A user was able to access another users source code, database credentials, AI chat histories, and customer data are all readable by any free account.

They accessed another user's profile, listed their public projects, and downloaded the source code of an admin panel for Connected Women in AI, a real danish nonprofit. the project was last edited 10 days ago. the developer has 3,703 edits this year. this is not abandoned. this is active.

They extracted the database credentials from the source code and queried it. got back real names, real companies, real linkedin profiles. speakers from Accenture Denmark and Copenhagen Business School. not test data. not "John Doe". real people at real companies who have no idea their information is exposed.

Lovable patched this for new projects. they never patched it for existing ones.

A project created in April 2026 returns 403 forbidden. The same developer's older project, actively edited 10 days ago, returns 200 OK with the full source tree. same API. Same endpoint. same free account. same session. one is protected. the other is wide open.

The first hackerone report was filed March 3, 2026. Lovable marked it triaged, then they shipped ownership checks for new projects and left every existing project exposed. 48 days later nothing has changed. He also claims that every conversation you have with lovable's AI is stored and readable through the same bug.

Source: weezerOSINT

A threat actor has listed their customers' data, source code, databases, and keys up for sale.

A security incident has been identified that involved unauthorized access to certain internal Vercel systems. Customers Vercel credentials were compromised.

As per Vercel, the incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attacker used that access to take over the employee's Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as “sensitive.”

Source: Vercel

Cal AI was removed because it used Stripe (via Link) for subscriptions instead of Apple's in-app purchase system.

The payment sheet showed "Pay another way" routing to external billing, which violates Apple's guidelines (3.1.1) for digital goods/subscriptions. Publicly highlighting the higher ARPU setup drew Apple's attention, leading to the takedown. It should be back after they fix it.

Meetup Agenda:

• Q&A with Cursor team​ member
• ​Cursor power users share tips & workflows
• Meet with top builders from the cities below.

Register for events below:

• Bangalore - April 25, 2026
• Chennai - May 1, 2026
• Mumbai - May 9, 2026

A peer-reviewed CMU study (ICSE 2026) found 6 million fake stars across 18,617 repositories using 301,000 accounts - with AI/LLM repos the largest non-malicious category.

The definitive account comes from a peer-reviewed study presented at ICSE 2026 by researchers at Carnegie Mellon University, North Carolina State University, and Socket. Their tool, StarScout, analyzed 20 terabytes of GitHub metadata - 6.7 billion events and 326 million stars from 2019 to 2024 - and identified approximately 6 million suspected fake stars distributed across 18,617 repositories by roughly 301,000 accounts.

The problem accelerated dramatically in 2024. By July, 16.66% of all repositories with 50 or more stars were involved in fake star campaigns - up from near-zero before 2022. The researchers' detection proved accurate: 90.42% of flagged repositories and 57.07% of flagged accounts had been deleted as of January 2025, confirming GitHub itself recognized these as illegitimate.

Key Points:

• Stars sell for $0.03 to $0.85 each on at least a dozen websites, Fiverr gigs, and Telegram channels - no dark web required
• VCs explicitly use stars as sourcing signals: Redpoint found the median star count at seed is 2,850, and firms run automated scrapers to find fast-growing repos
• An analysis sampling 150 profiles per repo across 20 projects and found repos where 36-76% of stargazers have zero followers and fork-to-star ratios 10x below organic baselines
• The FTC's 2024 rule banning fake social influence metrics carries penalties of $53,088 per violation - and the SEC has already charged startup founders for inflating traction metrics during fundraising

Source: Awesome Agents

You can now pay for Replit with UPI via Razorpay, alongside debit & credit cards.

Use Replit's Razorpay MCP to start accepting payments instantly.

Source: Replit

Nandan Reddy, co-founder of Swiggy is leaving the company and is also stepping down from the board.

Swiggy is bringing in CFO Rahul Bothra and co-founder Phani Kishan to the board as additional directors.

Reddy is expected to launch a new startup.

Group CEO Sriharsha Majety is now the only member of the founding trio still at the company. In 2013, they started logistics tech startup Bundl which became Swiggy in 2014.

CTO and co-founder Rahul Jaimini had left in 2020 for ed-tech startup Pesto.

Source: The Arc