TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
 
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
 
Cloud Native Ecosystem Containers Databases Edge Computing Infrastructure as Code Linux Microservices Open Source Networking Storage
Fivetran Brings Data Lake Interoperability to Google Cloud
Apr 10th 2025 6:45am, by Charles Humble
Local or Cloud: Choosing the Right Dev Environment
Apr 9th 2025 4:00pm, by Anita Ihuman
The Open Format Movement Heats Up: Snowflake Embraces Apache Iceberg
Apr 8th 2025 6:00am, by Jelani Harper
Why Cloud Native Infrastructure Is Non-Negotiable for GenAI
Apr 7th 2025 3:00pm, by Debojyoti Dutta
CNCF Reveals New Certifications and Expanded Job Opportunities
Apr 4th 2025 2:00pm, by Steven J. Vaughan-Nichols
Advanced Docker Scout Use Cases: Security Insights, Recommendations, and Remediation 
Apr 13th 2025 10:00am, by Advait Patel
Legacy to Cloud: Accelerate Modernization via Containers
Apr 10th 2025 10:00am, by Bhushan Nemade
The Super Helm Chart: To Deploy or Not To Deploy?
Apr 8th 2025 6:00am, by Utku Darılmaz
Automate Container Security Audits With Docker Scout and Python 
Apr 5th 2025 9:00am, by Advait Patel
Why Docker Scout Is Changing How Developers Scan for Vulnerabilities 
Apr 3rd 2025 11:00am, by Advait Patel
Fivetran Brings Data Lake Interoperability to Google Cloud
Apr 10th 2025 6:45am, by Charles Humble
AI Data Dilemma: Balancing Innovation with Ironclad Governance
Apr 8th 2025 11:00am, by Artin Avanes
Why Use a NoSQL Database for AI? There Are Many Great Reasons
Apr 8th 2025 8:00am, by Tim Rottach
Redis Launches Vector Sets and a New Tool for Semantic Caching of LLM Responses
Apr 8th 2025 7:00am, by Frederic Lardinois
Building Graph-Based RAG Applications Just Got Easier
Apr 4th 2025 9:00am, by Ryan Michael and Nina Lopatina
AI at the Edge: Federated Learning for Greater Performance
Apr 16th 2025 8:00am, by Charles Humble
Should You Care About Fermyon Wasm Functions on Akamai?
Mar 28th 2025 1:00pm, by B. Cameron Gain
Are Edge Computing and Cloud Computing in Competition?
Mar 27th 2025 6:00am, by Meredith Shubel
Edge Data Centers Offer Benefits for Remote Industrial Apps
Mar 26th 2025 8:00am, by Meredith Shubel
AI Is Coming to the Edge, but It Will Look Different
Mar 20th 2025 1:00pm, by Damir Mujezinovic
Tackle IaC Tooling Complexity and Growing Cloud Costs in 2025
Apr 11th 2025 11:00am, by Ido Neeman
IT Leaders Brace for Tariff Fallout on Infrastructure and Cloud Costs
Mar 26th 2025 10:00am, by Krishna Subramanian
How To Select the Best Cloud Model for Your AI Strategy
Mar 25th 2025 1:00pm, by Abu Hassan Peer
Why FinOps Belongs in Your CI/CD Workflow
Mar 25th 2025 5:00am, by Amit Liberman
NixOps Lives On: Introducing NixOps 4
Mar 21st 2025 9:00am, by B. Cameron Gain
Kelsey Hightower on Nix vs. Docker: Is There a Different Way?
Apr 16th 2025 7:00am, by David Cassel
Linux: Five Easy Ways To Secure Any Distribution
Apr 13th 2025 8:00am, by Jack Wallen
Unsure How To Schedule With Cron on Linux? Try One of These GUIs
Apr 12th 2025 6:00am, by Jack Wallen
How To Develop on a Linux Desktop With an Easy-To-Use VM
Apr 10th 2025 6:00am, by Jack Wallen
Rust, Linux and Cloud Native Computing
Apr 7th 2025 8:00am, by Steven J. Vaughan-Nichols
Scale Microservices Testing Without Duplicating Environments
Apr 15th 2025 9:00am, by Arjun Iyer
What Agentic Workflows Mean to Microservices Developers
Apr 3rd 2025 4:00pm, by Janakiram MSV
Sandbox Testing: The DevEx Game-Changer for Microservices
