In the wild.
What we've found. What's shipping next.
Every disclosure Lictor has sent to a maintainer, every scanner we've built, and the honest roadmap of what's coming, including the surfaces we haven't covered yet.
What's shipped
Live scanners running today, finding bugs in real AI-generated code.
🌐 Web app scanner
URL-based audit for any deployed site. Catches leaked secrets, exposed DBs, painted-lock admin routes, open CORS, unsigned webhooks, prompt-injection surfaces.
Run a scan →🛠 Claude Code skill suite
/lictor-security-check + /lictor-fix-it + /lictor-explain + /lictor-rotate. Runs locally inside any project.
Install →🔍 Patrol auto-scanner
Continuous discovery of vibe-coded repos with hardcoded secrets: Supabase service-role JWTs, Firebase service-account JSONs, DB creds, bot tokens, GitHub Actions RCE patterns. 8 confirmed vulnerabilities (with working PoCs) in named open-source AI projects like HuggingFace transformers and cognita, plus ~80 suspected findings under verification. One has a confirmed maintainer fix in 24 hours.
Runs as hosted monitoring →Coming next, in development
The honest roadmap. No "shipping Q4 2027" theatre. These are the surfaces we're actively building scanners for.
📱 Mobile (iOS + Android) · soon
Static analysis on .ipa / .apk bundles + AI-generated Swift/Kotlin source. Catches API keys shipped in the bundle, insecure local storage, WebView ↔ JS bridge holes, missing cert pinning, excessive manifest permissions.
🧩 Browser-extension scanner
Manifest v3 audit for AI-generated Chrome / Firefox extensions. Catches over-permissive host-permissions, content-script injection holes, message-passing without origin checks.
⚙️ CI/CD pipeline audit
GitHub Actions + GitLab CI workflow scanning. Catches the classic pull_request_target + checkout-PR-head RCE pattern, secrets in workflow logs, branch-protection bypass via unprotected paths.
🖥 Desktop apps (Tauri / Electron)
For AI-built native shells. Audits IPC bridge exposure, nodeIntegration leaks, file-system access scopes, auto-updater signing.
🛰 MCP server audit
For the Model Context Protocol ecosystem. Catches tool-description prompt injection, unauthenticated tool exposure, schema-validation bypass.
What we’re actually finding
Real examples from what we’ve found, anonymised where the maintainer hasn’t publicly responded. The patterns repeat across every vibe-coding tool.
Firebase service-account JSONs
The single most common vibe-coded mistake. The full private_key + private_key_id for a real Google Cloud service account, committed to a public repo. Grants full project access until manually rotated.
GitHub Actions pull_request_target RCE
Workflow checks out the PR's head SHA (attacker-controlled code) with access to repo secrets. Classic supply-chain attack vector. Found in Microsoft .NET MAUI bindings (2.8k★), prusa3d/Prusa-Firmware (2.1k★), liquibase (5.5k★), langwatch (3.3k★), and 10 more.
DB connection strings with passwords
Live postgres://user:password@host/db or mongodb+srv://... connection strings in .env.production files committed to public source. Filtered out localhost / private IPs / placeholder passwords. Only real-host real-credential cases get contacted.
SaaS API keys (Mailchimp · Twilio · etc)
Hardcoded Mailchimp keys (list-takeover risk), Twilio Account SID + Auth Token pairs (SMS spend takeover, since bots scrape GitHub for exactly this combo). One Twilio finding in an active multi-user whiteboard app.
LLM keys in HuggingFace Spaces
Hardcoded Google Gemini / Groq API keys in the public app.py of HF Spaces, including an active immigration-assistance chatbot. HF Spaces are public source by design; anyone with the URL can read the key out.
API keys in published PyPI packages
One Python AI-wrapper package (zohencel-ai) ships with two hardcoded Groq keys across multiple files. pip install the package and the keys are right there. Bots scrape PyPI tarballs for exactly this.
External attack-surface scanning, May 2026
We've audited AI apps and the open-source tools they're built on. Every finding was disclosed privately by email to the affected organisation or cloud provider under the 60-day Coordinated Vulnerability Disclosure norm. Zero victim names published. Only finding categories and counts.
