Two app-platform breaches in 48 hours.
Vercel: internal DB, employee accounts, GitHub and npm tokens reportedly for sale on BreachForums. Vercel owns Next.js, which gets 6M weekly downloads. One compromised package ships to every app that updates.
Lovable: any free account can read other users’ source code, database credentials, and AI chat histories. Nvidia, Microsoft, Uber, Spotify employees all have accounts on it.
Different breaches, same shape.
Vibe coding works because the platform does everything you used to do yourself. You don’t set up infra, you ship to Vercel. You don’t write the app, you generate it on Lovable. A few platforms now do the work that used to be spread across thousands of teams.
That’s the feature. It’s also the attack surface.
When every team ran their own infra, a breach hit one company. When every app runs on the same handful of platforms, a breach hits every app on them.
The surface got smaller. The blast radius got bigger.