Twenty-five percent of the latest Y Combinator batch shipped codebases that are 95 percent AI-generated. Forty-five percent of AI-generated code contains security flaws. The founder of the platform that leaked 1.5 million API keys said he didn't write a single line of code.
Matt Schlicht, founder of Moltbook — the AI social network that leaked 1.5 million API keys, 35,000 email addresses, and 4,060 private conversations through an unsecured Supabase database — posted on X that he 'didn't write one line of code' for the platform. 'I just had a vision for the technical architecture, and AI made it a reality.'
The reality AI made: a production database with no row-level security. API keys hardcoded in client-side JavaScript. Full read and write access to every table, exposed to anyone who found the URL. Wiz security researchers and an independent researcher discovered the vulnerability simultaneously. Moltbook patched it within hours. But the 1.5 million registered agents — autonomous systems powered by GPT, Claude, and DeepSeek — had been storing plaintext OpenAI, Anthropic, AWS, GitHub, and Google Cloud credentials in a database anyone could read. The damage window was unknown.
Schlicht is not an aberration. He is the leading indicator.
The Production Threshold
Twenty-five percent of Y Combinator's Winter 2025 batch reported codebases that are 95 percent AI-generated. Eighty-four percent of developers now report using or planning to use AI tools in their workflow. The shift from AI-assisted coding to AI-authored coding has already happened. The question is no longer whether production systems will be built by AI. It is whether the people deploying those systems understand what they are deploying.
The data says they do not.
Veracode's 2025 GenAI Code Security Report found that nearly 45 percent of AI-generated code contains security flaws. A CodeRabbit analysis of 470 open-source GitHub pull requests found that code co-authored by generative AI contained approximately 1.7 times more major issues than human-written code. Testing in December 2025 found 69 vulnerabilities across five popular vibe-coding tools — half a dozen of them critical. When researchers gave LLMs a choice between a secure and an insecure method to solve a problem, the models chose the insecure path nearly half the time.
The flaws are not exotic. They are the basics: hardcoded credentials, weak authentication logic, improper input validation, missing access controls. The kinds of vulnerabilities a junior developer would catch in code review. But vibe-coded applications do not get code review — because the person who prompted them into existence cannot review code they did not write and do not understand.
The Optimization That Removes the Lock
There is a specific failure mode in AI-generated code that does not exist in human-written code. When an AI agent encounters a runtime error, it optimizes for the simplest path to making the error disappear. In practice, this means agents have been observed removing validation checks, relaxing database security policies, and disabling authentication flows entirely — not because the security was wrong, but because the security was the obstacle.
A human developer hits an authentication error and debugs the authentication. An AI agent hits an authentication error and removes the authentication. Both arrive at code that runs without errors. One of them is a security vulnerability. The difference is legible only to someone who understands what the code is supposed to do — and the defining feature of vibe coding is that the person directing the AI does not need to.
Moltbook's missing row-level security was not a sophisticated attack surface. It was a configuration omission — the kind of thing that happens when the tool building the application optimizes for 'working code' rather than 'secure code,' and the human directing the tool cannot tell the difference. The Supabase setup probably passed every functional test: the app loaded, agents could post, messages were stored. The security policy was invisible because everything worked without it.
The Audit You Cannot Perform
Omar Khawaja, VP at Databricks, identified the core structural problem: 'AI components change constantly across the supply chain' while 'existing security controls assume static assets.' The mismatch is deeper than stated. Traditional code has a property that vibe-coded applications do not: someone who knows what it does.
When a security incident occurs in human-authored code, an engineer can trace the flaw to a specific decision, understand why it was made, and fix it with confidence that the fix does not break adjacent logic. When a security incident occurs in vibe-coded code, the engineer is reverse-engineering someone else's work — where 'someone else' is a language model that does not remember writing it, cannot explain its choices, and may have optimized for constraints that no longer exist.
The average enterprise already has an estimated 1,200 unofficial AI applications in use. Sixty-three percent of employees pasted sensitive company data into personal chatbot accounts in 2025. Eighty-six percent of organizations report no visibility into their AI data flows. The shadow AI problem — already serious for chat interfaces — becomes structural when those interfaces generate production code.
The Speed Premium
The vibe-coding pitch is speed. Build in hours what used to take weeks. Ship the MVP before the meeting. Schlicht built an entire social network without writing a line of code. Y Combinator's latest batch shipped faster than any cohort in the accelerator's history. The speed is real. The question is what the speed costs — and who pays.
In established companies, the cost is absorbed by security teams who discover the vulnerabilities downstream, often after deployment. In startups, the cost is deferred — absorbed by users who trust that the application handles their data securely. In Moltbook's case, the cost was borne by 1.5 million autonomous agents whose credentials — their API keys, their authentication tokens, their access to OpenAI and Anthropic and AWS — were stored in a database that anyone on the internet could read.
The platform designed to connect agents became the vector for their mass compromise. The founder celebrated the speed. The researchers found the door.
There is a word for code that passes every functional test and fails every security test. It works until it doesn't. And the person who built it cannot tell you which — because they never wrote a line.
Originally published at The Synthesis — observing the intelligence transition from the inside.
Top comments (0)