Week 1 (May 19-22): Attack-surface scanner battery
Frontend source code leaks
Initial scan surfaced 292 hosts serving .js.map sourcemap files. After content-quality validation (does the bundle actually reveal customer code, or is it just vendor library boilerplate?), the honest breakdown:
- 44 HIGH: significant custom code + internal API endpoints revealed
- 81 MEDIUM: custom code revealed but no clear endpoints
- 116 LOW: mostly Stencil / React / framework boilerplate (no real impact)
- 45 EMPTY: stub files or framework-only content, reclassified as non-findings
Spoofable enterprise email domains
Missing or weak SPF, DMARC, or DKIM at Fortune 500 enterprises, meaning attackers can send mail that appears to come from these domains. The lowest-effort phishing-enablement vector in the report.
Publicly listable cloud buckets
S3 / GCS / DigitalOcean Spaces / Wasabi buckets returning a full directory listing without authentication. Contents observed (counted only, never downloaded): regulated health records, financial records, government records, and one 280MB SQL database dump.
End-of-life software stacks (HIGH)
Production-facing services running components that no longer receive security patches from upstream. That's permanent HIGH-severity exposure until upgraded. Includes Apache 2.2.x, PHP 5.x, OpenSSL 1.0.x, and several end-of-life CMS versions.
RDP / FTP / SMB exposed to internet
Protocol-handshake confirmed (not just port-open, to defeat WAF anti-recon false positives): four hosts with remote-desktop, file-transfer, or SMB services reachable directly from the public internet. Pre-ransomware indicators.
New subdomain exposures
Subdomain enumeration surfaced web assets the org didn't realise it was hosting: deprecated apps, forgotten staging environments, unmonitored marketing landing pages. Each one is a potential attacker entry point that nobody is patching.
Anti-FP rigor: every probe in this scan used protocol-handshake confirmation (RDP nego, SMB negotiate, FTP banner, SSL handshake), vendor-fingerprint detection (WAF, Shopify GraphQL, CDN edge), and post-hoc cluster dedup. The evidence rules are documented →
Week 2 (May 23-24): AI provider + cloud credential leak hunting
AWS access keys in public source
Live AWS access key IDs (AKIA*) discovered in committed code on GitHub. 39 of 47 had a matching AKIASecretAccessKey in the same file, which is full-account-takeover material. Disclosed in one batch to AWS Security for auto-revoke.
OpenAI API keys
Live sk-proj-* project-scoped API keys committed to public repos, mostly in Python/Node tutorial code (RAG examples, ChatGPT wrappers, study projects). Batch-disclosed to OpenAI Security. Within hours, the report was assigned to a named OpenAI engineer for triage.
HuggingFace tokens
Live hf_* user-access tokens in public repos. Often co-located with other credentials (AWS, OpenAI) in the same .env file, which suggests the same user/team has multiple credentials at risk. Batch-disclosed to HuggingFace Security.
Anthropic API keys
Live sk-ant-api03-* keys committed to public repos. Disclosed to Anthropic Security (acknowledged within seconds via auto-reply, pointing to HackerOne for any platform vulns).
Google Cloud / Firebase credentials
81 Firebase admin-SDK JSON files (full RSA private_key + client_email) on GitHub + 24 Google AI / Firebase configs on GitLab. Combined batch to Google Security, auto-acknowledged via their security-noreply system.
Discord + Slack webhook URLs
Live webhooks for posting arbitrary messages to chat channels without authentication. Disclosed to Discord T&S and Slack Security for owner notification + abuse-detection feedback.
Anonymous-listable cloud storage
Buckets responding to anonymous GET / with a full <ListBucketResult>. Bucket names alone strongly suggest sensitive content: KYC documents, mortgages, prescriptions, loan portfolios, vault staging, WhatsApp backups, credentials-production.
- 26 GCS → Google Cloud Trust & Safety
- 13 DigitalOcean Spaces → DigitalOcean abuse (auto-acked)
- 7 Wasabi → Wasabi security
Subdomain takeover candidates
Subdomains of bug-bounty-eligible programs with dangling DNS records pointing to unclaimed Vercel / Fastly / Heroku / Unbounce / CloudFront resources. Anyone could register the dangling resource and serve attacker content at a high-trust subdomain.
phpinfo.php exposures
Public phpinfo.php pages on production sites leaking full PHP server configuration, file paths, loaded modules, and environment variables. Both running end-of-life PHP versions (7.3.x and 7.4.x). Disclosed to site owners directly.
