if the doors lock. And the data coming out in 2026 is making me lose sleep.
The Gold Rush That Forgot to Lock the Door
Here's what I keep seeing in my timeline. Someone ships an AI tool. Gets 500 upvotes on Product Hunt. Screenshots the Stripe dashboard. Posts "ramen profitable" with a rocket emoji. Meanwhile, their Supabase anonymous JWT token is sitting in the JavaScript bundle, their admin panel has no auth, and their .env file is accessible via a direct URL.
The gold rush metaphor writes itself. Everyone's selling shovels. Nobody's checking if their own barn is locked. And the people buying those shovels? They're building with the same AI startup security neglect that created the problem in the first place.
This is not an enterprise security lecture. I don't care about your SOC 2 compliance or your CISO's quarterly report. This is about the indie hacker shipping from a coffee shop on a VPS they set up in 20 minutes because the AI told them how.
380,000 Apps. Zero Authentication. Welcome to the Open Internet.
In May 2026, a security firm called RedAccess published what they called the "Shadow Builders" report. They found 380,000 publicly accessible vibe-coded apps across Lovable, Base44, Replit, and Netlify. Over 5,000 of those apps had zero authentication. None. Not even a login page. Just... open.
Around 2,000 of those apps were exposing genuinely private data. Not test data. Not dummy entries. Real data from real users and real businesses.
Let me give you some of the specific findings, because abstract numbers don't hit the same way:
- A shipping company had its vessel arrival schedules visible to anyone
- A UK health company was exposing active clinical trial data
- A Brazilian bank had internal financial information accessible
- A long-term care facility was leaking conversations with patients. Children.
Separately, Escape.tech scanned 5,600 vibe-coded apps and found 2,000+ high-impact vulnerabilities, 400+ exposed secrets, and 175 PII instances including medical records and bank account numbers. Every single vulnerability was in a live production system.
Not staging. Not development. Production.
"I Still Don't Blame Claude Code. I Trusted It Too Much."
That's a direct quote from Anton Karbanovich, a Cyprus-based founder who built a paid web app using Claude Code. His app worked beautifully. Users loved it. Payments flowed smoothly.
One problem. His Stripe secret API key (sk_live_...) was exposed in the frontend JavaScript. Not the publishable key, which is designed to be client-facing. The secret key. The one that lets you charge any customer any amount.
Attackers found it. They charged 175 of his customers $500 each. That's $87,500 in fraudulent charges. He reversed them all, but Stripe's processing fees on those reversals weren't refundable. He ate $2,500 out of pocket.
I wrote about the schadenfreude problem in vibe coding before. But this isn't schadenfreude. This is a warning. And the stats back it up: according to GitGuardian's 2026 report, commits co-authored with Claude Code leak secrets at 3.2% per 1,000 commits compared to 1.5% for human-only commits. That's roughly double.
The tool isn't the problem. The trust is.
The Numbers That Should Keep You Up at Night
I'm not going to bury you in stats. But some of these are so stark that I need you to sit with them for a second.
28.65 million new hardcoded secrets were exposed in public GitHub commits during 2025. That's a 34% increase year over year, according to GitGuardian. AI service secrets specifically? Up 81% year over year. There were 113,000 leaked DeepSeek API keys alone.
Here's the one that gets me though: 64% of credentials identified as valid in 2022 remained exploitable as of January 2026. Four years later. Nobody rotated them. Nobody revoked them. They're just sitting there, working.
The code itself isn't doing great either. AI-generated code has 2.74x more vulnerabilities than human-written code. Georgia Tech's Vibe Security Radar tracked AI-generated code CVEs: 18 cases in late 2025, then 56 in the first three months of 2026. March 2026 alone had 35 cases, exceeding all of 2025 combined. The Cloud Security Alliance found that 62% of AI-generated code contains design flaws or known vulnerabilities.
And here's the kicker from a Fortune 50 company's internal data: AI-assisted developers ship code 3-4x faster but introduce security findings at 10x the rate. That's not a typo. Ten times.
The speed is real. So is the damage. As I wrote in pip install Trust-Me-Bro, AI coding assistants don't verify what they install. Turns out they don't verify what they expose, either.
Attackers Are Using AI Too. And They're Better at It.
In May 2026, Google's Threat Intelligence Group confirmed the first known AI-generated zero-day exploit. A Python script that bypassed two-factor authentication in a popular open-source admin tool. The flaw it exploited? A hard-coded trust assumption: "if this object is present, trust it." Classic logic bug. The kind AI is very good at finding.
How did Google know it was AI-generated? The fingerprints. Over-documented docstrings. A hallucinated CVSS score that didn't match any real database entry. Textbook Pythonic formatting that no human would produce under time pressure. Google called it a planned "mass vulnerability exploitation operation."
Meanwhile, on Hacker News, a curated "Vibe Coding Wall of Shame" went viral. Nineteen documented incidents. 6.3 million records affected across thousands of scanned apps. URL-bar account takeovers. Passwords stored in plain text. Admin panels accessible by changing a number in the URL.
The asymmetry is brutal. While indie hackers are using AI to build, attackers are using AI to break. And the attackers are faster, because breaking things is always easier than building them.
The Five-Minute Security Audit You Have No Excuse to Skip
I'm not asking you to become a penetration tester. I'm asking you to spend five minutes before you post that launch tweet. Here's the 80/20 that catches most of the problems:
1. Search your codebase for secrets. Open a terminal and run:
grep -rn "sk_live\|sk_test\|AKIA\|password\|secret" --include="*.js" --include="*.ts" --include="*.env" --include=".env*" --exclude-dir=node_modules .
If anything comes back that isn't inside .env.local or .env (which should be in .gitignore), you have a problem. Fix it before anything else.
2. Check your security headers. Go to SecurityHeaders.com, paste your URL. It takes 30 seconds. If you get a D or F, you're telling browsers "I don't care about security, do whatever you want." Mozilla Observatory gives you a more detailed breakdown.
3. Test unauthenticated access. Open an incognito window. Try to access every page and every API endpoint without logging in. Hit your /api/users, your /admin, your /dashboard. If you can see anything that should require auth, your auth doesn't work.
4. Drop a single quote into every input field. Type ' into your search bars, forms, and URL parameters. If you see a database error message, you have a SQL injection vulnerability. In 2026. With AI writing the code.
5. Check your browser dev tools on the live site. Open the Network tab. Search the JavaScript bundles for any string starting with sk_, AKIA, or containing password or secret. This is how Anton's Stripe key was found. It takes two minutes.
For deeper scanning, you don't need to pay anyone. OWASP ZAP is free. npm audit is built into npm. Semgrep has a free tier. Your dependencies are a security surface too, so don't skip the supply chain check.
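Steps 1 and 5 of the audit above can be scripted. The following is an added example (not the article's own tooling): it scans a built JavaScript bundle for the credential shapes the article names and tells Stripe's client-safe publishable key apart from the secret key that was leaked in Anton's case. The sample bundle text is constructed, and the AWS key in it is AWS's documentation example value.

```python
"""Scan a built JS bundle (or any text) for credential-shaped strings.

Added example, not code from the article. Patterns cover the audit's
sk_live/sk_test, AKIA and password/secret checks; the pk_ pattern exists
only to classify client-safe keys as 'info' instead of 'high'.
"""
import re
import sys
from typing import List, Tuple

# (label, regex, severity): "high" must never ship in a client bundle,
# "info" is designed to be public and is reported for completeness only.
PATTERNS: List[Tuple[str, re.Pattern, str]] = [
    ("stripe_secret_key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}"), "high"),
    ("stripe_publishable_key", re.compile(r"\bpk_(?:live|test)_[0-9A-Za-z]{16,}"), "info"),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("hardcoded_password_or_secret",
     re.compile(r"""\b(?:password|secret)\s*[:=]\s*["'][^"']{4,}["']""", re.I), "high"),
]


def scan_text(text: str) -> List[dict]:
    """One finding per match: line number, label, severity, redacted sample."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, regex, severity in PATTERNS:
            for m in regex.finditer(line):
                token = m.group(0)
                findings.append({
                    "line": lineno, "label": label, "severity": severity,
                    # never echo the whole credential; keep enough to locate it
                    "sample": token[:12] + "..." if len(token) > 12 else token,
                })
    return findings


def high_severity(findings: List[dict]) -> List[dict]:
    """Findings that must be fixed before shipping."""
    return [f for f in findings if f["severity"] == "high"]


# Constructed sample: a legitimate publishable key next to the mistakes
# the article describes (secret key, AWS key and a password in the frontend).
SAMPLE_BUNDLE = """\
const stripe = Stripe("pk_live_CONSTRUCTEDEXAMPLE0001");
fetch("/api/charge", {headers: {Authorization: "Bearer sk_live_CONSTRUCTEDEXAMPLE0002"}});
const s3 = new S3({accessKeyId: "AKIAIOSFODNN7EXAMPLE"});
const cfg = { password: "hunter2", region: "eu-west-1" };
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    results = scan_text(data)
    for f in results:
        print(f"line {f['line']}: [{f['severity']}] {f['label']} {f['sample']}")
    sys.exit(1 if high_severity(results) else 0)
```

Run it against the real bundle with `python scan.py dist/main.js`; a non-zero exit means a high-severity hit, which makes it easy to drop into a pre-deploy step.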
Ship Fast, But Lock the Door on Your Way Out
Look. I get it. The whole point of vibe coding is speed. You prompt, you ship, you iterate. Spending an afternoon on security feels like the opposite of momentum.
But losing $2,500 in non-recoverable Stripe fees is worse than spending 30 minutes on a security check. Having children's medical records on the open internet because you skipped auth is worse than a delayed launch. Getting your users' data plastered on a Hacker News "Wall of Shame" is worse than one extra step in your deploy process.
A Georgia Tech researcher put it simply: treat AI-generated code like a junior developer's pull request. You wouldn't merge a junior's code without checking the auth flow, the input validation, and what's publicly exposed. Don't do it just because the code came from Claude instead of a person.
You don't have to become a security expert. You just have to stop assuming the AI handled it.
I can't promise that a five-minute audit catches everything. What I can tell you: it catches the stuff that makes the news. Let's talk if you want a second pair of eyes on what you're shipping.
About the Author
Kemal Esensoy
Kemal Esensoy, founder of Wunderlandmedia, started his journey as a freelance web developer and designer. He conducted web design courses with over 3,000 students. Today, he leads an award-winning full-stack agency specializing in web development, SEO, and digital marketing.