Mar 27th 2025 7:11am, by Arjun Iyer
Testing Microservices: Message Isolation for Kafka, SQS, More
Mar 20th 2025 7:09am, by Arjun Iyer
The Million-Dollar Problem of Slow Microservices Testing
Mar 6th 2025 8:05am, by Arjun Iyer
Harness Kubernetes Costs With OpenCost
Apr 16th 2025 10:00am, by Ram Iyengar
Kelsey Hightower on Nix vs. Docker: Is There a Different Way?
Apr 16th 2025 7:00am, by David Cassel
The Kro Project: Giving Kubernetes Users What They Want
Apr 15th 2025 12:00pm, by Michelle Gienow
OpenSearch: What’s Next for the Search and Analytics Suite?
Apr 10th 2025 9:00am, by Michelle Gienow
Five Years In, Backstage Is Just Getting Started
Apr 7th 2025 2:00pm, by Jennifer Riggins
Dave Taht, Who Sped Up Networks More Than You'll Ever Know, Has Died
Apr 4th 2025 11:00am, by Steven J. Vaughan-Nichols
KubeCon Europe: Kgateway Aims To Be the Kubernetes Onramp
Apr 3rd 2025 7:00am, by Joab Jackson
KubeCon Europe: Aviatrix's Enterprise Firewall for Kubernetes
Mar 24th 2025 5:00am, by Joab Jackson
NVIDIA Unveils Next-Gen Rubin and Feynman Architectures, Pushing AI Power Limits
Mar 19th 2025 3:00pm, by Adrian Cockcroft
2.8 Million Reasons Why You Can’t Trust Your VPN
Mar 17th 2025 9:00am, by Nick Taylor
Fivetran Brings Data Lake Interoperability to Google Cloud
Apr 10th 2025 6:45am, by Charles Humble
The Open Format Movement Heats Up: Snowflake Embraces Apache Iceberg
Apr 8th 2025 6:00am, by Jelani Harper
Don’t Let Storage Slow Down DevOps
Apr 3rd 2025 2:00pm, by Carol Platz
Changed Block Tracking Is Here for Kubernetes Resilience
Mar 24th 2025 8:30am, by Mark Lavi
Real-Time Write Heavy Workloads: Considerations and Tips
Mar 14th 2025 9:00am, by Felipe Cardeneti Mendes and Lubos Kosco
AI AI Engineering API Management Backend development Data Frontend Development Large Language Models Security Software Development WebAssembly
Slopsquatting: The Newest Threat to Your AI-Generated Code
Apr 16th 2025 9:00am, by
AI at the Edge: Federated Learning for Greater Performance
Apr 16th 2025 8:00am, by
Seven Habits of Highly Effective AI Coding
Apr 16th 2025 6:00am, by
Frontend Gets Smarter: AI's JavaScript Revolution
Apr 15th 2025 11:00am, by
Year of AI Utility: Moving From Early Wins to Long-Term Value
Apr 15th 2025 8:05am, by
Vibing Dangerously: The Hidden Risks of AI-Generated Code
Apr 16th 2025 11:00am, by
Slopsquatting: The Newest Threat to Your AI-Generated Code
Apr 16th 2025 9:00am, by
Seven Habits of Highly Effective AI Coding
Apr 16th 2025 6:00am, by
Code in Your Native Tongue: Amazon Q Developer Goes Global
Apr 10th 2025 5:00pm, by
Ironwood: Google's Answer to Nvidia in the AI Chip Wars
Apr 9th 2025 10:00am, by
Case Study: AI Agent Cuts API Connector Dev Time to Minutes
Apr 15th 2025 2:00pm, by
Use API Governance Tools for Better API Experiences
Apr 11th 2025 2:00pm, by
OpenAPI: How to Handle File Management
Apr 8th 2025 9:00am, by
Future of Platform Engineering Is About Much More Than AI
Apr 3rd 2025 12:00pm, by
DeepSource Releases Globstar Amid Semgrep Licensing Backlash
Apr 2nd 2025 5:00pm, by
JavaScript's Missing Link: Wasp Offers Full Stack Solution
Mar 26th 2025 2:00pm, by
Pagoda: A Web Development Starter Kit for Go Programmers
Mar 19th 2025 6:10am, by
Apollo: GraphQL Now Connects to REST APIs With Little Fuss
Mar 11th 2025 7:30am, by
Introduction to Backend Development
Mar 10th 2025 12:30pm, by
Laravel Adds Inertia To Stack and Offers React Starter Kit
Mar 4th 2025 10:00am, by
