[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"kb-article-lovable-vibe-coding-platform-exposes-48-days-of-ai-prompts-multi-tenant-kv-cache-failure-and-how-to-fix-it-en":3,"ArticleBody_xdRtxtWN9H4KBpcl6TNOTs3yCaIZ0QYRpifk3phELw":183},{"article":4,"relatedArticles":152,"locale":62},{"id":5,"title":6,"slug":7,"content":8,"htmlContent":9,"excerpt":10,"category":11,"tags":12,"metaDescription":10,"wordCount":13,"readingTime":14,"publishedAt":15,"sources":16,"sourceCoverage":54,"transparency":56,"seo":59,"language":62,"featuredImage":63,"featuredImageCredit":64,"isFreeGeneration":68,"niche":69,"geoTakeaways":72,"geoFaq":81,"entities":91},"69ea97b44d7939ebf3b76ac6","Lovable Vibe Coding Platform Exposes 48 Days of AI Prompts: Multi‑Tenant KV-Cache Failure and How to Fix It","lovable-vibe-coding-platform-exposes-48-days-of-ai-prompts-multi-tenant-kv-cache-failure-and-how-to-fix-it","## From Product Darling to Incident Report: What Happened\n\n[Lovable Vibe](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLovable_(company)) was a “lovable” AI coding assistant inside IDE-like workflows.  \nIt powered:\n\n- Autocomplete, refactors, code reviews  \n- Chat over entire repositories  \n- All backed by a shared [large language model (LLM)](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model) service\n\nThat meant routine access to:\n\n- Source code and internal libraries  \n- Git credentials and configs  \n- [PII](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPII) pasted into prompts—turning the LLM layer into a high-value attack surface when wired into internal systems.[2][3]\n\nOver 48 days, prompts, partial code, and chat histories were exposed across tenants.[3] This was a class of LLM data leak where sensitive data crosses boundaries during normal use—not a classic hacked database.[3]\n\n⚠️ **Key point:**  \nThis was a *logical isolation failure* in the LLM serving layer. 
A shared performance optimization (multi-tenant KV-cache) bridged tenants—similar to emerging side-channel risks in multi-tenant LLM and [AI agent](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAI_agent) systems.[6][7]\n\nAs enterprises push AI into external apps and agentic workflows (Category 3–4 maturity), these failures become more damaging.[5] Perimeter tools (firewalls, WAFs) do not see prompt-level cross-tenant leakage driven by:\n\n- Non-deterministic model behavior  \n- Shared KV-caches  \n- Internal scheduling logic[5]\n\nBusiness impact:\n\n- Customers feared their proprietary code and prompts were visible to others  \n- Confidence in Lovable Vibe’s isolation and compliance collapsed  \n- Rollouts were paused and migration plans started overnight.[3][4]\n\n💼 **Takeaway for engineering leaders**  \nThe rest of this article explains how multi-tenant KV-cache optimizations leak prompts and how to redesign architecture, code, and MLSecOps to avoid the same trust crisis.\n\n---\n\n## Inside the Blast Radius: Multi-Tenant LLM Serving and KV-Cache Risks\n\nModern LLM serving stacks aggressively optimize cost by sharing a Key-Value (KV) cache across requests. Frameworks like [vLLM](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FVLLM) and [SGLang](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FSGLang):\n\n- Reuse attention KV states for identical token prefixes  \n- Reduce computation and GPU memory  \n- Are standard in high-throughput, multi-tenant setups[7][8]\n\nResearch shows these shared caches are potent side channels. 
Under longest-prefix-match (LPM) scheduling, which prioritizes waiting requests by how much of their prefix is already cached, an attacker can infer other users’ prompts by probing the cache and measuring Time to First Token (TTFT) or response ordering—PromptPeek-style attacks.[6][7]\n\n📊 **PromptPeek-style attack in practice**[6][7][9]\n\nAn attacker can:\n\n- Train a local [LLM](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model) on the target domain to guess next tokens  \n- Send batched queries differing only in the last token, padded with dummy tokens  \n- Observe which query is prioritized (TTFT or position in batch)  \n- Confirm the hit as the victim’s next token and iterate\n\nWith reinforcement-optimized local models, these attacks become efficient enough for real-world prompt reconstruction.[6]\n\nOther work shows KV-cache sharing supports:\n\n- Direct inversion and collision-based reconstruction  \n- Semantic injection and [prompt injection](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPrompt_injection)\n\nThis demonstrates how performance optimizations turn into privacy leaks when not scoped by tenant\u002Fsecurity domain.[8]\n\nA plausible Lovable Vibe root cause: KV-cache entries and scheduling keyed only on token sequences, not `\u003Ctenant, user, session, prefix>`.[6][7] This allows:\n\n- Cross-tenant cache reuse  \n- Latency-based inference of other tenants’ prompts  \n- In extreme cases, mixed prompts and responses\n\nThis illustrates that LLMs create a *distinct* attack surface, where adversaries exploit:\n\n- Model behavior  \n- Intermediate representations (KV states, embeddings)  \n- Shared serving infrastructure—not just OS\u002Fnetwork bugs[2][4]\n\nYet >65% of organizations running ML in production lack ML-specific security strategies, so such flaws reach users undetected.[4] Agentic AI with broad internal access amplifies the 
impact.\n\n⚠️ **Blast radius summary**  \nA globally shared KV-cache without strong isolation lets any tenant with enough traffic and basic latency metrics infer or reconstruct others’ prompts, code, or PII.[3][6][8]\n\n---\n\n## Threat Modeling the Lovable Vibe Incident: Adversaries, Vectors, and Data Types\n\nDefenses require a concrete threat model for multi-tenant coding assistants, not generic “data breach” language.\n\n### Attacker profiles\n\nLikely adversaries:\n\n- **Malicious tenant** seeking competitors’ code or prompts  \n- **Curious insider** with access to logs, metrics, or scheduler internals  \n- **Opportunistic attacker** combining LLM-specific exploits (prompt injection, data poisoning) with standard weaknesses (misconfigured observability, exposed metrics endpoints)[2][4]\n\nOrganizations already report LLM abuse via:\n\n- Prompt injection and data exfiltration  \n- Jailbreaking and malicious code generation  \n- Misuse of plugins\u002Ftools linked to internal APIs and DBs[2][4]\n\n### Attack vectors in this case\n\nKV-cache–related vectors relevant to Lovable Vibe:\n\n- Side channels (PromptPeek-like probing via TTFT and ordering)[6][7][8]  \n- Cross-tenant prompt\u002Fresponse interleaving from mis-scoped caches  \n- Prompt injection where one tenant’s prompt alters shared model state reused in others’ sessions[6][7][8]\n\n💡 **Example**  \nAn engineer at a 30-person SaaS startup noticed autocomplete suggestions containing variable names and function headers from unknown codebases—anecdotal evidence of cross-tenant leakage before formal triage. 
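The side-channel vector in the list above can be made concrete with a small simulation. What follows is an added example written for this article, not code from Lovable, vLLM, SGLang or the PromptPeek authors: two toy prefix caches, one keyed on the token prefix alone and one keyed on the caller's security domain as well, plus a PromptPeek-style probe that uses its own cache hits (standing in for the TTFT or scheduling-order signal a real attacker measures) to recover a victim tenant's prompt token by token. The tenant names, prompt template, victim secret and candidate vocabulary are all constructed for the demo; the domain-scoped keying is the same idea the architecture section below sketches as per-tenant KV namespaces.

```python
"""Prefix-cache isolation demo (added example for this article; not the code of any
serving framework or of the PromptPeek paper). Two toy prefix caches model the design
choice at issue and show, on constructed data, why keying on tokens alone leaks while
keying on (security domain, tokens) does not."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

Tokens = tuple[str, ...]


def prefix_digest(tokens: Tokens) -> str:
    """Fixed-size identifier for a token prefix (a hash, not a security boundary)."""
    return hashlib.sha256("\x1f".join(tokens).encode()).hexdigest()


@dataclass
class PrefixCache:
    """Toy prefix cache. scoped=True keys every entry on the caller's security domain
    as well as the prefix; scoped=False keys on the prefix alone, which is the
    failure mode the article attributes to the incident."""
    scoped: bool
    _entries: set[tuple[str, str]] = field(default_factory=set)

    def _key(self, domain: str, tokens: Tokens) -> tuple[str, str]:
        return (domain if self.scoped else "*", prefix_digest(tokens))

    def serve(self, domain: str, tokens: Tokens) -> bool:
        """Serve one request. Returns whether the whole prompt was already cached (the
        observable a real attacker infers from TTFT or scheduling order), then caches
        every prefix of the prompt, which is how prefix caches populate themselves."""
        hit = self._key(domain, tokens) in self._entries
        for end in range(1, len(tokens) + 1):
            self._entries.add(self._key(domain, tokens[:end]))
        return hit


def reconstruct_prompt(cache: PrefixCache, attacker_domain: str, known_prefix: Tokens,
                       vocabulary: Tokens, max_tokens: int = 32) -> Tokens:
    """PromptPeek-style probe: extend a prefix the attacker already knows (for example a
    shared prompt template) one token at a time, keeping the candidate whose probe hits.
    Each candidate is probed once per position, so the attacker's own misses, which the
    cache also stores, never masquerade as hits. Stops when nothing hits."""
    recovered: Tokens = known_prefix
    for _ in range(max_tokens):
        hits = [tok for tok in vocabulary if cache.serve(attacker_domain, recovered + (tok,))]
        if len(hits) != 1:  # no hit: end of the victim prompt or out-of-vocabulary token
            break
        recovered = recovered + (hits[0],)
    return recovered[len(known_prefix):]


# Constructed demo data: a prompt template both tenants share, a victim prompt tail
# containing a (fake) credential, and the attacker's candidate vocabulary.
TEMPLATE: Tokens = ("You", "are", "a", "coding", "assistant", ".")
VICTIM_TAIL: Tokens = ("AWS_KEY", "=", "AKIA", "EXAMPLE", "1234")
VOCAB: Tokens = ("def", "import", "return", "AWS_KEY", "=", "AKIA", "EXAMPLE", "1234", "password")


def run_probe(scoped: bool) -> Tokens:
    """The victim tenant submits its prompt, then a different tenant probes the cache."""
    cache = PrefixCache(scoped=scoped)
    cache.serve("tenant-victim", TEMPLATE + VICTIM_TAIL)
    return reconstruct_prompt(cache, "tenant-attacker", TEMPLATE, VOCAB)


if __name__ == "__main__":
    print("token-keyed cache, attacker recovers:", run_probe(scoped=False))
    print("domain-scoped cache, attacker recovers:", run_probe(scoped=True))
```

Run it directly to print both outcomes. Against the token-keyed cache the attacker recovers the victim's entire tail from knowledge of only the shared template; against the domain-scoped cache every probe misses and nothing is recovered. The same loop, pointed at a real serving endpoint with TTFT in place of the boolean, is the isolation check the red-team playbook later in the article calls for.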
Similar issues have been seen in public tools like ChatGPT when users paste proprietary or regulated data.[3][4]\n\n### Data at risk in coding assistants\n\nBy design, coding assistants see:\n\n- Source code and proprietary algorithms  \n- API keys and secrets in `.env` and configs  \n- Regulatory or audit docs (Markdown, specs)  \n- PII from logs or debugging examples[3][4]\n\nLLM leakage surfaces not only in outputs but also:\n\n- Logs and caches  \n- Embeddings and analytics stores  \n- Future training data\n\nThis complicates incident response, compliance, and data lifecycle governance.[3][4]\n\n### Tenant isolation as an explicit requirement\n\nLLM\u002Fagent security guidance stresses mapping data flows—from prompts to embeddings, tools, plugins, and caches—and placing controls at each exposure point.[2] In multi-tenant platforms, isolation must cover:\n\n- Datasets and training jobs  \n- Model artifacts and registries  \n- Inference services and KV-caches  \n- Agent memory and conversation stores[4]\n\nWithout a threat model covering KV-cache and prompt leakage, teams rarely deploy:\n\n- Per-tenant KV namespaces  \n- KV obfuscation  \n- Side-channel monitoring\u002Fdetection[2][8]\n\n💼 **Mini-conclusion**  \nLovable Vibe is best understood as a multi-tenant, cache-sharing LLM service. That framing clarifies *who* (tenants, projects, sessions) and *what* (code, secrets, PII, logs) must be protected from KV-cache side channels, model inversion, and privacy leaks.\n\n---\n\n## How to Architect Tenant Isolation: KV-Cache, Scheduling, and Data Paths\n\nFixing Lovable Vibe–style issues means treating KV-cache and scheduling as security-critical, not just performance features.\n\n### 1. 
Per-tenant KV namespaces\n\nScope every KV operation by a composite key:\n\n```text\nKVKey = hash(tenant_id, project_id, session_id, prefix_tokens)\n```\n\nNothing should be shared across mutually untrusted tenants.[6][7][8] For scale, you can scope by “security domain” (e.g., per-VPC) but never globally across customers.\n\n⚡ **Implementation sketch (pseudocode)**\n\n```python\ndef kv_lookup(tenant, project, session, prefix):\n    ns_key = f\"{tenant}:{project}:{session}\"\n    return kv_store.get(ns_key, prefix_hash(prefix))\n\ndef kv_insert(tenant, project, session, prefix, kv_state):\n    ns_key = f\"{tenant}:{project}:{session}\"\n    kv_store.set(ns_key, prefix_hash(prefix), kv_state)\n```\n\n### 2. Global vs per-tenant cache trade-offs\n\n- **Global cache**  \n  - Pros: maximal reuse, throughput  \n  - Cons: broad side-channel and data-mixing surface\n\n- **Per-tenant \u002F per-domain cache**  \n  - Pros: bounded blast radius  \n  - Cons: higher GPU memory use, more fragmentation, tighter eviction policies[7][8]\n\nFor high-security tenants, per-tenant caches are mandatory. Lower-sensitivity workloads may tolerate shared caches within a single security domain.\n\n### 3. KV obfuscation (KV-Cloak)\n\nKV-Cloak-style methods obfuscate KV states with lightweight, reversible matrix transformations before storage, reversing them only inside trusted contexts.[8]\n\n📊 **KV-Cloak-style results**  \nResearch shows these can:\n\n- Reduce reconstruction quality to near-random noise  \n- Preserve model accuracy  \n- Impose minimal performance overhead[8]\n\n### 4. Integrate into an MLSecOps architecture\n\nKV controls must live within a broader MLSecOps framework where:\n\n- Ingestion, training, and artifact storage share security policies  \n- Inference, KV-caches, vector DBs, and agent memories are first-class security assets  \n- RBAC, audit logging, and config management apply uniformly[4]\n\n### 5. Keep sensitive data out of prompts\n\nNo isolation is perfect. 
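A server-side screen of the kind this section calls for, as an added example written for this article rather than the platform's code: it refuses prompts that carry obvious credentials and masks common identifiers before anything reaches the model or its cache, so that a later isolation failure exposes placeholders instead of raw secrets. The rule set and the sample prompts are constructed for the demo (the AWS key is the placeholder value from AWS's own documentation); a production deployment would pair a maintained detector with per-tenant policy.

```python
"""Server-side prompt screening (added example for this article, not the platform's
code). Credentials block the request outright, because redacting after the fact still
leaves the secret in transit logs; identifiers such as e-mail addresses and IPs are often
legitimate debugging context, so they are masked rather than refused."""
from __future__ import annotations

import re
from dataclasses import dataclass

# (rule name, pattern, block): block=True rejects the prompt, block=False redacts in place.
# A constructed starting set, not an exhaustive detector.
RULES: tuple[tuple[str, re.Pattern[str], bool], ...] = (
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), True),
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"), True),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), True),
    ("secret_assignment",
     re.compile(r"(?i)(?:api[_-]?key|secret|passw(?:or)?d|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{12,}"),
     True),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), False),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), False),
)


@dataclass(frozen=True)
class ScreenResult:
    allowed: bool
    prompt: str               # redacted prompt when allowed; the original when blocked
    findings: tuple[str, ...]  # rule names that fired, in rule order


def screen_prompt(prompt: str) -> ScreenResult:
    """Apply every rule; block on any credential hit, otherwise return the redacted text."""
    findings: list[str] = []
    blocked = False
    text = prompt
    for name, pattern, block in RULES:
        if not pattern.search(text):
            continue
        findings.append(name)
        if block:
            blocked = True
        else:
            text = pattern.sub(f"<{name}-redacted>", text)
    if blocked:
        return ScreenResult(False, prompt, tuple(findings))
    return ScreenResult(True, text, tuple(findings))


# Constructed sample prompts. The AWS key is the placeholder value from AWS's own docs.
SAMPLES = {
    "clean": "Fix the failing test in utils.py",
    "aws_key": "Here is my config: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "password": "db_password: supersecretvalue123 -- why does the connection fail?",
    "pii": "Why does mail to alice@example.com from 10.0.0.5 bounce?",
}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        r = screen_prompt(text)
        print(f"{label:9} allowed={r.allowed} findings={r.findings} prompt={r.prompt!r}")
```

The client-side check the next list mentions can reuse the same rules in the IDE plugin, but the server-side pass is the one to trust, since the client is under the user's control.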
Evidence shows employees regularly paste regulated data into LLM tools, risking penalties such as GDPR fines.[3] Combine:\n\n- User education and UI warnings  \n- Client-side checks for obvious secrets  \n- Server-side validation and rejection of high-risk patterns[3]\n\n### 6. Prompt filtering and redaction\n\nPrompt filtering (e.g., PII detection) and output redaction complement KV isolation so that—even if protections fail—exposed data is less likely to include raw secrets or identifiers.[2][3] This supports GDPR and broader AI compliance.\n\n### 7. Treat serving and caching as critical infra\n\nHandle LLM serving and caching like databases\u002Fqueues:\n\n- Strong authz\u002Fauthn  \n- Change-managed configs  \n- Centralized logging and tamper-evident audit trails[4]\n\n💡 **Mini-conclusion**  \nTenant isolation means scoping everything—KV-caches, queues, embeddings, logs—by security domain, then layering obfuscation, filtering, and infra controls to defend against data leaks and misuse.\n\n---\n\n## Red-Teaming and Continuous Testing: Catching Leaks Before Users Do\n\nEven careful designs miss edge cases. 
Automated red-teaming validates your isolation assumptions under adversarial pressure.\n\n### Automated LLM red-teaming\n\nTools like DeepTeam automate LLM red-teaming for >40 vulnerability types (prompt injection, jailbreaks, PII leaks, bias, history leakage) using multiple attack techniques.[1] They:\n\n- Run locally  \n- Use LLMs to generate attacks and evaluate responses  \n- Emit JSON reports that plug into CI\u002FCD for continuous assurance and GDPR-style “72-hour rule” evidence.[1]\n\n⚡ **Minimal red-team harness (illustrative pseudocode; `Audit`, `checks` and `run_report` are placeholders, not DeepTeam’s actual API)**[1]\n\n```python\n# Pseudocode: the names below stand in for whatever entry points your\n# red-teaming tool exposes; consult DeepTeam’s own docs for its real API.\nfrom deepteam import Audit  # placeholder import\n\ndef llm_callback(prompt):\n    # Route each generated attack prompt to the model under test.\n    return my_llm_client.chat(prompt)  # my_llm_client: your own client object\n\naudit = Audit(callback=llm_callback, checks=[\"pii_leak\", \"history_leak\"])\naudit.run_report(\"report.json\")  # JSON report for CI\u002FCD gating\n```\n\nAs orgs move from internal prototypes to public generative AI and agentic workflows, automated security testing becomes mandatory.[5]\n\n### Lifecycle security guidance\n\nLLM and agent security guidance emphasizes:[2][4]\n\n- Mapping attack surfaces (prompts, logs, caches, plugins, tools)  \n- Adding guardrails (filters, policies, constrained tools)  \n- Monitoring interactions at runtime  \n- Defining incident response for LLM-specific behavior and data flows\n\n### A red-team playbook for multi-tenant KV-cache\n\nTo catch Lovable Vibe–style bugs:\n\n- Simulate PromptPeek-like cross-tenant attacks against your serving stack[6][7][8]  \n- Test for history leakage between sessions (unexpected context carryover)  \n- Run latency-based probes (TTFT differentials, ordering) to infer cache hits  \n- Vary tenant\u002Fproject\u002Fsession identifiers to verify namespace isolation\n\nKV-cache privacy and PromptPeek research provide concrete techniques to adapt for internal red-teaming.[6][7][8][9]\n\n📊 **Why this must be continuous**  \nModel behavior and attack methods evolve quickly. 
Red-team tools must track new jailbreaks, injections, and side channels.[1][8][9] Treat red-teaming as:\n\n- A recurring CI\u002FCD step  \n- An input to backlogs, threat models, and user-facing docs\n\n💼 **Mini-conclusion**  \nRegular, automated red-teaming focused on KV-cache and prompt leakage could have caught Lovable Vibe’s 48-day exposure in staging rather than after user reports.\n\n---\n\n## Incident Response, Communication, and Long-Term Governance\n\nWhen tenant isolation fails, technical fixes matter—but so do response and governance.\n\n### Immediate triage for prompt leakage\n\nOn detecting LLM prompt leakage:\n\n- Freeze or re-scope shared KV-caches to strict per-tenant boundaries  \n- Disable implicated optimizations (e.g., LPM)  \n- Rotate secrets\u002Fcredentials that may have appeared in prompts or code  \n- Snapshot logs\u002Fmetrics for forensics while limiting new exposure[3][4]\n\n### Notification and transparency\n\nIf PII or regulated data leaked, you may face breach-style notification duties under GDPR and similar regimes.[2][3]\n\n⚠️ **Communication principles**\n\n- Be precise about timeframe (e.g., 48 days), affected components (KV-cache), and data types at risk  \n- Share concrete remediation plans and timelines  \n- Avoid vague language that implies poor architectural understanding\n\n### Structured root-cause analysis\n\nRCA must span ML and traditional infra:\n\n- KV-cache design and scheduling (namespacing, reuse rules)  \n- Serving framework configs  \n- Observability\u002Flogging exposure  \n- Access controls and ML deployment practices[4][8]\n\nLLM issues like KV sharing or agent behavior typically intersect with logging, identity, and CI\u002FCD; they are not “just model bugs.”[4][8]\n\n### Governance and risk registers\n\nMature AI governance should list:\n\n- LLM data leakage and privacy leaks  \n- Prompt injection and jailbreaking  \n- KV-cache\u002Fembedding side channels  \n- Data poisoning and model drift\n\nEach item 
needs:\n\n- Clear ownership across security, ML, and product  \n- Documented mitigations and escalation paths[2][3]\n\nAs AI becomes more autonomous and mission-critical, the cost of trust failures like cross-tenant leaks grows, making proactive governance a differentiator.[5]\n\n### Rebuilding trust after a Lovable Vibe–style incident\n\nPlatforms in Lovable Vibe’s position should:\n\n- Publish detailed technical postmortems  \n- Share security hardening roadmaps (per-tenant caches, KV-Cloak-style defenses, robust red-teaming)  \n- Commission third-party audits focused on KV-cache leakage, prompt isolation, and data privacy controls[6][7][9]\n\n💡 **Mini-conclusion**  \nZero incidents cannot be guaranteed, but you can show you’ve applied KV-cache research, rebuilt with layered defenses, and established governance so future failures are smaller, shorter, and better contained.\n\n---\n\n## Conclusion: Turn KV-Cache Prompt Leakage into a Bounded Engineering Problem\n\nThe Lovable Vibe incident shows how a single design choice—sharing KV-cache across tenants for efficiency—can quietly break isolation and trigger a platform-wide trust crisis.[6][8]\n\nBy:\n\n- Understanding KV-cache side channels  \n- Modeling LLM-specific threats  \n- Treating serving infrastructure as part of the security perimeter\n\nengineering teams can shrink failure blast radius via:\n\n- Per-tenant or per-domain KV namespaces  \n- Obfuscation mechanisms like KV-Cloak where needed  \n- Prompt\u002Foutput filtering plus strict logging and access controls  \n- Automated red-teaming in CI\u002FCD to catch leaks before users do[1][2][4][8]\n\nIf you run a multi-tenant LLM platform, start by mapping where KV-cache, prompts, and logs cross tenant or security-domain boundaries. 
Then build a minimal red-team harness to probe for KV-cache leakage and prompt bleeding—before attackers or customers find it in production.[1][6][7]\n\n🚨 **Bottom line**  \nDesigning for isolation, testing for leaks, and treating caching as critical infrastructure transforms “mysterious” AI failures into bounded engineering problems that IT\u002FDevOps, data science, and ML teams can systematically detect, mitigate, and govern over time.","\u003Ch2>From Product Darling to Incident Report: What Happened\u003C\u002Fh2>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLovable_(company)\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">Lovable Vibe\u003C\u002Fa> was a “lovable” AI coding assistant inside IDE-like workflows.\u003Cbr>\nIt powered:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Autocomplete, refactors, code reviews\u003C\u002Fli>\n\u003Cli>Chat over entire repositories\u003C\u002Fli>\n\u003Cli>All backed by a shared \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">large language model (LLM)\u003C\u002Fa> service\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>That meant routine access to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Source code and internal libraries\u003C\u002Fli>\n\u003Cli>Git credentials and configs\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPII\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">PII\u003C\u002Fa> pasted into prompts—turning the LLM layer into a high-value attack surface when wired into internal systems.\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Over 48 days, prompts, partial code, and chat histories were exposed across tenants.\u003Ca href=\"#source-3\" 
class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> This was a class of LLM data leak where sensitive data crosses boundaries during normal use—not a classic hacked database.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>⚠️ \u003Cstrong>Key point:\u003C\u002Fstrong>\u003Cbr>\nThis was a \u003Cem>logical isolation failure\u003C\u002Fem> in the LLM serving layer. A shared performance optimization (multi-tenant KV-cache) bridged tenants—similar to emerging side-channel risks in multi-tenant LLM and \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAI_agent\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">AI agent\u003C\u002Fa> systems.\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>As enterprises push AI into external apps and agentic workflows (Category 3–4 maturity), these failures become more damaging.\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa> Perimeter tools (firewalls, WAFs) do not see prompt-level cross-tenant leakage driven by:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Non-deterministic model behavior\u003C\u002Fli>\n\u003Cli>Shared KV-caches\u003C\u002Fli>\n\u003Cli>Internal scheduling logic\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Business impact:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Customers feared their proprietary code and prompts were visible to others\u003C\u002Fli>\n\u003Cli>Confidence in Lovable Vibe’s isolation and compliance collapsed\u003C\u002Fli>\n\u003Cli>Rollouts were paused and migration plans started overnight.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" 
class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💼 \u003Cstrong>Takeaway for engineering leaders\u003C\u002Fstrong>\u003Cbr>\nThe rest of this article explains how multi-tenant KV-cache optimizations leak prompts and how to redesign architecture, code, and MLSecOps to avoid the same trust crisis.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Inside the Blast Radius: Multi-Tenant LLM Serving and KV-Cache Risks\u003C\u002Fh2>\n\u003Cp>Modern LLM serving stacks aggressively optimize cost by sharing a Key-Value (KV) cache across requests. Frameworks like \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FVLLM\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">vLLM\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FSGLang\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">SGLang\u003C\u002Fa>:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Reuse attention KV states for identical token prefixes\u003C\u002Fli>\n\u003Cli>Reduce computation and GPU memory\u003C\u002Fli>\n\u003Cli>Are standard in high-throughput, multi-tenant setups\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Research shows these shared caches are potent side channels. 
Under longest-prefix-match (LPM) scheduling, which prioritizes waiting requests by how much of their prefix is already cached, an attacker can infer other users’ prompts by probing the cache and measuring Time to First Token (TTFT) or response ordering—PromptPeek-style attacks.\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>📊 \u003Cstrong>PromptPeek-style attack in practice\u003C\u002Fstrong>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>An attacker can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Train a local \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">LLM\u003C\u002Fa> on the target domain to guess next tokens\u003C\u002Fli>\n\u003Cli>Send batched queries differing only in the last token, padded with dummy tokens\u003C\u002Fli>\n\u003Cli>Observe which query is prioritized (TTFT or position in batch)\u003C\u002Fli>\n\u003Cli>Confirm the hit as the victim’s next token and iterate\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>With reinforcement-optimized local models, these attacks become efficient enough for real-world prompt reconstruction.\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Other work shows KV-cache sharing 
supports:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Direct inversion and collision-based reconstruction\u003C\u002Fli>\n\u003Cli>Semantic injection and \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPrompt_injection\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">prompt injection\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This demonstrates how performance optimizations turn into privacy leaks when not scoped by tenant\u002Fsecurity domain.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>A plausible Lovable Vibe root cause: KV-cache entries and scheduling keyed only on token sequences, not \u003Ccode>&lt;tenant, user, session, prefix&gt;\u003C\u002Fcode>.\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa> This allows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Cross-tenant cache reuse\u003C\u002Fli>\n\u003Cli>Latency-based inference of other tenants’ prompts\u003C\u002Fli>\n\u003Cli>In extreme cases, mixed prompts and responses\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This illustrates that LLMs create a \u003Cem>distinct\u003C\u002Fem> attack surface, where adversaries exploit:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Model behavior\u003C\u002Fli>\n\u003Cli>Intermediate representations (KV states, embeddings)\u003C\u002Fli>\n\u003Cli>Shared serving infrastructure—not just OS\u002Fnetwork bugs\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Yet &gt;65% of organizations running ML in production lack ML-specific security strategies, so such flaws reach users undetected.\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa> Agentic 
AI with broad internal access amplifies the impact.\u003C\u002Fp>\n\u003Cp>⚠️ \u003Cstrong>Blast radius summary\u003C\u002Fstrong>\u003Cbr>\nA globally shared KV-cache without strong isolation lets any tenant with enough traffic and basic latency metrics infer or reconstruct others’ prompts, code, or PII.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Threat Modeling the Lovable Vibe Incident: Adversaries, Vectors, and Data Types\u003C\u002Fh2>\n\u003Cp>Defenses require a concrete threat model for multi-tenant coding assistants, not generic “data breach” language.\u003C\u002Fp>\n\u003Ch3>Attacker profiles\u003C\u002Fh3>\n\u003Cp>Likely adversaries:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Malicious tenant\u003C\u002Fstrong> seeking competitors’ code or prompts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Curious insider\u003C\u002Fstrong> with access to logs, metrics, or scheduler internals\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Opportunistic attacker\u003C\u002Fstrong> combining LLM-specific exploits (prompt injection, data poisoning) with standard weaknesses (misconfigured observability, exposed metrics endpoints)\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Organizations already report LLM abuse via:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Prompt injection and data exfiltration\u003C\u002Fli>\n\u003Cli>Jailbreaking and malicious code generation\u003C\u002Fli>\n\u003Cli>Misuse of plugins\u002Ftools linked to internal APIs and DBs\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source 
[2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Attack vectors in this case\u003C\u002Fh3>\n\u003Cp>KV-cache–related vectors relevant to Lovable Vibe:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Side channels (PromptPeek-like probing via TTFT and ordering)\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Cross-tenant prompt\u002Fresponse interleaving from mis-scoped caches\u003C\u002Fli>\n\u003Cli>Prompt injection where one tenant’s prompt alters shared model state reused in others’ sessions\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💡 \u003Cstrong>Example\u003C\u002Fstrong>\u003Cbr>\nAn engineer at a 30-person SaaS startup noticed autocomplete suggestions containing variable names and function headers from unknown codebases—anecdotal evidence of cross-tenant leakage before formal triage. 
Similar issues have been seen in public tools like ChatGPT when users paste proprietary or regulated data.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Data at risk in coding assistants\u003C\u002Fh3>\n\u003Cp>By design, coding assistants see:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Source code and proprietary algorithms\u003C\u002Fli>\n\u003Cli>API keys and secrets in \u003Ccode>.env\u003C\u002Fcode> and configs\u003C\u002Fli>\n\u003Cli>Regulatory or audit docs (Markdown, specs)\u003C\u002Fli>\n\u003Cli>PII from logs or debugging examples\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>LLM leakage surfaces not only in outputs but also:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Logs and caches\u003C\u002Fli>\n\u003Cli>Embeddings and analytics stores\u003C\u002Fli>\n\u003Cli>Future training data\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This complicates incident response, compliance, and data lifecycle governance.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Tenant isolation as an explicit requirement\u003C\u002Fh3>\n\u003Cp>LLM\u002Fagent security guidance stresses mapping data flows—from prompts to embeddings, tools, plugins, and caches—and placing controls at each exposure point.\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa> In multi-tenant platforms, isolation must cover:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Datasets and training jobs\u003C\u002Fli>\n\u003Cli>Model artifacts and registries\u003C\u002Fli>\n\u003Cli>Inference 
services and KV-caches\u003C\u002Fli>\n\u003Cli>Agent memory and conversation stores\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Without a threat model covering KV-cache and prompt leakage, teams rarely deploy:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Per-tenant KV namespaces\u003C\u002Fli>\n\u003Cli>KV obfuscation\u003C\u002Fli>\n\u003Cli>Side-channel monitoring\u002Fdetection\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💼 \u003Cstrong>Mini-conclusion\u003C\u002Fstrong>\u003Cbr>\nLovable Vibe is best understood as a multi-tenant, cache-sharing LLM service. That framing clarifies \u003Cem>who\u003C\u002Fem> (tenants, projects, sessions) and \u003Cem>what\u003C\u002Fem> (code, secrets, PII, logs) must be protected from KV-cache side channels, model inversion, and privacy leaks.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>How to Architect Tenant Isolation: KV-Cache, Scheduling, and Data Paths\u003C\u002Fh2>\n\u003Cp>Fixing Lovable Vibe–style issues means treating KV-cache and scheduling as security-critical, not just performance features.\u003C\u002Fp>\n\u003Ch3>1. 
Per-tenant KV namespaces\u003C\u002Fh3>\n\u003Cp>Scope every KV operation by a composite key:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-text\">KVKey = hash(tenant_id, project_id, session_id, prefix_tokens)\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Nothing should be shared across mutually untrusted tenants.\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa> For scale, you can scope by “security domain” (e.g., per-VPC) but never globally across customers.\u003C\u002Fp>\n\u003Cp>⚡ \u003Cstrong>Implementation sketch (Python)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-python\">import hashlib\nfrom collections import defaultdict\nkv_store = defaultdict(dict)  # in-memory stand-in: namespace to {prefix hash: KV state}\n\ndef prefix_hash(prefix):\n    return hashlib.sha256(\" \".join(map(str, prefix)).encode()).hexdigest()\n\ndef kv_lookup(tenant, project, session, prefix):\n    ns_key = f\"{tenant}:{project}:{session}\"  # tenant-scoped namespace, never shared across tenants\n    return kv_store[ns_key].get(prefix_hash(prefix))\n\ndef kv_insert(tenant, project, session, prefix, kv_state):\n    ns_key = f\"{tenant}:{project}:{session}\"\n    kv_store[ns_key][prefix_hash(prefix)] = kv_state\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>2. 
Global vs per-tenant cache trade-offs\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Cstrong>Global cache\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Pros: maximal reuse, throughput\u003C\u002Fli>\n\u003Cli>Cons: broad side-channel and data-mixing surface\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Per-tenant \u002F per-domain cache\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Pros: bounded blast radius\u003C\u002Fli>\n\u003Cli>Cons: higher GPU memory use, more fragmentation, tighter eviction policies\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For high-security tenants, per-tenant caches are mandatory. Lower-sensitivity workloads may tolerate shared caches within a single security domain.\u003C\u002Fp>\n\u003Ch3>3. KV obfuscation (KV-Cloak)\u003C\u002Fh3>\n\u003Cp>KV-Cloak-style methods obfuscate KV states with lightweight, reversible matrix transformations before storage, reversing them only inside trusted contexts.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>📊 \u003Cstrong>KV-Cloak-style results\u003C\u002Fstrong>\u003Cbr>\nResearch shows these can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Reduce reconstruction quality to near-random noise\u003C\u002Fli>\n\u003Cli>Preserve model accuracy\u003C\u002Fli>\n\u003Cli>Impose minimal performance overhead\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>4. 
Integrate into an MLSecOps architecture\u003C\u002Fh3>\n\u003Cp>KV controls must live within a broader MLSecOps framework where:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Ingestion, training, and artifact storage share security policies\u003C\u002Fli>\n\u003Cli>Inference, KV-caches, vector DBs, and agent memories are first-class security assets\u003C\u002Fli>\n\u003Cli>RBAC, audit logging, and config management apply uniformly\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>5. Keep sensitive data out of prompts\u003C\u002Fh3>\n\u003Cp>No isolation is perfect. Evidence shows employees regularly paste regulated data into LLM tools, risking penalties such as GDPR fines.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> Combine:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>User education and UI warnings\u003C\u002Fli>\n\u003Cli>Client-side checks for obvious secrets\u003C\u002Fli>\n\u003Cli>Server-side validation and rejection of high-risk patterns\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>6. Prompt filtering and redaction\u003C\u002Fh3>\n\u003Cp>Prompt filtering (e.g., PII detection) and output redaction complement KV isolation so that—even if protections fail—exposed data is less likely to include raw secrets or identifiers.\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> This supports GDPR and broader AI compliance.\u003C\u002Fp>\n\u003Ch3>7. 
Treat serving and caching as critical infra\u003C\u002Fh3>\n\u003Cp>Handle LLM serving and caching like databases\u002Fqueues:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Strong authz\u002Fauthn\u003C\u002Fli>\n\u003Cli>Change-managed configs\u003C\u002Fli>\n\u003Cli>Centralized logging and tamper-evident audit trails\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💡 \u003Cstrong>Mini-conclusion\u003C\u002Fstrong>\u003Cbr>\nTenant isolation means scoping everything—KV-caches, queues, embeddings, logs—by security domain, then layering obfuscation, filtering, and infra controls to defend against data leaks and misuse.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Red-Teaming and Continuous Testing: Catching Leaks Before Users Do\u003C\u002Fh2>\n\u003Cp>Even careful designs miss edge cases. Automated red-teaming validates your isolation assumptions under adversarial pressure.\u003C\u002Fp>\n\u003Ch3>Automated LLM red-teaming\u003C\u002Fh3>\n\u003Cp>Tools like DeepTeam automate LLM red-teaming for &gt;40 vulnerability types (prompt injection, jailbreaks, PII leaks, bias, history leakage) using multiple attack techniques.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa> They:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Run locally\u003C\u002Fli>\n\u003Cli>Use LLMs to generate attacks and evaluate responses\u003C\u002Fli>\n\u003Cli>Emit JSON reports that plug into CI\u002FCD for continuous assurance and GDPR-style “72-hour rule” evidence.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>⚡ \u003Cstrong>Minimal DeepTeam harness (conceptual)\u003C\u002Fstrong>\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-python\">from deepteam import Audit\n\ndef llm_callback(prompt):\n    return 
my_llm_client.chat(prompt)\n\naudit = Audit(callback=llm_callback, checks=[\"pii_leak\", \"history_leak\"])\naudit.run_report(\"report.json\")\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>As orgs move from internal prototypes to public generative AI and agentic workflows, automated security testing becomes mandatory.\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Lifecycle security guidance\u003C\u002Fh3>\n\u003Cp>LLM and agent security guidance emphasizes:\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Mapping attack surfaces (prompts, logs, caches, plugins, tools)\u003C\u002Fli>\n\u003Cli>Adding guardrails (filters, policies, constrained tools)\u003C\u002Fli>\n\u003Cli>Monitoring interactions at runtime\u003C\u002Fli>\n\u003Cli>Defining incident response for LLM-specific behavior and data flows\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>A red-team playbook for multi-tenant KV-cache\u003C\u002Fh3>\n\u003Cp>To catch Lovable Vibe–style bugs:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Simulate PromptPeek-like cross-tenant attacks against your serving stack\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Test for history leakage between sessions (unexpected context carryover)\u003C\u002Fli>\n\u003Cli>Run latency-based probes (TTFT differentials, ordering) to infer cache hits\u003C\u002Fli>\n\u003Cli>Vary tenant\u002Fproject\u002Fsession identifiers to verify namespace isolation\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>KV-cache privacy and PromptPeek research provide concrete 
techniques to adapt for internal red-teaming.\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>📊 \u003Cstrong>Why this must be continuous\u003C\u002Fstrong>\u003Cbr>\nModel behavior and attack methods evolve quickly. Red-team tools must track new jailbreaks, injections, and side channels.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa> Treat red-teaming as:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A recurring CI\u002FCD step\u003C\u002Fli>\n\u003Cli>An input to backlogs, threat models, and user-facing docs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💼 \u003Cstrong>Mini-conclusion\u003C\u002Fstrong>\u003Cbr>\nRegular, automated red-teaming focused on KV-cache and prompt leakage could have caught Lovable Vibe’s 48-day exposure in staging rather than after user reports.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Incident Response, Communication, and Long-Term Governance\u003C\u002Fh2>\n\u003Cp>When tenant isolation fails, technical fixes matter—but so do response and governance.\u003C\u002Fp>\n\u003Ch3>Immediate triage for prompt leakage\u003C\u002Fh3>\n\u003Cp>On detecting LLM prompt leakage:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Freeze or re-scope shared KV-caches to strict per-tenant boundaries\u003C\u002Fli>\n\u003Cli>Disable implicated optimizations (e.g., LPM)\u003C\u002Fli>\n\u003Cli>Rotate secrets\u002Fcredentials that may have appeared in prompts or code\u003C\u002Fli>\n\u003Cli>Snapshot logs\u002Fmetrics 
for forensics while limiting new exposure\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Notification and transparency\u003C\u002Fh3>\n\u003Cp>If PII or regulated data leaked, you may face breach-style notification duties under GDPR and similar regimes.\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>⚠️ \u003Cstrong>Communication principles\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Be precise about timeframe (e.g., 48 days), affected components (KV-cache), and data types at risk\u003C\u002Fli>\n\u003Cli>Share concrete remediation plans and timelines\u003C\u002Fli>\n\u003Cli>Avoid vague language that implies poor architectural understanding\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Structured root-cause analysis\u003C\u002Fh3>\n\u003Cp>RCA must span ML and traditional infra:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>KV-cache design and scheduling (namespacing, reuse rules)\u003C\u002Fli>\n\u003Cli>Serving framework configs\u003C\u002Fli>\n\u003Cli>Observability\u002Flogging exposure\u003C\u002Fli>\n\u003Cli>Access controls and ML deployment practices\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>LLM issues like KV sharing or agent behavior typically intersect with logging, identity, and CI\u002FCD; they are not “just model bugs.”\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source 
[8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Governance and risk registers\u003C\u002Fh3>\n\u003Cp>Mature AI governance should list:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>LLM data leakage and privacy leaks\u003C\u002Fli>\n\u003Cli>Prompt injection and jailbreaking\u003C\u002Fli>\n\u003Cli>KV-cache\u002Fembedding side channels\u003C\u002Fli>\n\u003Cli>Data poisoning and model drift\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Each item needs:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Clear ownership across security, ML, and product\u003C\u002Fli>\n\u003Cli>Documented mitigations and escalation paths\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>As AI becomes more autonomous and mission-critical, the cost of trust failures like cross-tenant leaks grows, making proactive governance a differentiator.\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Rebuilding trust after a Lovable Vibe–style incident\u003C\u002Fh3>\n\u003Cp>Platforms in Lovable Vibe’s position should:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Publish detailed technical postmortems\u003C\u002Fli>\n\u003Cli>Share security hardening roadmaps (per-tenant caches, KV-Cloak-style defenses, robust red-teaming)\u003C\u002Fli>\n\u003Cli>Commission third-party audits focused on KV-cache leakage, prompt isolation, and data privacy controls\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>💡 \u003Cstrong>Mini-conclusion\u003C\u002Fstrong>\u003Cbr>\nZero incidents cannot be guaranteed, but you can show you’ve applied 
KV-cache research, rebuilt with layered defenses, and established governance so future failures are smaller, shorter, and better contained.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Conclusion: Turn KV-Cache Prompt Leakage into a Bounded Engineering Problem\u003C\u002Fh2>\n\u003Cp>The Lovable Vibe incident shows how a single design choice—sharing KV-cache across tenants for efficiency—can quietly break isolation and trigger a platform-wide trust crisis.\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>By:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Understanding KV-cache side channels\u003C\u002Fli>\n\u003Cli>Modeling LLM-specific threats\u003C\u002Fli>\n\u003Cli>Treating serving infrastructure as part of the security perimeter\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>engineering teams can shrink failure blast radius via:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Per-tenant or per-domain KV namespaces\u003C\u002Fli>\n\u003Cli>Obfuscation mechanisms like KV-Cloak where needed\u003C\u002Fli>\n\u003Cli>Prompt\u002Foutput filtering plus strict logging and access controls\u003C\u002Fli>\n\u003Cli>Automated red-teaming in CI\u002FCD to catch leaks before users do\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>If you run a multi-tenant LLM platform, start by mapping where KV-cache, prompts, and logs cross tenant or security-domain boundaries. 
Then build a minimal red-team harness to probe for KV-cache leakage and prompt bleeding—before attackers or customers find it in production.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>🚨 \u003Cstrong>Bottom line\u003C\u002Fstrong>\u003Cbr>\nDesigning for isolation, testing for leaks, and treating caching as critical infrastructure transforms “mysterious” AI failures into bounded engineering problems that IT\u002FDevOps, data science, and ML teams can systematically detect, mitigate, and govern over time.\u003C\u002Fp>\n","From Product Darling to Incident Report: What Happened\n\nLovable Vibe was a “lovable” AI coding assistant inside IDE-like workflows.  \nIt powered:\n\n- Autocomplete, refactors, code reviews  \n- Chat over...","hallucinations",[],2126,11,"2026-04-23T22:12:17.628Z",[17,22,26,30,34,38,42,46,50],{"title":18,"url":19,"summary":20,"type":21},"DeepTeam - A red teaming framework for securing your LLMs","https:\u002F\u002Fkorben.info\u002Fdeepteam-framework-red-teaming-llm-securite-ia.html","DeepTeam is an open-source framework that automates LLM red teaming: it tests 40+ vulnerabilities (injection, jailbreaking, bias, PII leaks) with 10+ attack techniques, locally, without ...","kb",{"title":23,"url":24,"summary":25,"type":21},"Security of LLMs and - Practical Cybersecurity Guide","https:\u002F\u002Fayinedjimi-consultants.fr\u002Farticles\u002Fsecurite-llm-agents-guide-pratique","Language models (LLMs) and their agents constitute a new attack surface. 
They can be hijacked through prompt injection, data leakage.\n\nExecutive summary\nLanguage models (LLMs) and...",{"title":27,"url":28,"summary":29,"type":21},"LLM Data Leakage: Preventing AI Security Exposure","https:\u002F\u002Fwww.mimecast.com\u002Ffr\u002Fcontent\u002Fllm-data-leakage-prevention\u002F","LLM data leakage has emerged as one of the defining risks of the generative AI era. As organizations integrate AI tools into daily workflows, the...",{"title":31,"url":32,"summary":33,"type":21},"Securing an MLOps Pipeline: Best Practices and 2026","https:\u002F\u002Fayinedjimi-consultants.fr\u002Fstatic\u002Fpdf\u002Fia-securiser-pipeline-mlops.pdf","Category: Artificial Intelligence Reading time: 24 min Published on: 13\u002F02\u002F2026 Author: Ayi NEDJIMI \n\nComplete guide to securing MLOps pipelines: threats to training data, ...",{"title":35,"url":36,"summary":37,"type":21},"A firewall is not enough to protect a conversation: how AI red-teaming became indispensable","https:\u002F\u002Fwww.f5.com\u002Ffr_fr\u002Fcompany\u002Fblog\u002Fhow-ai-red-teaming-became-mission-critical","The explosion in AI use since 2020 is unprecedented. In terms of adoption, AI is advancing faster than cloud, faster than mobile, and certainly faster than the Internet ever ...",{"title":39,"url":40,"summary":41,"type":21},"Efficient KV-Cache Prompt Leakage","https:\u002F\u002Fwww.promptfoo.dev\u002Flm-security-db\u002Fvuln\u002Fefficient-kv-cache-prompt-leakage-2d909463","Description: A vulnerability in multi-tenant LLM serving frameworks allows attackers to reconstruct the private prompts of other users via an active Key-Value (KV) cache side-channel. 
Frameworks that ...",{"title":43,"url":44,"summary":45,"type":21},"I Know What You Asked: Prompt Leakage via KV-Cache Sharing in Multi-Tenant LLM Serving","https:\u002F\u002Fwww.ndss-symposium.org\u002Fwp-content\u002Fuploads\u002F2025-1772-paper.pdf","Guanlong Wu \n\nSUSTech santiscowgl@gmail.com \n\nZheng Zhang \n\nByteDance Inc. 2hang2heng@buaa.edu.cn \n\nYao Zhang \n\nByteDance Inc. zhangyao.crypto@bytedance.com \n\nWeili Wang \n\nSUSTech 12032870@mail.sustec...",{"title":47,"url":48,"summary":49,"type":21},"Shadow in the Cache: Unveiling and Mitigating Privacy Risks of KV-cache in LLM Inference","https:\u002F\u002Fwww.ndss-symposium.org\u002Fwp-content\u002Fuploads\u002F2026-f258-paper.pdf","Zhifan Luo 1, Shuo Shao 1, Su Zhang 2, Lijing Zhou 2, Yuke Hu 1,* , Chenxu Zhao 1, Zhihao Liu 1, Zhan Qin 1,3,* \n\n1 State Key Laboratory of Blockchain and Data Security, Zhejiang University\n2 Huawei T...",{"title":51,"url":52,"summary":53,"type":21},"NDSS 2025 - I Know What You Asked: Prompt Leakage via KV-Cache Sharing in Multi-Tenant LLM Serving","https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=4TXYdFv8NdQ","NDSS 2025 - I Know What You Asked: Prompt Leakage via KV-Cache Sharing in Multi-Tenant LLM Serving\n\nNDSS Symposium 311 views 10 months ago\n\nNDSS 2025 - I Know What You Asked: Prompt Leakage via KV-Cac...",{"totalSources":55},9,{"generationDuration":57,"kbQueriesCount":55,"confidenceScore":58,"sourcesCount":55},304469,100,{"metaTitle":60,"metaDescription":61},"Lovable Vibe: Fix Multi-Tenant KV-Cache Leaks Fast","48-day cross-tenant AI prompt leak revealed Lovable Vibe KV-cache isolation failure risking code and PII — read to get the concise 3-step fix 
now.","en","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1771942202908-6ce86ef73701?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxsb3ZhYmxlJTIwdmliZSUyMGNvZGluZyUyMHBsYXRmb3JtfGVufDF8MHx8fDE3NzY5OTk3MTB8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60",{"photographerName":65,"photographerUrl":66,"unsplashUrl":67},"Bharath Kumar","https:\u002F\u002Funsplash.com\u002F@bharath9110?utm_source=coreprose&utm_medium=referral","https:\u002F\u002Funsplash.com\u002Fphotos\u002Ftabs-labeled-vibe-coding-with-code-on-bottom-8IoNCI3K0AQ?utm_source=coreprose&utm_medium=referral",false,{"key":70,"name":71,"nameEn":71},"ai-engineering","AI Engineering & LLM Ops",[73,75,77,79],{"text":74},"The Lovable Vibe incident exposed prompts, partial code, and chat histories across tenants for 48 days due to a shared multi-tenant KV-cache that lacked tenant-scoped keys.",{"text":76},"PromptPeek-style attacks exploiting TTFT and batch ordering can reconstruct victim prompts by probing shared KV state; these techniques are effective enough to recover meaningful secrets and code snippets in practice.",{"text":78},"Per-tenant KV namespaces, KV obfuscation (e.g., KV-Cloak), and strict scheduling keyed by \u003Ctenant, project, session, prefix> are mandatory mitigations; global shared caches are unacceptable for security-sensitive customers.",{"text":80},"More than 65% of organizations running ML in production lack ML-specific security strategies, so automated red-teaming, MLSecOps controls, and continuous CI\u002FCD testing must become standard to avoid multi-tenant trust failures.",[82,85,88],{"question":83,"answer":84},"What exactly caused the 48-day exposure?","The exposure was caused by a logical isolation failure in the LLM serving layer where a performance optimization—an unscoped, globally shared KV-cache combined with scheduler behaviors like Longest Prefix Match—allowed KV states from one tenant to be reused for others. 
In practice, the cache was keyed only on token prefixes rather than a composite key that included tenant_id, project_id, and session_id, which enabled cross-tenant reuse and latency- or ordering-based inference (e.g., TTFT differentials) to reconstruct prompts; this is a distinct class of flaw that stems from model intermediate state reuse and scheduler design rather than a traditional database breach, and it allowed attackers to infer or directly recover sensitive code, PII, and credentials over an extended window before detection.",{"question":86,"answer":87},"How should engineering teams mitigate KV-cache side channels now?","The primary fix is to treat KV-caches as security-critical infrastructure and scope every cache entry by a composite namespace—hash(tenant_id, project_id, session_id, prefix_tokens)—so no KV-state is shared across mutually untrusted tenants; secondary mitigations include per-domain cache partitioning for high-sensitivity tenants, reversible KV obfuscation (KV-Cloak) to degrade reconstruction quality, and disabling risky scheduling optimizations like global Longest Prefix Match when tenant isolation cannot be guaranteed. 
Teams must also layer prompt filtering\u002Fredaction, client- and server-side secret detection, RBAC and tamper-evident audit trails around serving components, and continuous automated red-teaming (including PromptPeek-style probes) integrated into CI\u002FCD to detect residual side channels before they reach production.",{"question":89,"answer":90},"What should incident response and governance look like after a cross-tenant prompt leak?","Immediate incident response must freeze or re-scope shared caches to strict per-tenant boundaries, disable implicated optimizations, rotate potentially exposed secrets, and snapshot logs\u002Fmetrics for forensics while minimizing further exposure; communication should be precise about duration (e.g., 48 days), affected components (KV-cache), and data types at risk, with clear remediation timelines. Longer-term governance requires updating threat models to include KV-cache and embedding side channels, adding MLSecOps ownership for serving\u002Fcaching layers, mandating per-tenant namespaces and obfuscation controls, integrating automated LLM red-team tests into CI\u002FCD, and documenting incident playbooks and audit trails so that future leaks are smaller, faster to detect, and better contained.",[92,98,102,107,112,117,121,125,129,133,136,140,143,146,149],{"id":93,"name":94,"type":95,"confidence":96,"wikipediaUrl":97},"69d08f194eea09eba3dfd055","prompt injection","concept",0.95,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPrompt_injection",{"id":99,"name":100,"type":95,"confidence":96,"wikipediaUrl":101},"69ea9979e1ca17caac37322e","PII","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPII",{"id":103,"name":104,"type":95,"confidence":105,"wikipediaUrl":106},"69ea9978e1ca17caac373227","Longest Prefix Match",0.85,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLongest_prefix_match",{"id":108,"name":109,"type":95,"confidence":110,"wikipediaUrl":111},"69ea9978e1ca17caac373225","PromptPeek-style 
attack",0.93,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAftermath_of_the_September_11_attacks",{"id":113,"name":114,"type":95,"confidence":115,"wikipediaUrl":116},"69ea9978e1ca17caac373226","TTFT",0.88,null,{"id":118,"name":119,"type":95,"confidence":120,"wikipediaUrl":116},"69ea9977e1ca17caac373222","LLM",0.96,{"id":122,"name":123,"type":95,"confidence":124,"wikipediaUrl":116},"69ea9978e1ca17caac373228","model inversion",0.9,{"id":126,"name":127,"type":95,"confidence":128,"wikipediaUrl":116},"69ea997ae1ca17caac373231","per-tenant KV namespaces",0.94,{"id":130,"name":131,"type":95,"confidence":132,"wikipediaUrl":116},"69ea9977e1ca17caac373221","multi-tenant KV-cache",0.98,{"id":134,"name":135,"type":95,"confidence":124,"wikipediaUrl":116},"69ea997ae1ca17caac373230","embeddings",{"id":137,"name":138,"type":139,"confidence":124,"wikipediaUrl":116},"69ea9979e1ca17caac373229","tenants","other",{"id":141,"name":142,"type":139,"confidence":124,"wikipediaUrl":116},"69ea9979e1ca17caac37322a","malicious tenant",{"id":144,"name":145,"type":139,"confidence":124,"wikipediaUrl":116},"69ea9979e1ca17caac37322b","curious insider",{"id":147,"name":148,"type":139,"confidence":96,"wikipediaUrl":116},"69ea997ae1ca17caac37322f","API keys and secrets",{"id":150,"name":151,"type":139,"confidence":115,"wikipediaUrl":116},"69ea9979e1ca17caac37322c","opportunistic attacker",[153,161,168,175],{"id":154,"title":155,"slug":156,"excerpt":157,"category":158,"featuredImage":159,"publishedAt":160},"69ec35c9e96ba002c5b857b0","Anthropic Claude Code npm Source Map Leak: When Packaging Turns into a Security Incident","anthropic-claude-code-npm-source-map-leak-when-packaging-turns-into-a-security-incident","When an AI coding tool’s minified JavaScript quietly ships its full TypeScript via npm source maps, it is not just leaking “how the product works.”  \n\nIt can expose:\n\n- Model orchestration logic  \n- 
A...","security","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1770278856325-e313d121ea16?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxNnx8Y3liZXJzZWN1cml0eSUyMHRlY2hub2xvZ3l8ZW58MXwwfHx8MTc3NzA4ODMyMXww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-04-25T03:38:40.358Z",{"id":162,"title":163,"slug":164,"excerpt":165,"category":11,"featuredImage":166,"publishedAt":167},"69ea7a6f29f0ff272d10c43b","Anthropic Mythos AI: Inside the ‘Too Dangerous’ Cybersecurity Model and What Engineers Must Do Next","anthropic-mythos-ai-inside-the-too-dangerous-cybersecurity-model-and-what-engineers-must-do-next","Anthropic’s Mythos is the first mainstream large language model whose creators publicly argued it was “too dangerous” to release, after internal tests showed it could autonomously surface thousands of...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1728547874364-d5a7b7927c5b?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhbnRocm9waWMlMjBteXRob3MlMjBpbnNpZGUlMjB0b298ZW58MXwwfHx8MTc3Njk3NjU3Nnww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-04-23T20:09:25.832Z",{"id":169,"title":170,"slug":171,"excerpt":172,"category":158,"featuredImage":173,"publishedAt":174},"69e7765e022f77d5bbacf5ad","Vercel Breached via Context AI OAuth Supply Chain Attack: A Post‑Mortem for AI Engineering Teams","vercel-breached-via-context-ai-oauth-supply-chain-attack-a-post-mortem-for-ai-engineering-teams","An over‑privileged Context AI OAuth app quietly siphons Vercel environment variables, exposing customer credentials through a compromised AI integration. 
This is a realistic convergence of AI supply c...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1564756296543-d61bebcd226a?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHx2ZXJjZWwlMjBicmVhY2hlZCUyMHZpYSUyMGNvbnRleHR8ZW58MXwwfHx8MTc3Njc3NzI1OHww&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-04-21T13:14:17.729Z",{"id":176,"title":177,"slug":178,"excerpt":179,"category":180,"featuredImage":181,"publishedAt":182},"69e75467022f77d5bbacef57","AI in Art Galleries: How Machine Intelligence Is Rewriting Curation, Audiences, and the Art Market","ai-in-art-galleries-how-machine-intelligence-is-rewriting-curation-audiences-and-the-art-market","Artificial intelligence has shifted from spectacle to infrastructure in galleries—powering recommendations, captions, forecasting, and experimental pricing.[1][4]  \n\nFor technical teams and leadership...","safety","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1712084829562-ad19a4ed5702?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhcnQlMjBnYWxsZXJpZXMlMjBtYWNoaW5lJTIwaW50ZWxsaWdlbmNlfGVufDF8MHx8fDE3NzY3NjgzOTR8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-04-21T10:46:33.702Z",["Island",184],{"key":185,"params":186,"result":188},"ArticleBody_xdRtxtWN9H4KBpcl6TNOTs3yCaIZ0QYRpifk3phELw",{"props":187},"{\"articleId\":\"69ea97b44d7939ebf3b76ac6\",\"linkColor\":\"red\"}",{"head":189},{}]