Cybercriminals exploit Lovable vibe coding service for malicious websites
Summary
Cybercriminals have been abusing Lovable, a generative AI-powered vibe coding platform, to create malicious websites for phishing attacks, crypto scams, and other threats. Since February, tens of thousands of Lovable URLs have been detected in malicious activities, including MFA phishing kits, malware distribution, and credential harvesting. Lovable has responded by implementing new security measures and taking down hundreds of malicious domains. Lovable, launched in late 2024, has seen rapid adoption by cybercriminals due to its ease of use and effectiveness in creating convincing websites. Proofpoint researchers have observed multiple campaigns leveraging Lovable to distribute various types of malware and phishing kits. The platform's AI capabilities allow low-skill attackers to create effective malicious sites quickly. In response to these threats, Lovable has introduced Security Checker 2.0, an AI-powered platform safety program, and real-time detection of malicious site creation to block malicious projects and enhance security. Despite these measures, Guardio Labs confirmed that Lovable can still be used to create malicious sites as of August 2025.
Timeline
- 21.08.2025 01:11 · 1 article · 26d ago
  Lovable implements real-time detection and additional security measures
  Lovable introduced real-time detection of malicious site creation in July and plans to introduce additional protections this fall. Despite these measures, Guardio Labs confirmed that Lovable can still be used to create malicious sites as of August 2025. Lovable's support and safety team took down over 300 sites that violated their policies in the past two weeks alone.
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- 21.08.2025 00:00 · 2 articles · 26d ago
  Proofpoint identifies Lovable vibe coding service abuse in malicious campaigns
  Cybercriminals have been exploiting Lovable, a generative AI-powered vibe coding platform, to create malicious websites for phishing attacks and crypto scams. Since February, tens of thousands of Lovable URLs have been detected in malicious activities, including MFA phishing kits, malware distribution, and credential harvesting. Lovable has responded by implementing new security measures and taking down hundreds of malicious domains. The Tycoon phishing-as-a-service platform was used in a large-scale operation leveraging Lovable to harvest user credentials, MFA tokens, and session cookies. A payment and data theft campaign impersonated UPS, sending nearly 3,500 phishing emails with links to Lovable-hosted phishing sites. A cryptocurrency theft campaign impersonated the DeFi platform Aave, sending out close to 10,000 emails via SendGrid. A malware delivery campaign distributed the remote access trojan zgRAT using Lovable-hosted links.
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
Information Snippets
- Lovable, a generative AI-powered vibe coding platform, was launched in late 2024.
  First reported: 21.08.2025 00:00 · 2 sources, 2 articles
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Cybercriminals have used Lovable to create tens of thousands of malicious URLs since February.
  First reported: 21.08.2025 00:00 · 2 sources, 2 articles
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Proofpoint observed multiple campaigns using Lovable for MFA phishing kits, malware distribution, and credential harvesting.
  First reported: 21.08.2025 00:00 · 2 sources, 2 articles
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Lovable has implemented Security Checker 2.0 and an AI-powered platform safety program to block malicious projects.
  First reported: 21.08.2025 00:00 · 2 sources, 2 articles
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- The AI-powered platform safety program blocks approximately 1,000 malicious projects each day.
  First reported: 21.08.2025 00:00 · 2 sources, 2 articles
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Lovable took down hundreds of malicious domains in response to Proofpoint's findings.
  First reported: 21.08.2025 00:00 · 2 sources, 2 articles
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Cybercriminals have used Lovable to create convincing and effective websites in minutes.
  First reported: 21.08.2025 00:00 · 2 sources, 2 articles
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Lovable's Trust and Safety team discovered a cluster of credential phishing domains.
  First reported: 21.08.2025 00:00 · 1 source, 1 article
  Sources:
  - Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites (www.darkreading.com, 21.08.2025 00:00)
- Lovable-powered campaigns have impersonated large and recognizable brands using traffic filtering systems like CAPTCHA.
  First reported: 21.08.2025 01:11 · 1 source, 1 article
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- The Tycoon phishing-as-a-service platform was used in a large-scale operation leveraging Lovable to harvest user credentials, MFA tokens, and session cookies.
  First reported: 21.08.2025 01:11 · 1 source, 1 article
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- A payment and data theft campaign impersonated UPS, sending nearly 3,500 phishing emails with links to Lovable-hosted phishing sites.
  First reported: 21.08.2025 01:11 · 1 source, 1 article
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- A cryptocurrency theft campaign impersonated the DeFi platform Aave, sending out close to 10,000 emails via SendGrid.
  First reported: 21.08.2025 01:11 · 1 source, 1 article
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- A malware delivery campaign distributed the remote access trojan zgRAT using Lovable-hosted links.
  First reported: 21.08.2025 01:11 · 1 source, 1 article
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Lovable introduced real-time detection of malicious site creation in July and plans to introduce additional protections this fall.
  First reported: 21.08.2025 01:11 · 1 source, 1 article
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Guardio Labs confirmed that Lovable can still be used to create malicious sites as of August 2025.
  First reported: 21.08.2025 01:11 · 1 source, 1 article
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
- Lovable's support and safety team took down over 300 sites that violated their policies in the past two weeks alone.
  First reported: 21.08.2025 01:11 · 1 source, 1 article
  Sources:
  - AI website builder Lovable increasingly abused for malicious activity (www.bleepingcomputer.com, 21.08.2025 01:11)
Similar Happenings
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.
Increased browser targeting by threat actors
Threat actors are increasingly targeting web browsers as a primary attack vector. This shift is driven by the browser's central role in accessing sensitive data and cloud applications, making it an attractive target for credential theft and session hijacking. High-profile incidents, such as the Snowflake breach, which exploited stolen credentials, highlight the risks associated with browser-based attacks, and experts emphasize the need for stronger browser security to mitigate these threats. Browser-based attacks include phishing for credentials and sessions, malicious copy & paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and exploiting stolen credentials and MFA gaps. These attacks exploit the browser's role in accessing business applications and data, making it crucial for security teams to focus on browser security.
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.
GhostRedirector Campaign Targets Windows Servers with Rungan and Gamshen
A threat cluster named GhostRedirector has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam. The attacks deployed a passive C++ backdoor called Rungan and an IIS module named Gamshen. The threat actor has been active since at least August 2024. The primary goal of the attacks is to manipulate search engine results to boost the ranking of specific websites, including gambling sites. The campaign targets various sectors, including education, healthcare, insurance, transportation, technology, and retail. Initial access is gained through an SQL injection vulnerability, followed by the use of PowerShell to deliver additional tools. The threat actor is assessed with medium confidence to be China-aligned.
Malicious link spreading via Grok AI on X
Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links. They hide links in the 'From:' metadata field of video ads, which Grok then reveals when queried, boosting the links' credibility and reach. This technique, dubbed 'Grokking,' leads users to various scams and malware. The abuse leverages Grok's trusted status on X, amplifying the reach of malicious ads to millions of users. Potential solutions include scanning all fields, blocking hidden links, and enhancing Grok's context sanitization to filter and check links against blocklists. The technique involves using adult content as bait to attract users. The links direct users to sketchy ad networks, pushing fake CAPTCHA scams, information-stealing malware, and other suspicious content. The domains are part of the same Traffic Distribution System (TDS). Hundreds of accounts have been engaging in this behavior over the past few days, posting non-stop until they get suspended. Grok's internal security mechanisms are less robust compared to its competitors, making it vulnerable to prompt injection attempts. X's Grok 4 model lacks fine-tuning for security and safety, prioritizing performance over security.