Year of AI Utility: Moving From Early Wins to Long-Term Value
Apr 15th 2025 8:05am, by
What Devs Should Know When Starting an Apache Kafka Journey
Apr 15th 2025 6:00am, by
Formula 1: Engineering When Every Millisecond Counts
Apr 11th 2025 9:24am, by
From BI to Predictive AI: Why Analysts Are the Heroes of the Next Data Frontier
Apr 10th 2025 11:00am, by
OpenSearch: What’s Next for the Search and Analytics Suite?
Apr 10th 2025 9:00am, by
Frontend Gets Smarter: AI's JavaScript Revolution
Apr 15th 2025 11:00am, by
Internal Projects: Working Inside the Panopticon
Apr 12th 2025 8:00am, by
New Laravel-Related Offerings Include Octane Alternative
Apr 12th 2025 5:00am, by
Three AI-Assisted Development Skills You Can Start Using Today
Apr 9th 2025 2:00pm, by
GitHub's New Security Campaigns Fix Security Debt With AI
Apr 9th 2025 11:00am, by
Build Scalable LLM Apps With Kubernetes: A Step-by-Step Guide
Apr 14th 2025 6:00am, by
Breakthrough: LLM Traces Outputs to Specific Training Data
Apr 9th 2025 8:30am, by
Agentic AI Is the Next Frontier in Enterprise Operations
Apr 8th 2025 10:00am, by
KubeCon Europe: How Kubernetes Handles 6G, LLMs and Deep Space
Apr 7th 2025 10:00am, by
Adopt World Models Today or Fall Behind Tomorrow
Apr 4th 2025 12:00pm, by
Vibing Dangerously: The Hidden Risks of AI-Generated Code
Apr 16th 2025 11:00am, by
Slopsquatting: The Newest Threat to Your AI-Generated Code
Apr 16th 2025 9:00am, by
JFrog Sounds Alarm on Crypto-Stealing Python Package
Apr 15th 2025 3:00pm, by
Agentic Access Is Here. Your Authorization Model Is Probably Broken.
Apr 15th 2025 1:00pm, by
Advanced Docker Scout Use Cases: Security Insights, Recommendations, and Remediation 
Apr 13th 2025 10:00am, by
Vibing Dangerously: The Hidden Risks of AI-Generated Code
Apr 16th 2025 11:00am, by
Case Study: AI Agent Cuts API Connector Dev Time to Minutes
Apr 15th 2025 2:00pm, by
Four New Areas Where AI Is Transforming Software Development
Apr 14th 2025 11:00am, by
The Interrupt Tax: Why Developer Productivity Is Measured in Silences
Apr 14th 2025 11:00am, by
Beyond ROWE: Why Results-Only Work Isn’t Always a Win
Apr 12th 2025 10:00am, by
Hyperlight Wasm: Azure Goes the Final Wasi Mile
Apr 3rd 2025 9:00am, by
Endor: WebAssembly-Based Server in the Browser
Mar 29th 2025 1:00pm, by
Should You Care About Fermyon Wasm Functions on Akamai?
Mar 28th 2025 1:00pm, by
Akamai Picks Up Hosting for Kernel.org
Mar 27th 2025 10:00am, by
Top 5 Uses of WebAssembly for Web Developers
Feb 16th 2025 7:00am, by
AI Operations CI/CD Cloud Services DevOps Kubernetes Observability Operations Platform Engineering
Year of AI Utility: Moving From Early Wins to Long-Term Value
Apr 15th 2025 8:05am, by Baris Gultekin
Four New Areas Where AI Is Transforming Software Development
Apr 14th 2025 11:00am, by Emilio Salvador
Agentic AI Is the Next Frontier in Enterprise Operations
Apr 8th 2025 10:00am, by Guo Wei
Why Cloud Native Infrastructure Is Non-Negotiable for GenAI
Apr 7th 2025 3:00pm, by Debojyoti Dutta
A Look at AIBrix, an Open Source LLM Inference Platform
Apr 4th 2025 7:00am, by Janakiram MSV
Seven Habits of Highly Effective AI Coding
Apr 16th 2025 6:00am, by Tariq Shaukat
Optimizing CI/CD for Trust, Observability and Developer Well-Being
Apr 15th 2025 10:00am, by Saqib Jan
What Devs Should Know When Starting an Apache Kafka Journey
Apr 15th 2025 6:00am, by Sandon Jacobs
Tackle IaC Tooling Complexity and Growing Cloud Costs in 2025
