Turns out, letting AI tools like Claude and GitHub Copilot "vibe code" your software into existence is a bit like asking a toddler to design a skyscraper. It might look fine from a distance, but the structural integrity? Less so. Researchers have now confirmed that this hands-off approach is churning out code riddled with security flaws.
Someone at Georgia Tech's Systems Software & Security Lab (SSLab) noticed nobody was actually tracking these specific AI-induced vulnerabilities. So, naturally, they built a "Vibe Security Radar." Because apparently, that's where we are now.
The Radar That Sniffs Out Bot Blunders
The Vibe Security Radar is a digital bloodhound, sniffing through public vulnerability databases. It finds errors, then digs into the code's history to see who — or what — introduced the bug. If it spots an AI tool's digital fingerprints, it flags the issue. So far, it's confirmed 74 cases of AI-generated vulnerabilities, with 14 of those being the kind of critical risks that make IT departments sweat, and another 25 in the high-risk category.
We're a new kind of news feed.
Regular news is designed to drain you. We're a non-profit built to restore you. Every story we publish is scored for impact, progress, and hope.
Start Your News DetoxThese aren't minor typos; we're talking about command injection, authentication bypasses, and server-side request forgery. The real kicker? AI models tend to repeat their mistakes. Find one bug in an AI-generated codebase, and you can likely find it in thousands of others. It's the digital equivalent of a faulty cookie cutter mass-producing crumbly biscuits.
Catching the Ghost in the Machine
Right now, the radar relies on markers like co-author tags or bot emails. But what happens when the AI is a bit more subtle, or developers clean up the metadata? The team's next move is behavioral detection. Turns out, AI-written code has its own quirky tells: unique patterns in how it names variables, structures functions, and even handles errors.
The goal is to identify AI code from the code itself, no metadata required. This means they'll soon be catching a lot more of these digital slip-ups. And the problem is growing, fast. In the latter half of 2025, the radar found 18 cases. In just the first three months of 2026? A whopping 56, with March alone racking up 35 — more than all of 2025 combined. Let that satisfying, terrifying number sink in.
Your AI-Coded Future, Reviewed
So, if you're a developer enjoying the breezy world of vibe coding, here's the cold splash of reality: that AI-generated output still needs a thorough review. Especially anything touching user input or authentication. Because when an AI agent builds something without proper authentication, it's not a simple oversight; it's a design flaw baked in from the start.
And as AI tools like Claude become more independent, writing entire features and making architectural decisions, the potential attack surface is expanding rapidly. Attackers might not need to breach a company's main systems; they just need to find a vulnerability in a poorly reviewed AI model's protocol server. Which, if you think about it, is both impressive and slightly terrifying.
