Aardvark Daily: The world's longest-running online daily news and commentary publication, now in its 30th year. The opinion pieces presented here are not purported to be fact but reasonable effort is made to ensure accuracy. Content copyright © 1995 - 2025 to Bruce Simpson (aka Aardvark), the logo was kindly created for Aardvark Daily by the folks at aardvark.co.uk
I have written previously about the risks associated with vibe-coding and now those potential vulnerabilities are starting to surface in real-world situations.
There are two types of vibe-coding disasters, one accidental and one deliberate.
In the first instance, the AI coding agents can effectively destroy projects when they run amok -- driven by hallucinations or some other anomaly that can see hours or weeks of work utterly trashed in a few seconds.
A great example of this is documented in this story from Ars Technica where Google's Gemini effectively deleted files and then admitted "I have failed you completely and catastrophically".
One thing I've noticed is that AI is very good at apologising for its mistakes -- perhaps that's because it gets lots of practice.
A good place to keep an eye on just how well vibe-coding AI agents are working (or not) is the forum over at Cursor.com. Sadly, there are still plenty of horror stories.
Fortunately, problems such as these can be mitigated to some degree by the use of a sensible, multi-tiered backup schedule -- although obviously significant time and money could still be lost to doing restores and having to resubmit the change requests.
The biggest and most difficult vulnerability to mitigate that can be created by vibe-coding, however, is that of malicious code generation.
I have no doubt that right now, armies of evil sods are busy posting huge repositories of code segments with malicious payloads to repositories and websites across the face of the internet.
Why would they do that?
Well, since these AI coding agents accumulate their knowledge by a constant scraping of the Net, the more code segments that hackers can post, the more likely it is that their evil and not obvious payloads will be incorporated into the datasets from which these coding agents derive their knowledge.
IT departments are cutting back on skilled programmers and replacing them with "prompt engineers" who spend their days vibing up apps at such a rate that full code walkthroughs are simply not possible -- even if those "engineers" were able to understand the code that's been generated. This means it has become increasingly likely that there are now some significant applications that have trojan horses embedded in them, without the knowledge of those who created them.
Imagine when a hacker successfully convinces an AI coding agent that their fragment of code is just the thing for performing a commonly used operation. If that fragment also contains an obfuscated back door that, under pre-determined circumstances, calls a malware server somewhere on the Net, then there's little to stop an entire system from being taken down.
The hackers simply need to seed the Net with their clever boobytraps and then sit back and wait for traffic to appear on their malware servers.
This would be a long-term strategy that could pay massive dividends if copies of their backdoor end up in hundreds or thousands of vibe-coded applications across the internet -- on phones, in corporate software and perhaps even crucial infrastructure systems.
When you dumb-down program creation to this level, dumb things can happen.
I've grabbed my popcorn and now I sit and wait for the first reports.
Carpe Diem folks!