Background
The question I set out to answer: How do I keep moving fast with AI coding tools without quietly introducing security holes into my own projects?
I vibe-code a lot (small tools, dashboards, side quests), and the workflow has changed the threat model. The old contract was that a human read the README, picked the dependency, and ran npm install. The new one is an agent half-remembering a package and installing it on its own, often with permission prompts skipped. That is exactly how leaked credentials, self-replicating supply-chain worms (Shai-Hulud), malicious MCP servers (the Postmark MCP that BCC'd every email), and prompt-injection campaigns get in, and most people find out weeks later, when the cloud bill arrives. So I built a living tracker of the incidents that actually matter to people shipping with Cursor, Claude Code, Lovable, v0, Bolt, and Replit, paired with recovery playbooks and prevention guides, so the gap between "compromised" and "noticed" is hours instead of weeks.
How It Works
I vibe-coded it (fittingly), then spent most of the effort hardening it. It's a security resource, so it has to hold up to the same scrutiny it asks of everything else. The build is deliberately low-maintenance and keeps running on its own:
- Data sources: security researchers, vendor disclosures, and incident write-ups, distilled into one dated, sourced file per incident under
advisories/(plusplaybooks/for recovery andprevention/for hardening). Each advisory is markdown with structured frontmatter (severity, status, affected ecosystems, dates) and a concrete "am I affected?" check, so it's both human- and machine-readable. - Backend: a Python build renders the markdown into a site plus machine-readable artifacts (an
llms.txtindex, a JSON API, an Atom feed). A pytest suite of 86 checks gates every deploy (including a test that fails the build if a secret is ever committed), and GitHub Actions ships it to GitHub Pages on each push. - Self-updating: a Claude Code skill runs tiered web sweeps (deep over the last 24h, lighter over 7d) and learns over time which sources actually produce hits, querying those first on the next run.
A Look Inside
Each view shown on mobile and desktop — tap any image to open the live site.



