We Warned You. They Showed Up Anyway.
Four threat actors probed our new server within hours of launch. Here’s exactly what they were looking for — and why vibe-coded apps are handing it to them.
By Tom Raef, Founder — We Watch Your Website May 25, 2026
We launched a new server this week.
Not a WordPress site. A code analysis server — the infrastructure behind our vibe-coded app vulnerability analyzer. Clean install. No legacy software. No WordPress at all.
Within hours, four separate threat actors had already found it and were running automated credential harvesting sweeps against it.
We watched it happen in real time. We logged everything. And it confirmed exactly what we’ve been saying for months: the attackers are ready. The question is whether the developers are.
What We Saw
Here’s the raw data from our Nginx access logs on May 25, 2026 — the day the server went live publicly.
| Time | IP | Organization | Requests | Campaign |
|---|---|---|---|---|
| 07:00 | 192.253.248.169 | Secure Internet LLC (UK) | 61 | .env sweep |
| 09:00 | 66.198.225.21 | SKN Subnet & Telecom | 111 | .env + config sweep |
| 14:00 | 80.94.95.211 | UNMANAGED-LTD (GB) | 61 | .env sweep |
| 17:00 | 52.159.227.196 | Microsoft Azure | 28 | .env + API probe |
Four actors. Four separate hour-long campaigns. All automated. All within the same day.
The Microsoft Azure hit deserves a moment. That is not a script kiddie running a tool from their basement. That is someone paying for cloud infrastructure specifically to run credential harvesting operations. Organized. Funded. Systematic.
What They Were Looking For
Here are the exact paths they probed, ranked by frequency:
| Hits | Path |
|---|---|
| 14 | /.env |
| 8 | /config.json |
| 6 | /.git/config |
| 5 | /settings.json |
| 4 | /.env.production |
| 4 | /.env.example |
| 4 | /appsettings.json |
| 3 | /credentials.json |
| 3 | /config/.env |
| 2 | /.vscode/sftp.json |
| 2 | /test/.env |
| 2 | /staging/.env |
| 2 | /smtp.json |
| 2 | /server/.env |
| 2 | /secrets.json |
| 2 | /portal/.env |
| 2 | /package.json |
| 2 | /nodemailer.config.js |
| 2 | /mail.json |
| 2 | /laravel/.env |
| 2 | /.env.staging |
| 2 | /.env.prod |
| 2 | /.env.development |
| 2 | /dev/.env |
| 2 | /demo/.env |
| 2 | /crm/.env |
| 2 | /core/.env |
| 2 | /bot/.env |
| 2 | /backend/.env |
| 2 | /app/.env |
| 2 | /api/.env |
| 2 | /API/.env |
| 2 | /admin/.env |
Look at the sophistication of that list. This is not a single /.env probe. This is a comprehensive wordlist that covers every subdirectory pattern a vibe-coded application might use.
/bot/.env. /crm/.env. /api/.env. /backend/.env. /laravel/.env.
Someone built this wordlist by studying how AI code generators structure projects. They know that when a developer uses Lovable, Replit, Base44, or Bolt to spin up an app, the .env file ends up in a predictable location. They’ve done their homework. They’ve automated the harvest.
Why This Matters for Vibe-Coded Apps
We have been running our vibe-coded app vulnerability analyzer since early 2026. We have scanned 2,096 AI-generated applications across every major platform — Lovable, v0, Replit, Bolt, Base44, and Rork.
72.8% contained at least one exploitable vulnerability.
One of the most common findings: hardcoded secrets and API keys in .env files — or worse, committed directly to source code where they end up in public GitHub repositories.
When a developer builds an app with an AI assistant, the AI generates an .env.example file and tells the developer to fill in their secrets. What it doesn’t tell them:
- Many deployment platforms inadvertently serve .env files as static assets
- AI-generated Docker configurations sometimes copy .env into the container image
- Vite and other bundlers can expose environment variables in client-side bundles if VITE_ prefixes are misused
- .env.production, .env.staging, and .env.development all get probed — because developers create all three
The attackers running these sweeps know this. That wordlist is not random. It is a map of every mistake AI tools make when generating deployment configurations.
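Each of the four mistakes above can be checked mechanically before a deploy. The script below is an added example, not code from We Watch Your Website or its analyzer. It assumes a Node/Vite-style layout (a Dockerfile at the project root, static output under public/, dist/, build/ or static/), treats a VITE_ variable whose name ends in KEY, SECRET, TOKEN, PASSWORD or PRIVATE as a secret that would be inlined into the browser bundle (a heuristic, not a rule from any tool), and builds a throwaway sample tree containing every mistake so it runs offline.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# Heuristic (assumption): a VITE_ variable named like this is a server secret that
# the bundler will inline into the public JavaScript bundle.
SECRET_NAME_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PRIVATE)$", re.IGNORECASE)
# Directories that static hosts and bundlers typically serve verbatim (assumption).
STATIC_DIRS = {"public", "dist", "build", "static"}


def audit_project(root: Path) -> List[str]:
    """Return one finding per deployment mistake found under the project root."""
    findings: List[str] = []
    env_files = sorted(p for p in root.rglob(".env*") if p.is_file())

    def rel(p: Path) -> str:
        return p.relative_to(root).as_posix()

    # 1. A .env file living inside a directory that gets served as static assets.
    for p in env_files:
        if STATIC_DIRS & set(p.relative_to(root).parts[:-1]):
            findings.append(f"{rel(p)}: .env file inside a static-served directory")

    # 2. Dockerfile copies the whole build context and .dockerignore does not exclude .env.
    dockerfile = root / "Dockerfile"
    if dockerfile.is_file():
        copies_all = re.search(r"^\s*(COPY|ADD)\s+\.\s", dockerfile.read_text(), re.MULTILINE)
        ignore = root / ".dockerignore"
        ignores_env = ignore.is_file() and any(
            line.strip().startswith(".env") for line in ignore.read_text().splitlines()
        )
        if copies_all and not ignores_env:
            findings.append("Dockerfile: 'COPY . ...' without a .dockerignore entry for .env")

    # 3. VITE_-prefixed variables with secret-looking names end up in the client bundle.
    for p in env_files:
        for line in p.read_text().splitlines():
            m = re.match(r"\s*(VITE_[A-Z0-9_]+)\s*=", line)
            if m and SECRET_NAME_RE.search(m.group(1)):
                findings.append(f"{rel(p)}: {m.group(1)} will be inlined into the client bundle")

    # 4. Per-environment variants at the root: each one is a separate path that gets probed.
    variants = sorted(
        p.name for p in env_files
        if p.parent == root and p.name.startswith(".env.") and p.name != ".env.example"
    )
    if len(variants) > 1:
        findings.append("multiple env variants present: " + ", ".join(variants))
    return findings


def build_sample_project() -> Path:
    """Constructed sample: a throwaway tree exhibiting all four mistakes."""
    root = Path(tempfile.mkdtemp(prefix="vibe-audit-"))
    (root / ".env").write_text(
        "DATABASE_URL=postgres://app:placeholder@db/app\n"
        "VITE_STRIPE_SECRET_KEY=sk_placeholder\n"   # mistake 3: secret behind a VITE_ prefix
        "VITE_APP_NAME=demo\n"                      # harmless public value
    )
    (root / ".env.production").write_text("DATABASE_URL=placeholder\n")  # mistake 4
    (root / ".env.staging").write_text("DATABASE_URL=placeholder\n")     # mistake 4
    (root / "public").mkdir()
    (root / "public" / ".env").write_text("API_TOKEN=placeholder\n")     # mistake 1
    (root / "Dockerfile").write_text("FROM node:20\nWORKDIR /app\nCOPY . .\nRUN npm ci\n")  # mistake 2
    (root / ".dockerignore").write_text("node_modules\n")                # no .env entry
    return root


def build_clean_project() -> Path:
    """Constructed sample: the same layout with the mistakes fixed."""
    root = Path(tempfile.mkdtemp(prefix="vibe-audit-clean-"))
    (root / ".env").write_text("DATABASE_URL=placeholder\nVITE_APP_NAME=demo\n")
    (root / ".env.example").write_text("DATABASE_URL=\n")
    (root / "Dockerfile").write_text("FROM node:20\nWORKDIR /app\nCOPY . .\n")
    (root / ".dockerignore").write_text(".env\n.env.*\n")
    return root


if __name__ == "__main__":
    for finding in audit_project(build_sample_project()):
        print(finding)
```

Point `audit_project` at a real checkout instead of the sample tree to use it as a pre-deploy gate; a non-empty result is a reason to stop the deploy, and a hit on check 3 means the value is already in a built bundle and should be rotated, not just removed.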
The Timeline Is Getting Shorter
When we started this research, our hypothesis was that vibe-coded apps would be found and exploited — but that there would be a lag between deployment and attack. Attackers would need time to find new apps, enumerate their technology stack, identify vulnerabilities.
The data is collapsing that assumption.
New infrastructure gets swept within hours. Credential probes are fully automated. The attackers are not waiting for a specific target — they are running continuous sweeps across the entire internet, collecting every exposed secret they can find, and monetizing them later.
Your .env file does not need to be interesting. It just needs to be exposed.
What You Should Do Right Now
If you have deployed a vibe-coded application — built with any AI assistant on any platform — assume it has been probed. Then verify:
1. Check your web server logs

```bash
grep -E "\.(env|git|config|json)" /var/log/nginx/access.log | awk '{print $1, $7}' | sort | uniq -c | sort -rn
```

If you see hits on .env paths, the probes have already found you.

2. Verify your .env is not publicly accessible

```bash
curl -I https://yourdomain.com/.env
```

A 200 response means your secrets are exposed. Right now.

3. Check your Nginx or Apache config

Make sure static file serving does not include your project root. .env files should never be in a web-accessible directory.

4. Rotate any secrets that may have been exposed

API keys, database credentials, JWT secrets. If there is any possibility they were served, treat them as compromised.

5. Scan your code before your next deployment

Our analyzer runs eight stages of automated analysis including secrets detection, dependency auditing, and LLM deep review. The free scan takes under five minutes.

Run a free scan at analyzer.wewatchyourwebsite.com
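The grep one-liner in step 1 shows which paths were hit; the script below goes one step further and turns the same log into the shape of the table earlier in this post (first seen, source IP, request count, campaign type), and counts any sensitive-path request the server answered with a 2xx, which is the exposure that step 2 tests for with curl and step 4 responds to. This is an added example, not the analyzer's code. It assumes Nginx's default combined log format, groups the probed paths into env, git and config categories taken from the list above, and runs on constructed log lines that use RFC 5737 documentation addresses rather than real traffic.

```python
import re
import sys
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Nginx default "combined" log format (assumption: no custom log_format in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Probed paths from the list earlier in the post, grouped into categories for labelling.
CATEGORIES = {
    "env": re.compile(r"/\.env(\.[a-z]+)?$", re.IGNORECASE),   # /.env, /api/.env, /.env.production
    "git": re.compile(r"/\.git/", re.IGNORECASE),
    "config": re.compile(
        r"/(config|settings|appsettings|credentials|secrets|smtp|mail)\.json$"
        r"|/\.vscode/sftp\.json$|/nodemailer\.config\.js$",
        re.IGNORECASE,
    ),
}


class Actor(NamedTuple):
    ip: str
    first_seen: str   # HH:MM of the first sensitive-path request
    requests: int     # sensitive-path requests only
    campaign: str
    served: int       # sensitive-path requests answered with 2xx: an exposure


def classify(paths: List[str]) -> str:
    """Label a set of probed paths the way the table in the post does."""
    hit = {name for name, rx in CATEGORIES.items() if any(rx.search(p) for p in paths)}
    if hit == {"env"}:
        return ".env sweep"
    if "env" in hit:
        return ".env + config sweep"
    return "config sweep" if hit else "none"


def summarize(log_lines) -> List[Actor]:
    """Group sensitive-path requests per source IP, ordered by first appearance."""
    per_ip: Dict[str, List[Tuple[str, str, int]]] = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed or truncated line
        path = m.group("path").split("?", 1)[0]
        if not any(rx.search(path) for rx in CATEGORIES.values()):
            continue                      # ordinary traffic
        _day, hh, mm, _rest = m.group("ts").split(":", 3)   # 25/May/2026:07:00:12 +0000
        per_ip[m.group("ip")].append((f"{hh}:{mm}", path, int(m.group("status"))))
    actors = []
    for ip, hits in per_ip.items():
        hits.sort()
        actors.append(Actor(
            ip=ip,
            first_seen=hits[0][0],
            requests=len(hits),
            campaign=classify([p for _, p, _ in hits]),
            served=sum(1 for _, _, status in hits if 200 <= status < 300),
        ))
    return sorted(actors, key=lambda a: a.first_seen)


# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [25/May/2026:07:00:12 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [25/May/2026:07:00:13 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [25/May/2026:07:00:14 +0000] "GET /.env.production HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2026:09:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [25/May/2026:09:00:02 +0000] "GET /config.json HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [25/May/2026:09:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.5 - - [25/May/2026:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/May/2026:10:15:01 +0000] "GET /assets/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:      # e.g. /var/log/nginx/access.log
            actors = summarize(fh)
    else:
        actors = summarize(SAMPLE_LOG.splitlines())
    for a in actors:
        flag = "  <-- SERVED, rotate secrets" if a.served else ""
        print(f"{a.first_seen}  {a.ip:<16} {a.requests:>4}  {a.campaign}{flag}")
```

Run it with the access log path as its only argument. The `served` column is the one that matters: a sweep that only produced 404s is noise you will see every day, while a single 2xx on one of these paths is the signal to rotate every secret that file contained.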
We Said This Was Coming
In March 2026 we published our research on vibe-coded app vulnerabilities. We analyzed 2,096 real-world applications. We documented the patterns. We built the tools to detect them.
The attackers were already building theirs.
The gap between “AI writes your code” and “attacker harvests your credentials” is now measured in hours, not weeks. The wordlists are comprehensive. The infrastructure is cloud-funded. The sweeps are continuous.
We are not writing this to say we told you so.
We are writing this because the next wave is already running — and most of the apps in its path were built by developers who had no idea what they were shipping.
We Watch Your Website has protected over 2.9 million WordPress sites since 2007 and has removed malware from over 8 million sites. Our vibe-coded app analyzer is available at analyzer.wewatchyourwebsite.com. For platform and API integrations, contact us at traef@wewatchyourwebsite.com/partners.