Apr 11th 2025 11:00am, by Ido Neeman
Reframing DevSecOps: Software Security to Software Safety
Apr 7th 2025 11:00am, by Josh Lemos
Mastering the Cloud: Saumen Biswas on Cutting Costs Without Cutting Corners
Apr 14th 2025 12:00pm, by Colin Bonini
Google Kubernetes Engine Customized for Faster AI Work
Apr 9th 2025 9:00am, by Joab Jackson
Apache Ray Finds a Home on the Google Kubernetes Engine
Apr 9th 2025 6:00am, by Joab Jackson
VMware Alternatives: A Strategic Guide to Modern Virtualization
Apr 4th 2025 8:00am, by Adam Swidler
Google Extends Gmail Client-Side Encryption to All Users
Apr 1st 2025 9:00am, by Joab Jackson
Harness Kubernetes Costs With OpenCost
Apr 16th 2025 10:00am, by Ram Iyengar
Optimizing CI/CD for Trust, Observability and Developer Well-Being
Apr 15th 2025 10:00am, by Saqib Jan
The Interrupt Tax: Why Developer Productivity Is Measured in Silences
Apr 14th 2025 11:00am, by Nishant Modak
Advanced Docker Scout Use Cases: Security Insights, Recommendations, and Remediation 
Apr 13th 2025 10:00am, by Advait Patel
Formula 1: Engineering When Every Millisecond Counts
Apr 11th 2025 9:24am, by Jennifer Riggins
Harness Kubernetes Costs With OpenCost
Apr 16th 2025 10:00am, by Ram Iyengar
The Kro Project: Giving Kubernetes Users What They Want
Apr 15th 2025 12:00pm, by Michelle Gienow
Build Scalable LLM Apps With Kubernetes: A Step-by-Step Guide
Apr 14th 2025 6:00am, by Oladimeji Sowole
Google Kubernetes Engine Customized for Faster AI Work
Apr 9th 2025 9:00am, by Joab Jackson
The Super Helm Chart: To Deploy or Not To Deploy?
Apr 8th 2025 6:00am, by Utku Darılmaz
DeepSource Releases Globstar Amid Semgrep Licensing Backlash
Apr 2nd 2025 5:00pm, by B. Cameron Gain
KubeCon Europe Day 1 Keynote: Can Observability Keep Up With LLMs?
Apr 2nd 2025 4:00pm, by B. Cameron Gain
Observability in K8s: Moving From Reactive to Predictive
Apr 2nd 2025 9:00am, by Lori Bertelli
ML and LLM Adoption Challenged Most Often by Observability
Mar 31st 2025 7:00am, by Lawrence E Hecht
What eBPF Means for Observability vs. Security
Mar 31st 2025 6:17am, by B. Cameron Gain
The Kro Project: Giving Kubernetes Users What They Want
Apr 15th 2025 12:00pm, by Michelle Gienow
Python Software Foundation Honors Ewa Jodlowska's Service
Apr 13th 2025 7:00am, by David Cassel
Beyond ROWE: Why Results-Only Work Isn’t Always a Win
Apr 12th 2025 10:00am, by Steve Fenton
Tackle IaC Tooling Complexity and Growing Cloud Costs in 2025
Apr 11th 2025 11:00am, by Ido Neeman
From POC to Production: Why GenAI Projects Often Stall
Apr 11th 2025 10:00am, by Arti Raman
Optimizing CI/CD for Trust, Observability and Developer Well-Being
Apr 15th 2025 10:00am, by Saqib Jan
Mastering the Cloud: Saumen Biswas on Cutting Costs Without Cutting Corners
Apr 14th 2025 12:00pm, by Colin Bonini
Local or Cloud: Choosing the Right Dev Environment
Apr 9th 2025 4:00pm, by Anita Ihuman
Why Cloud Native Infrastructure Is Non-Negotiable for GenAI
Apr 7th 2025 3:00pm, by Debojyoti Dutta
Five Years In, Backstage Is Just Getting Started
Apr 7th 2025 2:00pm, by Jennifer Riggins
C++ Developer tools Go Java JavaScript Programming Languages Python Rust TypeScript
EngFlow Makes C++ Builds 21x Faster and Software a Lot Safer
Apr 3rd 2025 3:00pm, by Darryl K. Taft
Memory-Safe C: TrapC's Pitch to the C ISO Working Group
Mar 12th 2025 7:00am, by David Cassel
Bjarne Stroustrup on How He Sees C++ Evolving
Mar 7th 2025 6:00am, by David Cassel
Curl's Daniel Stenberg on Securing 180,000 Lines of C Code
