Lictor AI shield

In the wild.

What we've found. What's shipping next.

Every disclosure Lictor has sent to a maintainer, every scanner we've built, and the honest roadmap of what's coming, including the surfaces we haven't covered yet.

What's shipped

Live scanners running today, finding bugs in real AI-generated code.

🌐 Web app scanner

URL-based audit for any deployed site. Catches leaked secrets, exposed DBs, painted-lock admin routes, open CORS, unsigned webhooks, prompt-injection surfaces.

Run a scan →

🛠 Claude Code skill suite

/lictor-security-check + /lictor-fix-it + /lictor-explain + /lictor-rotate. Runs locally inside any project.

Install →

🔍 Patrol auto-scanner

Continuous discovery of vibe-coded repos with hardcoded secrets: Supabase service-role JWTs, Firebase service-account JSONs, DB creds, bot tokens, GitHub Actions RCE patterns. 8 confirmed vulnerabilities (with working PoCs) in named open-source AI projects like HuggingFace transformers and cognita, plus ~80 suspected findings under verification. One has a confirmed maintainer fix in 24 hours.

Runs as hosted monitoring →

Coming next, in development

The honest roadmap. No "shipping Q4 2027" theatre. These are the surfaces we're actively building scanners for.

📱 Mobile (iOS + Android) · soon

Static analysis on .ipa / .apk bundles + AI-generated Swift/Kotlin source. Catches API keys shipped in the bundle, insecure local storage, WebView ↔ JS bridge holes, missing cert pinning, excessive manifest permissions.

Pattern catalog written. Scanner skeleton drafted. Pipeline integration in progress.

🧩 Browser-extension scanner

Manifest v3 audit for AI-generated Chrome / Firefox extensions. Catches over-permissive host-permissions, content-script injection holes, message-passing without origin checks.

Manifest parser ready; check-rules drafted; bundling pending.

⚙️ CI/CD pipeline audit

GitHub Actions + GitLab CI workflow scanning. Catches the classic pull_request_target + checkout-PR-head RCE pattern, secrets in workflow logs, branch-protection bypass via unprotected paths.

Patrol-PRtarget scanner is live and finding live exposures; CLI version coming.

🖥 Desktop apps (Tauri / Electron)

For AI-built native shells. Audits IPC bridge exposure, nodeIntegration leaks, file-system access scopes, auto-updater signing.

Pattern catalog drafted; scanner not yet shipping.

🛰 MCP server audit

For the Model Context Protocol ecosystem. Catches tool-description prompt injection, unauthenticated tool exposure, schema-validation bypass.

Lictor-multi already scans local MCP code; remote-MCP audit on the way.

What we’re actually finding

Real examples from what we’ve found, anonymised where the maintainer hasn’t publicly responded. The patterns repeat across every vibe-coding tool.

🔴 87 FOUND

Firebase service-account JSONs

The single most common vibe-coded mistake. The full private_key + private_key_id for a real Google Cloud service account, committed to a public repo. Grants full project access until manually rotated.

Real targets contacted: a hospital admin panel · an internet banking backend · an eldercare assistant app · 84 more.

🟠 14 FOUND

GitHub Actions pull_request_target RCE

Workflow checks out the PR's head SHA (attacker-controlled code) with access to repo secrets. Classic supply-chain attack vector. Found in Microsoft .NET MAUI bindings (2.8k★), prusa3d/Prusa-Firmware (2.1k★), liquibase (5.5k★), langwatch (3.3k★), and 10 more.

Two maintainers already responded acknowledging the mitigation. One opened Private Vulnerability Reporting for future reports.

🟠 8 FOUND

DB connection strings with passwords

Live postgres://user:password@host/db or mongodb+srv://... connection strings in .env.production files committed to public source. Filtered out localhost / private IPs / placeholder passwords. Only real-host real-credential cases get contacted.

🟡 4 FOUND

SaaS API keys (Mailchimp · Twilio · etc)

Hardcoded Mailchimp keys (list-takeover risk), Twilio Account SID + Auth Token pairs (SMS spend takeover, since bots scrape GitHub for exactly this combo). One Twilio finding in an active multi-user whiteboard app.