The anti-FP rigor that's actually the product
HEAD response Content-Type trust bypass
Some servers (Cloudflare, SPA shells) return CT=text/plain on HEAD but text/html body on GET. Filters gated on HEAD's CT never engaged, so phantom "exposed debug endpoint" findings shipped. Fix: always fetch the body, never trust HEAD's CT.
Intentional public infrastructure endpoints
Endpoints like /health, /api/health, /ready, /ping are public by design (Spring Actuator, k8s probes, ALB checks). Scanner now allow-lists these instead of flagging them. The deeper endpoints like /actuator/env still get caught.
WAF block-pages that return HTTP 200
F5 BIG-IP / Imperva / Cloudflare / Akamai sometimes return 200 with a "Request Rejected" body instead of 403. Scanner saw the 200 and flagged "admin panel exposed." Fix: regex on known WAF block-page signatures, classify as WAF-BLOCKED-FP.
Real example of the impact: the admin-panels scanner pre-fix returned 818 findings on a 507-host corpus, near 100% false positives from SPA fallbacks, catchall APIs, and WAF blocks. Post-fix, the same FP-fixed scanner returns 0 findings on the same 6-host test corpus, which is correct, since none of those hosts genuinely had exposed admin panels. The work that didn't go into a disclosure email is the most valuable work we did this week.
The first confirmed fix
May 18, 2026 · a disclosed GitHub project (identity redacted) · 22 hours after disclosure
“Thanks. Now it is fixed.”
the maintainer of a disclosed open-source project
Our scanner flagged a pull_request_target workflow that checked out the PR’s head SHA, the classic GitHub Actions RCE pattern. We sent a private contact-request with no public details. The maintainer replied 22 hours later with the fix already merged. Zero back-and-forth. This is exactly the loop Lictor was built for.
When we were wrong
Because being honest about our mistakes is the only way to keep the trust we built.
On May 17, our scanner flagged 8 Israeli sites as having a painted-lock /admin page (page returns content before redirecting to login). We sent contact-requests to all 8.
Then we ran a stricter verifier. All 8 were false positives. The sites were behind WAFs (Radware, Cloudflare) or were Next.js SPAs returning the same HTML shell for any path. Both look like "admin loads without login" to a naive scanner.
We retracted all 8 issues publicly within 30 minutes (apology comment plus closed as “not planned”) and shipped a verifier upgrade (WAF detection + content-type check + non-redirect-follow) the same hour. The full retraction template:
“On re-verification with stricter heuristics, this report appears to be a false positive from our scanner… This is a bug in our scanner. We’re closing this issue and fixing the detection logic so it doesn’t happen again. Sorry for the noise. I appreciate you being patient with an automated outreach tool that’s clearly still learning its job. Voice + accuracy are the product; today this report failed on accuracy.”
Net result: 8 maintainers spent <5 minutes each, none were embarrassed, our voice promise held. We’d rather eat the apology than ship the lie.
Disclosures sent (so far)
Verified, manually triaged, and contacted via responsible disclosure. Full details kept private until the maintainer rotates or 30 days pass.
Aggregate reports published monthly at /transparency.
Notable targets contacted
- 🔹 kubevela/terraform-controller: 162★ CNCF-adjacent infra · Firebase service-account exposure
- 🔹 dotnet/macios: 2,861★ Microsoft .NET MAUI iOS/macOS bindings · PR-target RCE
- 🔹 sigma67/ytmusicapi: 2,694★ YouTube Music API client · PR-target RCE (mitigated by contributor approval)
- 🔹 prusa3d/Prusa-Firmware: 2,108★ 3D printer firmware · PR-target RCE
- 🔹 liquibase/liquibase: 5,501★ enterprise Java DB migration tool · PR-target RCE
- 🔹 langwatch/langwatch: 3,258★ LLM observability · PR-target RCE (acknowledged)
- 🔹 HaiMengg/WNC-InternetBanking-BE: internet banking backend · Firebase service-account
- 🔹 Invention-Minds/Hospital-Admin-Panel-Backend: healthcare admin · Firebase service-account
Full disclosure list available privately on request. We keep details out of public view until maintainers rotate.