field note
Last article I told you Lovable left thousands of projects exposed for 48 days and called it a footnote.

This one’s bigger. This one’s everyone.

The vibe coding crisis was about platforms. This is about a file you’ve personally created. A file sitting in one of your repos right now. A file you never thought of as a risk because everybody told you it was the safe place to put your secrets.

I’m talking about your .env file.

And right now, 12 million servers are serving theirs to anyone who asks.

Let’s go.

The Number That Should Have Been a Headline

In February 2026, researchers at Mysterium VPN did something almost insultingly simple.

They scanned the internet for one thing: servers that would hand over their .env file if you just asked. Type the URL, add /.env at the end, hit enter.

They found 12,088,677 IP addresses doing exactly that.

Not vulnerable to a clever exploit. Not breakable with a sophisticated attack. Just open. You request the file, the server gives it to you. Database passwords, API keys, JWT signing secrets, cloud tokens. The actual keys to the actual kingdom, downloadable by anyone who knows to look.

The US leads with nearly 2.8 million exposed IP
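A defender-side check for the exposure described above, as an added example that is not from the original article: it walks a web document root on your own server, flags every .env-style file a static file handler would serve, and reports the names of secret-looking keys without printing their values. The key-name patterns, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Key-name heuristics for the secret types the article lists (assumed, not exhaustive).
SECRET_KEY = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|DATABASE_URL)", re.I)
ENV_NAME = re.compile(r"^\.env(\..+)?$")   # .env, .env.production, .env.bak, ...
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def secret_keys(path):
    """Return names (never values) of non-empty secret-looking keys in a dotenv file."""
    names = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = ASSIGN.match(line)
            if m and SECRET_KEY.search(m.group(1)) and m.group(2).strip().strip("'\""):
                names.append(m.group(1))
    return names

def audit_docroot(docroot):
    """Map each URL path under docroot that is a dotenv file to its secret key names."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if ENV_NAME.match(name):
                full = os.path.join(dirpath, name)
                url = "/" + os.path.relpath(full, docroot).replace(os.sep, "/")
                findings[url] = secret_keys(full)
    return findings

def demo():
    """Build a constructed document root with placeholder values and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "api"))
        with open(os.path.join(root, ".env"), "w") as fh:
            fh.write("# constructed sample\nAPP_NAME=shop\nDB_PASSWORD=placeholder\n"
                     "export JWT_SECRET='placeholder'\nSTRIPE_API_KEY=\n")
        with open(os.path.join(root, "api", ".env.bak"), "w") as fh:
            fh.write("AWS_SECRET_ACCESS_KEY=placeholder\n")
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>ok</h1>\n")
        return audit_docroot(root)

if __name__ == "__main__":
    for url, keys in sorted(demo().items()):
        print(url, "->", ", ".join(keys) or "(no secret-looking keys)")
```

Any path it reports should be moved out of the served directory, and the keys it names should be rotated if the file was ever reachable.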