🟡 5 FOUND

LLM keys in HuggingFace Spaces

Hardcoded Google Gemini / Groq API keys in the public app.py of HF Spaces, including an active immigration-assistance chatbot. HF Spaces are public source by design; anyone with the URL can read the key out.

🟡 5 FOUND

API keys in published PyPI packages

One Python AI-wrapper package (zohencel-ai) ships with two hardcoded Groq keys across multiple files. pip install the package and the keys are right there. Bots scrape PyPI tarballs for exactly this.

External attack-surface scanning, May 2026

We've audited AI apps and the open-source tools they're built on. Every finding was disclosed privately by email to the affected organisation or cloud provider under the 60-day Coordinated Vulnerability Disclosure norm. Zero victim names published. Only finding categories and counts.

8
confirmed vulnerabilities (with working PoCs) in named open-source AI projects · plus ~80 suspected findings under verification
11
provider security teams contacted under the 60-day CVD window
~9
fast passive checks in the free automated scan (security headers, redirects, cookie flags, exposed files)
0
victim names published anywhere on this site

Week 1 (May 19-22): Attack-surface scanner battery

A scan across hosts in DeFi, Fortune 500, healthcare, fintech, government, and major SaaS platforms. Routed via Immunefi, HackerOne, CERT-IL, CERT-MX, JPCERT, BSI, and direct security@ contacts.

🔴 44 HIGH · 81 MEDIUM · 116 LOW

Frontend source code leaks

Initial scan surfaced 292 hosts serving .js.map sourcemap files. After content-quality validation (does the bundle actually reveal customer code, or is it just vendor library boilerplate?), the honest breakdown:

  • 44 HIGH: significant custom code + internal API endpoints revealed
  • 81 MEDIUM: custom code revealed but no clear endpoints
  • 116 LOW: mostly Stencil / React / framework boilerplate (no real impact)
  • 45 EMPTY: stub files or framework-only content, reclassified as non-findings

Industries observed in HIGH tier: DeFi protocols, cross-chain bridges, sportsbook, major Fortune 500 enterprises.

🟠 33 FOUND

Spoofable enterprise email domains

Missing or weak SPF, DMARC, or DKIM at Fortune 500 enterprises, meaning attackers can send mail that appears to come from these domains. The lowest-effort phishing-enablement vector in the report.

Includes banks, retail brands, news media, and a major airline.

🔴 11 FOUND

Publicly listable cloud buckets

S3 / GCS / DigitalOcean Spaces / Wasabi buckets returning a full directory listing without authentication. Contents observed (counted only, never downloaded): regulated health records, financial records, government records, and one 280MB SQL database dump.

All disclosures routed to bucket owner + cloud-provider abuse@ desk where applicable.

🟠 14 FOUND

End-of-life software stacks (HIGH)

Production-facing services running components that no longer receive security patches from upstream. That's permanent HIGH-severity exposure until upgraded. Includes Apache 2.2.x, PHP 5.x, OpenSSL 1.0.x, and several end-of-life CMS versions.

🔴 4 FOUND

RDP / FTP / SMB exposed to internet

Protocol-handshake confirmed (not just port-open, to defeat WAF anti-recon false positives): four hosts with remote-desktop, file-transfer, or SMB services reachable directly from the public internet. Pre-ransomware indicators.

Includes one municipal government FTP server and one corporate-network golf-course system.

🟡 26 FOUND

New subdomain exposures

Subdomain enumeration surfaced web assets the org didn't realise it was hosting: deprecated apps, forgotten staging environments, unmonitored marketing landing pages. Each one is a potential attacker entry point that nobody is patching.

Anti-FP rigor: every probe in this scan used protocol-handshake confirmation (RDP nego, SMB negotiate, FTP banner, SSL handshake), vendor-fingerprint detection (WAF, Shopify GraphQL, CDN edge), and post-hoc cluster dedup. The evidence rules are documented →

Week 2 (May 23-24): AI provider + cloud credential leak hunting

Six new high-fidelity scanner modules went live: patrol-aws-keys, patrol-ai-saas-keys (32 vendor patterns), patrol-firebase, patrol-bot-tokens, patrol-gitlab, scan-buckets-massive. Each verified credential is fetched and regex-confirmed in the original source file before disclosure. All routed in bulk to provider security teams that have the customer mapping we don't. They auto-revoke and notify affected accounts.

