A living index of supply-chain attacks, malicious MCP servers, prompt-injection campaigns, and credential-theft incidents that target people who build with AI coding tools.

(The GitHub repo and short URL slug remain vibe-coding-security; "Vibe Coding · Security Issue Tracking" is the human-readable site title.)

Audience. Anyone shipping with Cursor, Claude Code, Lovable, v0, Bolt, Replit, Windsurf, Codex, or any agent that runs npm install / pip install on its own. If an LLM has ever suggested a package and you installed it without reading the source, this repo is for you.

Last full sweep: 2026-06-12 · Website: pranava0x0.github.io/vibe-coding-security


How to use this repo

  1. Hit by something right now? → start at ALERTS.md. It's a single scannable feed, latest on top.
  2. Wondering if a specific incident matters to you? → advisories/ — one file per incident, with concrete "am I affected?" checks.
  3. Already compromised and need to recover? → playbooks/ — credential rotation, package removal, blast-radius assessment.
  4. Trying not to get hit in the first place? → prevention/ — start with the attack-surface map, then npm hardening, CI/CD (GitHub Actions) hardening, MCP hygiene, credential storage, sandboxing.
  5. Want to monitor this stuff yourself? → sources/ — who to follow on X, which blogs, which feeds.

Why this exists

Vibe coding broke the old contract. The old contract was: a human reads the README, a human picks the dependency, a human runs npm install. The new contract is: an agent picks a dependency it half-remembers, runs npm install inside --dangerously-skip-permissions, and your shell history, ~/.npmrc, ~/.aws/credentials, and SSH keys leave the building before you finish your coffee.

In the last 12 months alone:

  • Shai-Hulud (Sep 2025) — first self-replicating npm worm. Stole npm/GitHub/AWS/GCP creds, made private repos public, then re-published itself into every package the compromised maintainer owned.
  • Shai-Hulud "Second Coming" (Nov 2025) — 492 packages, 132M downloads/month, hit Zapier / ENS / PostHog / Postman. 25,000+ malicious GitHub repos in days.
  • Nx s1ngularity (Aug 2025) — first malware to use Claude Code and Gemini CLI as recon tools to find your credentials. 2,349 secrets leaked in hours.
  • qix compromise (Sep 2025) — chalk, debug, ansi-styles. 2 billion downloads per week, single phishing email.
  • Postmark MCP (Sep 2025) — first malicious MCP server. Built trust over 15 versions, then silently BCC'd every email to the attacker.
  • Mini Shai-Hulud (April–May 2026, ongoing) — SAP packages, TanStack (@tanstack/react-router, 12.7M weekly), node-ipc (~822K weekly, May 14).
  • Axios (Mar 2026) — 70M+ weekly downloads, auto-updated into thousands of projects before takedown.

Most defenders have hours to react. Most vibe coders find out weeks later, when their AWS bill arrives.


What this repo is not

  • Not a vulnerability scanner. Use Socket, Snyk, StepSecurity, or npm audit. We point at them; we don't replace them.
  • Not a feed for every CVE. Only incidents that meaningfully affect people building with AI coding tools (npm/PyPI compromise, malicious MCPs, IDE/agent vulnerabilities, prompt-injection campaigns).
  • Not infallible. Every entry is dated and sourced. Verify before you act on it.

Keeping it fresh

The repo ships with a Claude Code skill at .claude/skills/vibe-security-update/. Running /vibe-security-update (or asking Claude to "refresh the sweep") performs a tiered web sweep — deep over the last 24h, medium over 3d, light over 7d — and updates ALERTS.md + advisories. The skill maintains a source-priorities.json that learns over time: sources that consistently produce hits gain weight and get queried first on future runs.

The website (built from the markdown sources) auto-deploys on every push to main via GitHub Actions (.github/workflows/deploy-site.yml). The pipeline is:

  1. python site/build.py — render markdown → HTML + emit all LLM-friendly artifacts.
  2. python site/validate.py — quick sanity checks (required outputs, link integrity, etc.).
  3. pytest tests/ — 86 checks (frontmatter schema, JSON-LD, semantic HTML, heading hierarchy, llms.txt format, no committed secrets, build determinism, atom feed validity, etc.).

Any failure fails the deploy. Build locally with:

pip install -r site/requirements.txt
python site/build.py        # writes dist/
python site/validate.py     # quick sanity check
pytest tests/               # full suite — 86 checks
open dist/index.html
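The test suite's "no committed secrets" check is only named above, not shown. The following is an added example (not the repo's own tests) of how such a scan over the markdown sources and dist/ can be written: the token prefixes are the publicly documented AWS, GitHub and npm formats, while the `secret-scan: allow` line marker and the sample advisory text are constructed assumptions.

```python
import re
from pathlib import Path

# Credential shapes with fixed, vendor-documented prefixes.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Advisories legitimately quote redacted indicators. An explicit per-line marker
# (assumed convention, not from the repo) lets one line through without
# disabling the check for the whole file.
ALLOW_MARKER = "secret-scan: allow"


def scan_text(text: str, name: str = "<text>") -> list[tuple[str, int, str]]:
    """Return (source, line_no, pattern_name) for every suspected secret."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for pattern_name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, line_no, pattern_name))
    return hits


def scan_tree(root: Path, suffixes=(".md", ".json", ".txt", ".yml", ".yaml")) -> list:
    """Scan every text-like file under root (e.g. advisories/ or dist/)."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return hits


# Constructed sample advisory: one redacted key that is allowed through,
# one planted npm-token-shaped string that the scan must flag (line 7).
SAMPLE_ADVISORY = """---
severity: high
status: active
---
The malware exfiltrated ~/.npmrc and ~/.aws/credentials.
Redacted example (secret-scan: allow): AKIAXXXXXXXXXXXXXXXX
Leaked token: npm_abcdefghijklmnopqrstuvwxyz0123456789
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_ADVISORY, "sample.md") + scan_tree(Path("dist")):
        print("possible secret: %s:%d (%s)" % hit)
```

Wrapped in a pytest test, `assert not scan_tree(Path("dist"))` fails the deploy on any hit, which is the behaviour the pipeline above describes.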

LLM-friendly outputs

Every build emits machine-readable artifacts under dist/. Pattern adapted from Anthropic docs via Mintlify (llms.txt + llms-full.txt + per-page .md mirrors), then extended:

For LLMs

  • llms.txt — llmstxt.org index with one-line descriptions of every page.
  • llms-full.txt — every advisory + playbook + prevention doc concatenated as raw markdown (~500KB / ~125K tokens, fits a 200K-token context window). Drop it into Claude / GPT / Gemini for full coverage in one paste.
  • llms-ctx.txt — compact variant: alerts + per-advisory TL;DR + "am I affected?" only (~70KB).
  • advisories/llms.txt + per-section variants — narrow indexes scoped to one section.
  • Per-page .md mirror — replace .html with .md in any URL to get the raw markdown source. Also discoverable via <link rel="alternate" type="text/markdown"> on every page.

Structured data

  • advisories.json — full frontmatter dump (severity, status, ecosystems, dates, IDs, URLs, markdown_url).
  • advisory-schema.json — JSON Schema (draft 2020-12) for advisory frontmatter, so authoring tools can validate.
  • api/v1/advisories.json + api/v1/index.json — same data behind a stable versioned URL.

Feeds & crawlers

  • feed.xml — Atom feed of new advisories (latest 25).
  • sitemap.xml — with changefreq + priority.
  • robots.txt — AI/LLM training explicitly allowed.
  • .well-known/security.txt — securitytxt.org standard for vuln reporters.

Each rendered HTML page also includes JSON-LD (TechArticle for advisories, Article elsewhere, ItemList on index pages) with datePublished / dateModified, Open Graph + Twitter card meta tags, and a per-page TOC at ≥1200px viewports.

Contributing

See CONTRIBUTING.md. New advisory? Open an issue with the new-advisory template, or submit a PR using the format in advisories/README.md.

If you spotted something live and need it logged in the next hour, just open an issue with a link and we'll flesh it out.


License

CC0 / public domain. Copy, fork, mirror, paste into your own runbooks. Attribution appreciated but not required.