In git we trust: Defending Lovable projects from malicious code attacks at scale
Marcus, Samuel
fwd:cloudsec North America 2026 · Day 1
This talk, delivered by Samuel, a security engineer, and Marcus from Lovable, examines a sophisticated, large-scale malicious code injection campaign targeting users of the Lovable platform. Lovable, which lets over 600,000 customers create more than 58 million full-stack web applications using an AI agent, faced a persistent threat actor that used advanced social engineering and novel technical obfuscation techniques to compromise user projects.
AI review
A genuine incident retrospective with real technical meat: blockchain-based C2, polymorphic JS loaders using seeded Fisher-Yates shuffles to defeat hash detection, and a credible account of hunting 100B lines of code at scale. The speakers are presenting their own work on a real campaign they lived through, and the novel C2 mechanism alone earns serious attention.