Feb 23rd 2025 6:00am, by David Cassel
Introduction to C++ Programming Language
Feb 11th 2025 6:00am, by TNS Staff
Local or Cloud: Choosing the Right Dev Environment
Apr 9th 2025 4:00pm, by Anita Ihuman
From BASIC to Vibes: Microsoft's 50-Year Code Evolution
Apr 4th 2025 5:00pm, by Darryl K. Taft
EngFlow Makes C++ Builds 21x Faster and Software a Lot Safer
Apr 3rd 2025 3:00pm, by Darryl K. Taft
Red Hat Arms Developers With AI-Powered Migration Tools
Apr 1st 2025 1:00pm, by Steven J. Vaughan-Nichols
Developer’s Guide to the Built-In Tools of OpenAI Agents SDK
Mar 26th 2025 9:12am, by David Eastman
Prepare Your Mac for Go Development
Apr 12th 2025 7:00am, by Damon M. Garn
Pagoda: A Web Development Starter Kit for Go Programmers
Mar 19th 2025 6:10am, by Loraine Lawson
Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#
Mar 18th 2025 7:00am, by David Cassel
Go Power: Microsoft's Bold Bet on Faster TypeScript Tools
Mar 12th 2025 1:00pm, by Darryl K. Taft and Loraine Lawson
Introduction to Go Programming Language
Jan 17th 2025 9:00am, by TNS Staff
JavaOne 2025: Talks, History, Community, and Scott McNealy
Apr 6th 2025 6:00am, by David Cassel
Java Modernizes: New Tools for AI and Quantum Age
Mar 26th 2025 7:00am, by Chris J. Preimesberger
Oracle Ships Java 24: 'AI Is So Yesterday' Says VP
Mar 19th 2025 10:00am, by Darryl K. Taft
Vulnerability-Free Java Containers: A Practical Guide
Mar 8th 2025 9:00am, by Eric Murphy
AI Tools Now Essential in Java Dev's Productivity Arsenal
Mar 6th 2025 3:00pm, by Darryl K. Taft
Frontend Gets Smarter: AI's JavaScript Revolution
Apr 15th 2025 11:00am, by Alexander T. Williams
New Laravel-Related Offerings Include Octane Alternative
Apr 12th 2025 5:00am, by Loraine Lawson
A Peek at What’s Next for Vue
Apr 5th 2025 6:00am, by Loraine Lawson
A Developer’s Guide to Server-Side JavaScript
Apr 3rd 2025 10:00am, by Martin Bach
Researchers Find Next.js Middleware Vulnerability
Mar 29th 2025 3:01am, by Loraine Lawson
JFrog Sounds Alarm on Crypto-Stealing Python Package
Apr 15th 2025 3:00pm, by Chris J. Preimesberger
A Developer’s Guide to Server-Side JavaScript
Apr 3rd 2025 10:00am, by Martin Bach
Level Up Your Python: Higher-Order Functions Explained
Apr 2nd 2025 12:00pm, by Jessica Wachtel
Rust Gets Its Missing Piece: Official Spec Finally Arrives
Mar 28th 2025 3:00pm, by Darryl K. Taft
Java Modernizes: New Tools for AI and Quantum Age
Mar 26th 2025 7:00am, by Chris J. Preimesberger
JFrog Sounds Alarm on Crypto-Stealing Python Package
Apr 15th 2025 3:00pm, by Chris J. Preimesberger
Python Software Foundation Honors Ewa Jodlowska's Service
Apr 13th 2025 7:00am, by David Cassel
NVIDIA Finally Adds Native Python Support to CUDA
Apr 2nd 2025 2:00pm, by Agam Shah
Level Up Your Python: Higher-Order Functions Explained
Apr 2nd 2025 12:00pm, by Jessica Wachtel
Insert Data into a MySQL Database via a Python Script
Mar 26th 2025 5:21am, by Jack Wallen
Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#
Mar 18th 2025 7:00am, by David Cassel
Go Power: Microsoft's Bold Bet on Faster TypeScript Tools
Mar 12th 2025 1:00pm, by Darryl K. Taft and Loraine Lawson
Oracle Won’t Release ‘JavaScript’ Without a Fight
Jan 11th 2025 5:00am, by Loraine Lawson
The Year in JavaScript: Top JS News Stories of 2024
Dec 27th 2024 6:30am, by Loraine Lawson
How OOP Developers Can Get To Know TypeScript Through Deno
Oct 19th 2024 8:00am, by David Eastman
AI Engineering / Security / Software Development

