Shadow Builders: 2,000+ Vibe-Coded Apps Expose Corporate Data

Security researchers at Red Access have uncovered a alarming trend in enterprise data exposure through what they term the 'Shadow Builders' phenomenon. In a comprehensive investigation, the team identified more than 380,000 publicly accessible web assets across leading AI-driven development platforms, with approximately 5,000 appearing corporate in nature. Of these, over 2,000 were found to contain sensitive corporate, operational, or personal data, completely exposed on the open internet without basic access controls. Many of these applications were granting administrative access by default to anyone who accessed the URL, creating immediate and severe security risks across six continents and virtually every industry vertical. Organizations can check if their corporate emails have been compromised in similar breaches using our email breach checker.

The core issue stems from 'vibe coding'—AI-driven development platforms that enable non-technical employees to build functional applications through natural language descriptions. Marketing managers create campaign trackers connected to business intelligence platforms, operations teams build vendor-intake forms linked to ticketing systems, and finance departments construct board-prep dashboards pulling invoice data—all without involving IT or security teams. These applications frequently integrate directly with sanctioned production systems including CRMs, ERPs, and BI platforms, then get published to the open internet with whatever access controls the builder happened to configure. Often, that means none at all. The platforms themselves facilitate this rapid development without implementing adequate governance mechanisms for the artifacts being created and deployed.

Unlike traditional Shadow IT—where unsanctioned SaaS tools at least maintained identity controls, audit logs, and some governance surface—Shadow Builders invert every security assumption. The application is custom-built, the data is custom-loaded, the integrations are direct connections to production systems of record, and the artifact sits publicly accessible on the internet. Organizations conducting due diligence can use our WHOIS lookup tool to investigate domains associated with these shadow applications and identify potential exposures. Meanwhile, security teams should verify that any externally-facing applications maintain proper SSL/TLS configuration using our SSL/TLS checker to prevent man-in-the-middle attacks on these hastily-deployed tools.