Back in January, I wrote about the vibe coding hangover. The morning-after feeling of shipping fast with AI, then realizing nobody actually understands the codebase anymore, least of all the person who "wrote" it.
I thought that was the scary part.
I was wrong. The scary part is what happens after the hangover, when that half-understood codebase goes to production and someone starts poking at it. Turns out a lot of people are poking at it. And they are finding a lot.
Let's talk about vibe coding security, because right now it is less of a trend and more of a slow-motion car crash that everyone can see coming and nobody wants to be the one to say it out loud. I will say it. Buckle up.
The number that should ruin your week
DryRun Security ran a study where AI coding agents built real applications end to end. Not toy demos, actual working software: an allergy tracker, a few other production style apps. Then they audited the pull requests.
Twenty six out of thirty pull requests had at least one vulnerability. That is 87 percent. Your AI assistant is apparently better at shipping features than it is at not leaving the door unlocked behind it.
And it is not a fluke number. Veracode's GenAI Code Security Report found that 45 percent of AI generated code samples contain at least one OWASP Top 10 vulnerability when nobody reviews it by hand. A live GitHub discussion thread where developers have been swapping war stories all year (still going, still spicy) backs this up with real numbers from real teams: 45 percent of AI generated code shipping with OWASP Top 10 issues, and Java code failing at a brutal 72 percent rate. Java really cannot catch a break.
Here is the part that should actually worry you: this is not slowing down. Researchers tracking CVEs tied directly to AI coding tools found 35 new ones in a single month, March 2026, and they think the real number is five to ten times higher than what gets officially logged. Most of this stuff is quietly living in production right now, not making headlines, just sitting there.
Why your AI keeps doing this
It is not that the model is bad at coding. It is that the model was never asked to think like an attacker. When you prompt "build me a login flow," you get a login flow. You did not ask for rate limiting, you did not ask for proper session invalidation, and you definitely did not ask it to check whether a logged in user actually owns the resource they are requesting. So it does not do those things. It gives you what you asked for, literally, the way a very fast, very confident intern would.
A few patterns show up over and over:
Broken access control. The AI checks if you are logged in. It does not check if you are allowed to see this specific thing. That is the OWASP number one risk for a reason, and vibe coding makes it worse because every prompt produces a slightly different, slightly inconsistent implementation of "who can see what."
Secrets in the open. You paste your Stripe key into a prompt so the model has context. The model dutifully writes that key straight into the code it hands back. You ship it. Now it is sitting in your git history forever, findable, screenshotable, and yours to explain to your CTO. Over 23 million secrets leaked on public GitHub in a single recent year, and AI generated code is a growing chunk of that.
Hallucinated dependencies, also known as slopsquatting. This one is genuinely funny in a horrifying way. The model invents a package name that sounds plausible. It does not exist yet. Someone registers that exact name on npm or PyPI and fills it with malware. Every agent that reads the AI's original suggestion later installs the attacker's package instead. This actually happened with a fake package called react-codeshift, which spread into 237 repositories through AI generated skill files before anyone caught it. Nobody meant for it to happen. That is exactly the problem.
Agent sprawl with no adult supervision. OpenClaw, one of the most popular open source agent frameworks, picked up over 250,000 GitHub stars in about two months. A Snyk audit of nearly 4,000 skills built for it found more than a third had at least one security issue, including dozens of confirmed malicious payloads. Fast adoption plus zero governance is exactly the recipe you would design if you wanted a supply chain attack.
The developers living through this, in their own words
There is a GitHub discussion thread that has quietly become the support group nobody asked to join. Developers trading stories about .env leaks, agents that loop out of control and burn through API credits, and the genuinely hard problem of figuring out who is responsible when three different people and an agent all touched the same file with shared credentials. It reads less like a bug tracker and more like group therapy with syntax highlighting.
The overall vibe, pun fully intended, is: AI is still the biggest productivity jump this industry has had in years. Nobody is going back. But the security tax is real, and most teams are paying it after the fact instead of building it in from the start.
What actually works right now
This is not a "throw your hands up and go back to writing everything by hand" article. Nobody is doing that, and honestly they should not. Here is what teams dealing with this well are actually doing.
Treat the AI like a fast, overconfident junior developer. Not a senior engineer, not an oracle. A junior who writes clean looking code with total confidence and needs every pull request reviewed like it might be wrong, because statistically, it might be.
Scan everything, automatically, every time. Multi engine scanning in your CI pipeline (think Semgrep, Bandit, Gitleaks, Trivy running together) catches a lot of what a rushed human review misses. This is not optional anymore, it is table stakes.
Get secrets out of prompts entirely. Use a real secrets manager with runtime injection. Never paste a live API key into a chat window, even for context. If you have already done this, and be honest, you probably have, rotate that key today.
Pin your dependencies and verify before you install. If an AI suggests a package you have never heard of, look it up before it gets anywhere near your lockfile. Slopsquatting only works because we trust the suggestion by default.
Give agents scoped, ephemeral credentials, not your whole environment. An agent that can do everything is an agent that can break everything, on purpose or otherwise. Least privilege was good advice before AI agents existed and it is even better advice now.
The gap that matters
The tools got faster. The judgment did not automatically get faster with them. That gap, between how quickly we can generate code and how slowly the industry is learning to secure it, is where the next few years of security work are going to happen. It is worth paying attention to now, before it becomes someone's incident report.
Top comments (1)
Thank you for sharing such an excellent post. I really enjoyed reading it.
I’m a Python Full-Stack Engineer with over 10 years of experience designing and building scalable software solutions for clients across a variety of industries. Along the way, I’ve learned that successful projects depend not only on strong technical execution but also on creating real business value.
With my recent contract completed, I’m exploring new opportunities to collaborate with professionals who value innovation, practical problem-solving, and long-term partnerships. I enjoy discussing ideas that combine technical excellence with sound business strategy, creating outcomes that benefit everyone involved.
I believe every connection has the potential to become something meaningful. If you're interested in exchanging ideas, exploring opportunities, or simply connecting with someone who enjoys building impactful technology, I'd be happy to hear from you.
Wishing you success in your future endeavors, and I look forward to connecting.