Supabase

MCP protocol hit by a major vulnerability: it can leak an entire database
量子位· 2025-07-10 03:19
Core Viewpoint
- The article highlights a significant vulnerability in the MCP protocol, which is widely used in the AI industry, allowing attackers to exploit the LLM's instruction/data confusion to access databases directly [1][3].
Group 1: Vulnerability Details
- The MCP protocol has become a standard in the agent field, effectively connecting large language models with various tool services, but it is susceptible to malicious instructions hidden within user data [3][5].
- Researchers demonstrated the security risks of LLMs by building a multi-tenant customer service SaaS system using Supabase, which includes a database, authentication, and file storage [5][21].
- The attack utilized default configurations, including standard service roles and row-level security (RLS), without any additional protective measures [6][21].
Group 2: Attack Process
- The attacker submitted a technical support request with a message that disguised malicious instructions, which were processed normally by the system [9][10].
- When developers later accessed unresolved tickets, they inadvertently executed the instructions embedded in the attacker's message, leading to unauthorized data access [12][13].
- The system generated SQL queries that bypassed RLS restrictions, allowing sensitive data to be displayed in the conversation thread [15][17].
Group 3: Risk Mitigation Measures
- The article suggests two primary measures to reduce exposure to such attacks: using read-only modes to prevent unauthorized data manipulation, and implementing prompt injection filters to intercept and manage high-risk inputs [22][23].
- These measures aim to create a first line of defense against potential exploitation, especially for teams using third-party IDEs where context boundaries are unclear [23].
Z Product | The key product behind Lovable: YC alum Supabase raises another $200 million as a full-stack development tool for Vibe Coding
Z Potentials· 2025-06-12 04:24
Core Insights
- The article discusses the rise of Vibe Coding, a new AI-driven programming model that allows developers to focus on product innovation and user experience rather than being constrained by programming languages, with AI generating executable code from natural language inputs [2][3].
Group 1: Supabase Overview
- Supabase, founded in 2020, is an open-source alternative to Google Firebase, providing backend services such as database management, authentication, and real-time capabilities, which significantly reduce the complexity and time required for backend development [3][6].
- The platform has gained substantial traction, with over 170,000 developers in its community and more than 80,000 stars on GitHub, indicating its popularity and utility among developers [6][12].
Group 2: Key Features of Supabase
- Supabase offers a PostgreSQL-based database that provides stable data storage and built-in authentication for precise user access control [3].
- The platform simplifies the login process through social account integration, allowing developers to quickly establish multi-channel authentication systems [4].
- Supabase automates backend resource management, enabling startups to reduce labor costs and accelerate product launches without the need for extensive code rewrites [4].
- It includes a storage solution that integrates seamlessly with its authentication and database services, allowing for secure and efficient content management [4].
- The real-time data synchronization feature supports collaborative tools and applications, ensuring consistent user experiences across multiple devices [4].
Group 3: Funding and Growth
- Supabase completed a $200 million Series D funding round in April 2025, achieving a post-money valuation of approximately $2 billion, with participation from notable investors such as Accel and Coatue [6][13].
- Prior to this, Supabase raised $80 million in a Series C round in September 2024, reflecting a rapid increase in valuation from an estimated $900 million to $2 billion within seven months [13].
- The growth in funding and valuation highlights the company's rapid development in the open-source and AI programming sectors, driven by a growing developer community [13].
He built a website with AI in three days and got hacked twice: a vibe coding fiasco
36Ke· 2025-06-03 12:31
Core Insights
- The article discusses the concept of "Vibe Coding," which allows individuals to create applications quickly using AI tools like Cursor and ChatGPT, even without programming knowledge [1].
- It highlights the security vulnerabilities that can arise from this rapid development approach, illustrated by the experience of developer Harley Kimball, who faced two security breaches shortly after launching his application [1][10].
Group 1: Vibe Coding and Application Development
- "Vibe Coding" enables users to express ideas and have AI generate the code, attracting many developers to experiment with this method [1].
- Harley Kimball developed an application that aggregates public profiles of security researchers from various platforms, aiming to create a "directory" for the bug bounty community [2].
