
Vibe Coding Has a Security Problem Nobody Wants to Talk About
Andrej Karpathy coined "vibe coding" in February 2025. Stop reading diffs. Accept all changes. Copy-paste error messages. Let the AI handle it. "I just see stuff, say stuff, run stuff, and it mostly works." 4.5 million people watched that tweet. A movement was born.

A year later, we have data on what happens when millions of developers take that advice.

The Numbers Are Bad

Veracode tested over 100 large language models across 80 coding tasks. Result: 45% of AI-generated code contains OWASP Top-10 vulnerabilities. Two years of model improvements haven't moved that number. Models get better at writing code that compiles — not at writing code that's safe.

Java hit a 70% failure rate. Python, C#, and JavaScript ranged from 38% to 45%. Cross-site scripting defenses failed 86% of the time. Log injection, 88%.

A December 2025 paper from the University of Virginia sharpened the picture. Researchers tested coding agents on 200 real-world feature requests — tasks pulled from open-source projects
Continue reading on Dev.to Webdev
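The log-injection figure above refers to a concrete defect class: user input interpolated into a log record so that embedded line breaks forge extra records. As an added example, not from the article or from Veracode's test suite, here is the failing pattern in Python beside two hardened forms (control-character escaping, and structured JSON records); the event name, username and timestamp are constructed sample values.

```python
import json
import re

# Constructed sample input: a username carrying a newline followed by a fake record,
# so that one logging call appears to produce two audit entries.
FORGED_USERNAME = "alice\n2025-03-01T10:00:00Z INFO login ok user=admin"

# Fixed timestamp so the outputs below are deterministic.
TS = "2025-03-01T10:00:00Z"

# ASCII control characters, including CR (0x0d) and LF (0x0a).
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_line_unsafe(event: str, username: str) -> str:
    """The pattern that fails a log-injection check: raw input pasted into the record."""
    return f"{TS} INFO {event} user={username}"


def log_line_safe(event: str, username: str) -> str:
    """Hardened form: escape control characters so the call yields exactly one record."""
    cleaned = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), username)
    return f'{TS} INFO {event} user="{cleaned}"'


def log_record_json(event: str, username: str) -> str:
    """Alternative hardening: one JSON object per line; the encoder escapes the newline."""
    return json.dumps({"ts": TS, "level": "INFO", "event": event, "user": username})


def record_count(log_text: str) -> int:
    """How many records a line-oriented log reader would see in this text."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    print(log_line_unsafe("login", FORGED_USERNAME))   # two records from one call
    print(log_line_safe("login", FORGED_USERNAME))     # one record, newline shown as \x0a
    print(log_record_json("login", FORGED_USERNAME))   # one record, newline shown as \n
```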



