I have a few hobby projects I vibecoded in 2025 and haven't revisited since React2Shell came out.
Hetzner keeps sending me security alerts. My servers were exposed. Environment variables stolen. Bots grabbing credentials.
GitHub and Anthropic have clearly synchronized their security mechanisms, which is both reassuring and humbling.
Here's the real lesson: if you vibecoded projects in 2025 with React2Shell, you're almost certainly exposed. Bots have likely already grabbed your environment variables. You probably need to roll some keys.
This is the dark side of "code first, ask questions later." When you're in pure flow state, generating code fast, testing locally, deploying quickly — security often becomes an afterthought.
The good news: the ecosystem is catching the problems. GitHub is detecting patterns. Anthropic is hardening the models against injection. Tools are getting better at catching mistakes.
The bad news: if you shipped something in the early vibecoding days, audit it now. Roll your secrets. Lock down your infrastructure.
This is how we learn. By shipping fast, finding the problems, and fixing them. The next generation of vibecoded projects will be more secure, informed by all the mistakes this wave of developers made.
Part of the #100DaysToOffload series documenting agentic development in 2026