Vibing Dangerously: The Hidden Risks of AI-Generated Code

Vibe coding revolutionizes development speed, but security experts warn of potentially dangerous vulnerabilities lurking beneath AI-generated code.
Apr 16th, 2025 11:00am by
Featued image for: Vibing Dangerously: The Hidden Risks of AI-Generated Code
Featured image via Unsplash+.

Vibe coding has rapidly emerged as a revolutionary approach to software development. This methodology relies on large language models (LLMs) and natural language prompts to create code quickly, enabling developers — and increasingly non-developers — to build applications at unprecedented speeds.

Yet, while this approach offers big benefits for rapid prototyping and idea validation, it also casts a significant security shadow that many users may overlook in their rush to embrace this new paradigm.

The Promise and Peril of Vibe Coding

Vibe coding fundamentally changes how software is created. Instead of manually writing every line of code, developers describe their desired functionality in natural language (via either typed or voice prompts), and AI tools generate the implementation.

As Janet Worthington, an analyst at Forrester Research, told The New Stack, this approach “focuses on using generative AI to achieve desired outcomes based on the inventor’s vision, offering a fast way to prototype ideas, without having to understand the underlying code or the complexities of the system.”

This speed is especially valuable for startups and solo developers, she said. It allows for rapid learning cycles and quick demonstrations of concepts to potential investors.

But as Brad Shimmin, an analyst at the Futurum Group, told The New Stack, because vibe coding “relies heavily on iteration with the developer feeding the project codebase back into an LLM repeatedly and ‘not’ carefully reviewing each step (otherwise, it wouldn’t be ‘vibing’), the opportunity to introduce inefficiencies, outright errors, and vulnerabilities is more likely to grow over time without a solid CI/CD practice.”

In a post on X, Abhishek Sisodia, a Toronto-based software engineer for Scotiabank Digital Factory, wrote: “Vibe coding is the new no-code — except now it’s AI doing the heavy lifting instead of drag-and-drop builders. The real question is, will it last, or are we about to see a wave of half-baked AI-built products?”

He also wrote: “AI can write your code, but it won’t protect your app! I realized many new builders are vulnerable to simple attacks.”

Why AI-Generated Code Is Vulnerable by Design

At the core of vibe coding’s security challenges lies a fundamental issue with how AI code models are trained.

Eitan Worcel, CEO at Mobb, told The New Stack: “GenAI was trained on real-world code, much of which contains vulnerabilities that may or may not be exploitable — not because the code was safe, but because other contextual mitigations masked the risk. When GenAI produces new code, it often reproduces those insecure patterns and without the original context, those same vulnerabilities are not mitigated and can become exploitable.”

