Lovable, a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages.
“As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly with every scammer’s wishlist,” Guardio Labs’ Nati Tal said in a report shared with The Hacker News. “From pixel-perfect scam pages to live hosting, evasion techniques, and even admin dashboards to track stolen data — Lovable didn’t just participate, it performed. No guardrails, no hesitation.”
The technique has been codenamed VibeScamming – a play on the term vibe coding, which refers to an AI-dependent programming technique to produce software by describing the problem statement in a few sentences as a prompt to a large language model (LLM) tuned for coding.
The abuse of LLMs and AI chatbots for malicious purposes is not a new phenomenon. In recent weeks, research has shown how threat actors are abusing popular tools like OpenAI ChatGPT and Google Gemini to assist with malware development, research, and content creation.
What’s more, LLMs like DeepSeek have also been found susceptible to prompt attacks and jailbreaking techniques like Bad Likert Judge, Crescendo, and Deceptive Delight that allow the models to bypass safety and ethical guardrails and generate other prohibited content. This includes creating phishing emails, keylogger and ransomware samples, albeit with additional prompting and debugging.
In a report published last month, Broadcom-owned Symantec revealed how OpenAI’s Operator, an AI agent that can carry out web-based actions on behalf of the user, could be weaponized to automate the whole process of finding email addresses of specific people, creating PowerShell scripts that can gather system information, stashing them in Google Drive, and drafting and sending phishing emails to those individuals and trick them into executing the script.
The rising popularity of AI tools also means that they could significantly reduce the barriers to entry for attackers, enabling them to harness their coding capabilities to craft functional malware with little-to-no technical expertise of their own
A case in example is a new jailbreaking approach dubbed Immersive World that makes it possible to create an information stealer capable of harvesting credentials and other sensitive data stored in a Google Chrome browser. The technique “uses narrative engineering to bypass LLM security controls” by creating a detailed fictional world and assigning roles with specific rules so as to get around the restricted operations.
Guardio Labs’ latest analysis takes a step further, uncovering that platforms like Lovable and Anthropic Claude, to a lesser extent, could be weaponized to generate complete scam campaigns, complete with SMS text message templates, Twilio-based SMS delivery of the fake links, content obfuscation, defense evasion, and Telegram integration.
VibeScamming begins with a direct prompt asking the AI tool to automate each step of the attack cycle, assessing its initial response, and then adopting a multi-prompt approach to gently steer the LLM model to generate the intended malicious response. Called “level up,” this phase involves enhancing the phishing page, refining delivery methods, and increasing the legitimacy of the scam.
Lovable, per Guardio, has been found to not only produce a convincing looking login page mimicking the real Microsoft sign-in page, but also auto-deploys the page on a URL hosted on its own subdomain (“i.e., *.lovable.app”) and redirects to office[.]com after credential theft.
On top of that, both Claude and Lovable appear to comply with prompts seeking help to avoid the scam pages from being flagged by security solutions, as well as exfiltrate the stolen credentials to external services like Firebase, RequestBin, and JSONBin, or private Telegram channel.
“What’s more alarming is not just the graphical similarity but also the user experience,” Tal said. “It mimics the real thing so well that it’s arguably smoother than the actual Microsoft login flow. This demonstrates the raw power of task-focused AI agents and how, without strict hardening, they can unknowingly become tools for abuse.”
“Not only did it generate the scampage with full credential storage, but it also gifted us a fully functional admin dashboard to review all captured data – credentials, IP addresses, timestamps, and full plaintext passwords.”
In conjunction with the findings, Guardio has also released the first version of what’s called the VibeScamming Benchmark to put the generative AI models through the wringer and test their resilience against potential abuse in phishing workflows. While ChaGPT scored an 8 out of 10, Claude scored 4.3, and Lovable scored 1.8, indicating high exploitability.
“ChatGPT, while arguably the most advanced general-purpose model, also turned out to be the most cautious one,” Tal said. “Claude, by contrast, started with solid pushback but proved easily persuadable. Once prompted with ‘ethical’ or ‘security research’ framing, it offered surprisingly robust guidance.”