🔴 47 LEAKED · 39 WITH PAIRED SECRET

AWS access keys in public source

Live AWS access key IDs (AKIA*) discovered in committed code on GitHub. 39 of 47 had a matching AKIASecretAccessKey in the same file, which is full-account-takeover material. Disclosed in one batch to AWS Security for auto-revoke.

Predominantly found in .tf terraform files, .travis.yml, .env files committed by students and bootcamp learners.

🔴 31 LEAKED

OpenAI API keys

Live sk-proj-* project-scoped API keys committed to public repos, mostly in Python/Node tutorial code (RAG examples, ChatGPT wrappers, study projects). Batch-disclosed to OpenAI Security. Within hours, the report was assigned to a named OpenAI engineer for triage.

🔴 21 LEAKED

HuggingFace tokens

Live hf_* user-access tokens in public repos. Often co-located with other credentials (AWS, OpenAI) in the same .env file, which suggests the same user/team has multiple credentials at risk. Batch-disclosed to HuggingFace Security.

🔴 6 LEAKED

Anthropic API keys

Live sk-ant-api03-* keys committed to public repos. Disclosed to Anthropic Security (acknowledged within seconds via auto-reply, pointing to HackerOne for any platform vulns).

🔴 105 LEAKED

Google Cloud / Firebase credentials

81 Firebase admin-SDK JSON files (full RSA private_key + client_email) on GitHub + 24 Google AI / Firebase configs on GitLab. Combined batch to Google Security, auto-acknowledged via their security-noreply system.

Predominantly student / bootcamp / hobbyist repos. Several repeat-offender accounts identified for coordinated rotation.

🟡 15 LEAKED (12 Discord + 3 Slack)

Discord + Slack webhook URLs

Live webhooks for posting arbitrary messages to chat channels without authentication. Disclosed to Discord T&S and Slack Security for owner notification + abuse-detection feedback.

🔴 46 LISTABLE BUCKETS

Anonymous-listable cloud storage

Buckets responding to anonymous GET / with a full <ListBucketResult>. Bucket names alone strongly suggest sensitive content: KYC documents, mortgages, prescriptions, loan portfolios, vault staging, WhatsApp backups, credentials-production.

  • 26 GCS → Google Cloud Trust & Safety
  • 13 DigitalOcean Spaces → DigitalOcean abuse (auto-acked)
  • 7 Wasabi → Wasabi security

Bucket contents were never listed. We only verified the listing permission exists. Providers identify the owner from internal records.

🔴 19 VERIFIED TAKEOVERS

Subdomain takeover candidates

Subdomains of bug-bounty-eligible programs with dangling DNS records pointing to unclaimed Vercel / Fastly / Heroku / Unbounce / CloudFront resources. Anyone could register the dangling resource and serve attacker content at a high-trust subdomain.

Disclosed individually to each affected program's security team (10+ Fortune 500 / unicorn / major-SaaS bug-bounty programs across crypto, fintech, retail, payments, AI-tooling, hosting, and travel). One human-engineer reply received within hours; multiple auto-acks from established programs. We never registered any dangling resource. Fingerprint match only, per industry standard (subjack / can-i-take-over-xyz / nuclei takeover templates).

🟠 2 EXPOSED

phpinfo.php exposures

Public phpinfo.php pages on production sites leaking full PHP server configuration, file paths, loaded modules, and environment variables. Both running end-of-life PHP versions (7.3.x and 7.4.x). Disclosed to site owners directly.

The anti-FP rigor that's actually the product

Scanners are easy to write. Scanners that don't burn researcher credibility on false positives are hard. Every false-positive class we encounter becomes a permanent filter rule in the codebase. The catalogue grew from 13 to 16 classes this week.

FP CLASS #14

HEAD response Content-Type trust bypass

Some servers (Cloudflare, SPA shells) return CT=text/plain on HEAD but text/html body on GET. Filters gated on HEAD's CT never engaged, so phantom "exposed debug endpoint" findings shipped. Fix: always fetch the body, never trust HEAD's CT.