This training data problem means the AI effectively inherits the security flaws present in its training set. As Forrester’s Worthington notes, “LLMs are probabilistic rather than deterministic, making it challenging to guarantee any level of consistency for AI-generated code, even insecure code.”

Common Vulnerabilities in AI-Generated Code

Security experts identify several categories of vulnerabilities that frequently appear in AI-generated code:

  1. Injection attacks: Danny Allan, CTO of Snyk, highlights that “because AI typically lacks comprehensive validation for user inputs or improper handling of data, injection vulnerabilities are also a common issue with AI code generation.” This includes SQL injection, a vulnerability that David Mytton, CEO of Arcjet, a developer security software provider, told The New Stack he has observed in vibe-coded applications.
  2. Improper permissions: Allan also notes that “a very common issue with AI-generated code is improperly configured permissions, potentially leading to the exposure of proprietary, sensitive organizational information or privilege escalation attacks.”
  3. Path traversal vulnerabilities: Willem Delbare, founder and CTO of Aikido Security, told The New Stack, “AI can easily write code vulnerable to path traversal that would be flagged immediately by security tools. The code may run perfectly fine, but it could allow attackers to access unauthorized files and directories.”
  4. Insecure dependencies: The AI might recommend “open source libraries that are insecure, poorly maintained, or don’t exist,” according to Worthington.
  5. Licensing issues: Many LLMs trained on open source code “may suggest code that is an actual code snippet from other open source software without proper attribution or adherence to licensing obligations, which is a liability for organizations,” Worthington adds.

The 0-1 vs. 1-10 Problem

Delbare shed light on an important distinction in how vibe coding impacts different stages of development: “Vibe coding is great for quickly coding solutions to complex requirements, but a typical app has many features, and AI still lacks memory and a big enough context window to handle architectural-level mistakes and interactions between features.”

This observation points to a critical issue: while vibe coding excels at the 0-1 phase (initial creation), it struggles with the 1-10 phase (scaling, hardening, and production-readiness). The more complex an application becomes, the more these security vulnerabilities compound and interact in potentially dangerous ways, these security experts said.

Real-World Consequences

The security risks of vibe coding aren’t merely theoretical. Matt Johansen, a cybersecurity expert and founder of Vulnerable U, told The New Stack, “We’re already seeing examples on social media of solo vibe coders facing attacks against their apps that they launched and they were previously bragging about how fast and easy coding it and going live were.”

One such example comes from a developer known as LeoJr94 on X (formerly Twitter), who built a SaaS product “with Cursor, zero handwritten code.” After proudly sharing his accomplishment, he later posted: “guys, i’m under attack ever since I started to share how I built my SaaS using Cursor… maxed out usage on api keys, people bypassing the subscription, creating random shit on db… as you know, I’m not technical so this is taking me longer that usual to figure out.”

This case illustrates how the lack of security expertise, combined with the false confidence that AI-generated code can inspire, creates real vulnerabilities that attackers are quick to exploit.

Can’t You Just Tell the AI to ‘Make It Secure’?

One question is whether simply instructing the AI to produce secure code could solve these problems. Security experts are unanimous in their response: It doesn’t.

Worcel explained: “It’s a good instinct, and certain prompts can sometimes nudge the model toward better practices — but unfortunately, it’s not sufficient. The fundamental issue is that generative AI models were trained on massive amounts of publicly available code, which includes plenty of insecure patterns. There simply isn’t a large enough dataset of code that’s been thoroughly vetted for security to teach these models what not to do.”

But Allan of Snyk is even more direct: “Absolutely not, traditional application security practices should always be front and center when addressing vulnerabilities. Think of it this way: autopilot was created in 1912, but that doesn’t mean we fly our airplanes with no pilots in the cockpit.”

The False Confidence Problem

A particularly insidious aspect of vibe coding is that it can give inexperienced developers a false sense of security. Nick Baumann, product marketing manager at Cline, told The New Stack that security concerns “stem not from AI doing the coding, but rather from the user who has less experience building out systems and the appropriate security they require.”

Meanwhile, Jason Bloomberg, an analyst at Intellyx, takes a stronger stance.