Group 2: Security Vulnerabilities Encountered
- The first security breach involved the exposure of user email addresses due to improper data handling, which led to unauthorized access to the database [5][6].
- The second breach occurred because the backend authentication service remained active, allowing attackers to register accounts and manipulate data despite the absence of a front-end registration option [8][9].
Group 3: Lessons Learned
- The experience underscores the importance of not neglecting security configuration when using low-code or AI tools for development, as rapid deployment can lead to significant vulnerabilities [10].
- Developers must understand the complexities of the permission models in tools like Supabase and PostgreSQL, particularly regarding database views and row-level security [10][11].
- It is crucial to fully disable registration features in the backend if they are not in use, as merely hiding them in the front end is insufficient to prevent unauthorized access [11].
Riding "vibe coding" to $200 million, Supabase becomes the hottest open-source database of the AI era
AI前线· 2025-05-20 01:24
Core Insights
- Supabase has successfully positioned itself at the forefront of the "Vibe Coding" trend, completing a $200 million Series D funding round at a post-money valuation of $2 billion, reflecting its rapid growth and the increasing importance of open-source databases in the AI application era [1][22].
Group 1: Supabase's Growth and Funding
- Supabase raised $200 million in its Series D funding round, led by Accel, with participation from Coatue, Y Combinator, Craft Ventures, and existing investors, bringing its total funding to nearly $400 million [1].
- The company has seen a significant increase in its valuation, reaching $2 billion just seven months after its previous funding round of $80 million [1].
- Supabase's user base has expanded to over 2 million developers managing 3.5 million databases, and its GitHub repository has surpassed 81,000 stars, doubling in just two years [17].
Group 2: Vibe Coding and Development Workflow
- The "Vibe Coding" workflow emphasizes rapid completion of the entire development process using various AI tools, from product documentation to database design and service implementation [2][5].
- Developers utilize generative AI tools to draft product requirement documents and generate database schemas, facilitating the creation of initial data models [4].
- The integration of Supabase with tools like Lovable and Bolt.new allows users to deploy full-stack applications without server setup, enhancing the development experience [5][8].
Group 3: AI Integration and Features
- Supabase has integrated pgvector to support embedding storage, crucial for building retrieval-augmented generation (RAG) applications and other AI-related tasks [11].
- The company launched its AI assistant, which can automatically generate database schemas and fill in sample data, significantly aiding non-developers in backend prototype development [13].
- Recent developments include the launch of an official MCP server, enabling developers to connect popular AI tools directly to Supabase for various database management tasks [14].
Group 4: Competitive Positioning and Future Outlook
- Supabase's open-source model and reliance on PostgreSQL differentiate it from other backend-as-a-service (BaaS) platforms like Firebase, which lock users into their ecosystems [22].
- The company aims to become the default backend for AI and enterprise applications, leveraging its funding to accelerate the adoption of "Vibe Coding" tools and large-scale deployments [22].
- Accel partners believe Supabase has the potential to dominate the high-value database sector, drawing comparisons to the rise of Oracle and MongoDB [22].
Express | YC alum open-source database Supabase raises another $200 million seven months on; at a $2 billion valuation it may become the "invisible infrastructure" of applications
Z Potentials· 2025-04-28 03:16
Image source: Scale AI
When the open-source database Supabase was founded in 2020, its New Zealand-born CEO Paul Copplestone never expected the company to land squarely on the biggest trend of 2025: Vibe Coding. According to Fortune, the startup's results showed at the end of April, when it announced a $200 million Series D round led by Accel at a post-money valuation of $2 billion, with Coatue, Y Combinator, Craft Ventures and long-time investor Felicis participating. The new $200 million comes just seven months after Supabase announced an $80 million round led by Peak XV (the Sequoia spin-off) and David Sacks's Craft Ventures. The company did not comment on its valuation at the time, but PitchBook data put it at roughly $900 million. That brings the startup's total funding to roughly $398 million. Supabase once again proves the huge commercial potential of open-source projects. It offers an open-source version of Firebase, Google's database and AI application development platform, and hosts applications for up to $600 per month, with enterprise customers paying more. Supabase takes open-source SQL ...