FP CLASS #15

Intentional public infrastructure endpoints

Endpoints like /health, /api/health, /ready, /ping are public by design (Spring Actuator, k8s probes, ALB checks). Scanner now allow-lists these instead of flagging them. The deeper endpoints like /actuator/env still get caught.

FP CLASS #16

WAF block-pages that return HTTP 200

F5 BIG-IP / Imperva / Cloudflare / Akamai sometimes return 200 with a "Request Rejected" body instead of 403. Scanner saw the 200 and flagged "admin panel exposed." Fix: regex on known WAF block-page signatures, classify as WAF-BLOCKED-FP.

Real example of the impact: the admin-panels scanner pre-fix returned 818 findings on a 507-host corpus, near 100% false positives from SPA fallbacks, catchall APIs, and WAF blocks. Post-fix, the same FP-fixed scanner returns 0 findings on the same 6-host test corpus, which is correct, since none of those hosts genuinely had exposed admin panels. The work that didn't go into a disclosure email is the most valuable work we did this week.

The first confirmed fix

May 18, 2026 · a disclosed GitHub project (identity redacted) · 22 hours after disclosure

“Thanks. Now it is fixed.”

the maintainer of a disclosed open-source project

Our scanner flagged a pull_request_target workflow that checked out the PR’s head SHA, the classic GitHub Actions RCE pattern. We sent a private contact-request with no public details. The maintainer replied 22 hours later with the fix already merged. Zero back-and-forth. This is exactly the loop Lictor was built for.

When we were wrong

Because being honest about our mistakes is the only way to keep the trust we built.

On May 17, our scanner flagged 8 Israeli sites as having a painted-lock /admin page (page returns content before redirecting to login). We sent contact-requests to all 8.

Then we ran a stricter verifier. All 8 were false positives. The sites were behind WAFs (Radware, Cloudflare) or were Next.js SPAs returning the same HTML shell for any path. Both look like "admin loads without login" to a naive scanner.

We retracted all 8 issues publicly within 30 minutes (apology comment plus closed as “not planned”) and shipped a verifier upgrade (WAF detection + content-type check + non-redirect-follow) the same hour. The full retraction template:

“On re-verification with stricter heuristics, this report appears to be a false positive from our scanner… This is a bug in our scanner. We’re closing this issue and fixing the detection logic so it doesn’t happen again. Sorry for the noise. I appreciate you being patient with an automated outreach tool that’s clearly still learning its job. Voice + accuracy are the product; today this report failed on accuracy.”

Net result: 8 maintainers spent <5 minutes each, none were embarrassed, our voice promise held. We’d rather eat the apology than ship the lie.

Disclosures sent (so far)

Verified, manually triaged, and contacted via responsible disclosure. Full details kept private until the maintainer rotates or 30 days pass.

8
confirmed vulnerabilities (with working PoCs) in named open-source AI projects, plus ~80 suspected findings under verification
9
distinct vulnerability classes scanned (Firebase, DB-creds, PR-target RCE, 6 SaaS-key types, HF Spaces, PyPI)
3
GitHub Security Advisories filed
1
confirmed fix received from a maintainer (“Thanks. Now it is fixed”)

Aggregate reports published monthly at /transparency.

Notable targets contacted

  • 🔹 kubevela/terraform-controller: 162★ CNCF-adjacent infra · Firebase service-account exposure
  • 🔹 dotnet/macios: 2,861★ Microsoft .NET MAUI iOS/macOS bindings · PR-target RCE
  • 🔹 sigma67/ytmusicapi: 2,694★ YouTube Music API client · PR-target RCE (mitigated by contributor approval)
  • 🔹 prusa3d/Prusa-Firmware: 2,108★ 3D printer firmware · PR-target RCE
  • 🔹 liquibase/liquibase: 5,501★ enterprise Java DB migration tool · PR-target RCE
  • 🔹 langwatch/langwatch: 3,258★ LLM observability · PR-target RCE (acknowledged)
  • 🔹 HaiMengg/WNC-InternetBanking-BE: internet banking backend · Firebase service-account
  • 🔹 Invention-Minds/Hospital-Admin-Panel-Backend: healthcare admin · Firebase service-account

Full disclosure list available privately on request. We keep details out of public view until maintainers rotate.