“Security is but one of many issues with vibe coding. Using AI to generate code is an invitation for hallucinations, bugs, vulnerabilities, and all manner of other pitfalls,” he told The New Stack.

Bloomberg added that many experienced developers “are finding that vibe coding isn’t worth the trouble — and some actually think it’s a joke. Less seasoned developers (and their bosses) may see it as a shortcut, at their peril.”

Moreover, Arcjet’s Mytton said he sees another dimension to this problem.

“If you don’t know there are security issues, how do you know if they’re fixed? Some of them? All of them?” he said.

Practical Security Solutions

Despite these challenges, experts offer several approaches to mitigate the security risks of vibe coding:

  1. Automated security scanning: Mobb’s Worcel argues that “the answer lies in automation — not just for finding issues, but for fixing them. Auto-remediation, integrated into the development process, can help catch and resolve problems without slowing anyone down.”
  2. Secure API handling: Allan emphasizes that “one of the most critical steps is securing API keys — these should never be exposed in client-side code but rather stored securely on the server side to prevent unauthorized access.”
  3. Input validation: Allan also highlights the importance of treating “all user inputs as potentially harmful and implementing strict validation to guard against vulnerabilities like SQL injection and cross-site scripting (XSS) attacks.”
  4. Code review: Even with AI-generated code, human review remains essential. Allan said that “every line must undergo thorough code reviews to ensure adherence to security best practices.”
  5. Security-aware tooling: Nigel Douglas, head of developer relations at Cloudsmith, in a statement, said “without security-aware tooling or policy enforcement, enterprises could end up unknowingly introducing vulnerabilities into their ecosystem.”
  6. Test edge cases: Aikido’s Delbare recommends testing “edge cases that go beyond the happy path — especially with external APIs, larger datasets, and unexpected inputs.”

Moreover, Delbare added, “If you’re building a real app that handles sensitive data, you should:

  • Use open source tools like OpenGrep to identify security issues
  • Have the AI focus specifically on potential security issues in its generated code.”

Finding the Balance

The key to leveraging vibe coding’s benefits while mitigating its risks lies in finding the right balance between speed and security. As LeoJr94 reflected after his security incident: “The more I vibe code, the more I learn. The more I learn, the less I want to vibe code.”

This doesn’t mean abandoning vibe coding entirely but rather approaching it with appropriate caution and supplementing it with solid security practices.

As Shimmin said, “Vibe coding doesn’t do away with testing, documenting, and deploying; if anything, because it operates somewhat autonomously, it pushes more work to the end of the lifecycle.”

Security Cannot Be Ignored

Vibe coding represents a significant evolution in software development, making coding more accessible and accelerating the path from idea to implementation. However, its security implications cannot be ignored.

The combination of AI models trained on insecure code patterns, the lack of comprehensive security knowledge among many practitioners, and the speed-focused nature of the approach creates a perfect storm for security vulnerabilities.

As the industry continues to embrace this new paradigm, it must simultaneously develop security practices specifically tailored to AI-generated code. This includes better automated security tools, improved education for developers, and a healthy dose of caution when deploying vibe-coded applications to production.

The future of secure vibe coding will likely involve a partnership between human expertise and AI capabilities — where the AI accelerates development, but humans provide the security oversight and contextual understanding that current AI models lack.

One developer known as @Method1cal, who is founder of RedStack Labs, a cloud and cybersecurity consultancy in Vancouver, BC, Canada, is already working on this.

“We developed secure coding rules for @cursor_ai to help vibe coders produce more secure code,” he posted.

In addition, Sisodia has created a cheat sheet for vibe coding security.

In the meantime, developers embracing vibe coding would do well to heed Allan’s aviation metaphor: the AI may be the autopilot, but a human pilot should always remain in the cockpit, especially when it comes to security.

TRENDING STORIES
Group Created with Sketch.
Darryl K. Taft covers DevOps, software development tools and developer-related issues from his office in the Baltimore area. He has more than 25 years of experience in the business and is always looking for the next scoop. He has worked...
Read more from Darryl K. Taft
SHARE THIS STORY
TRENDING STORIES
TNS owner Insight Partners is an investor in: Real.
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.