Public story · 2026-02-26 · source-backed
Moltbook: The Canonical Vibe-Coded Security Failure
Story
Wiz disclosed that Moltbook, a social network for AI agents, exposed 1.5M API authentication tokens, 35,000 email addresses, and private agent messages through a misconfigured Supabase database. The vulnerability: a Supabase API key exposed in client-side JavaScript granting full read/write access to the entire production database. Founder Matt Schlicht publicly confirmed he "didn't write one line of code." The UK's professional accounting body ICAEW published an analysis citing Moltbook as evidence that vibe coding security risks are now a mainstream professional governance concern.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / What happened next
Karpathy Retires "Vibe Coding," Coins "Agentic Engineering" — and the Security Data Proves Why
Both cover Moltbook, Supabase; overlapping topics (agent, code, coding, security, write); picks up the Moltbook thread on 2026-03-11.
Shared entity: Supabase / Shared topic / What happened next / Tension
Stripe Just Made Agents Real Infrastructure Citizens with Projects.dev
Both cover Supabase; overlapping topics (agent, code, coding); picks up the Supabase thread on 2026-03-27.
Shared entity: JavaScript / Shared topic / What happened next
1,400 Agent Skills, One Install Command, 36K Stars: The npm Moment for AI Workflows
Both cover JavaScript; overlapping topics (agent, code, coding, security); picks up the JavaScript thread on 2026-05-03.
Shared entity: JavaScript / Shared topic / Tension
WebMCP: Chrome's Sleeper Hit
Both cover JavaScript; overlapping topics (access, agent, client-side, code); pushes against this story (but).
Shared entity: Supabase / Shared topic / Earlier coverage
InsForge — The "Supabase for Coding Agents" (1.5K stars)
Both cover Supabase; overlapping topics (agent, code, coding, database); earlier Supabase coverage from 2026-02-23.
Shared entity: JavaScript / Shared topic / What happened next
Claude Code reportedly ships a feature-flagged-off engine that fans out to 1,000 subagents.
Both cover JavaScript; overlapping topics (agent, code, coding); picks up the JavaScript thread on 2026-06-05.
Google Ships Official Chrome DevTools MCP Server. 38,582 Stars in Days.
Both cover JavaScript; overlapping topics (agent, code, coding); picks up the JavaScript thread on 2026-05-09.
Shared entity: Supabase / Shared topic / What happened next
Lovable's $5B Vibe Coding Platform Got Breached and They Called It "Intentional Behavior"
Both cover Supabase; overlapping topics (access, coding, security); picks up the Supabase thread on 2026-04-21.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — 2026-02-26
- AI generated
- no
- Story unit
- 2026-02-26-moltbook-the-canonical-vibe-coded-security-failure
- Labels
- source-backed, canonical briefing excerpt