What they don't tell you about vibe coding:
• Moltbook exposed 1.5M auth tokens. The owner hadn't written a single line of code.
• Tea App leaked 72,000 government IDs. The database was just open, no sophisticated hack needed.
• A researcher took control of a journalist's computer through her own vibe-coded game, without a single click.
The code ran fine in all three cases, tests passed, reviews looked clean, and nothing raised a flag.
That's the problem nobody is talking about.
Teams are shipping faster than ever. AI writes the code. CI catches build failures. Tests catch regressions. Observability catches outages.
But nobody is asking the one question that actually matters:
What can an attacker do with this, right now?
Because the bottleneck is no longer writing code. It's understanding what that code actually exposes once it's live.
PR reviews miss auth edge cases. Unit tests don't probe broken access control. Staging environments don't simulate adversarial behavior. And business logic flaws look completely fine until someone decides to break them on purpose.
Strix is an open-source tool that fills this gap.
It reviews your running app the way an attacker would:
- Crawls the app and maps every exposed route and flow
- Probes abuse paths dynamically, not just at build time
- Returns findings with proof-of-concepts and suggested fixes
Strix was benchmarked against 200 real companies and open-source repos, where it found 600+ verified vulnerabilities including assigned CVEs.
...
