40%
of GitHub Copilot outputs in security-relevant scenarios contained vulnerabilities (Pearce et al., NYU/Stanford)
1,300+
malicious npm packages removed in 2023, many targeting AI-suggested package names
6
predictable vulnerability classes found consistently across vibe-coded codebase audits
5
security gates that catch vibe coding vulnerabilities before production: SAST, secret scan, dependency audit, manual auth review, DAST

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Vibe coding security risks are not theoretical. A 2022 study from NYU and Stanford found that GitHub Copilot generated insecure code in approximately 40 percent of security-relevant scenarios tested across 89 different tasks, including buffer overflows, SQL injection, and hardcoded credentials: and that was before the practice scaled to entire production codebases.

The question practitioners are actually asking is not whether AI-generated code can be insecure. It can. The real question is whether your team has the controls in place to catch what the model gets wrong before it ships.

Vibe coding is not going away. Cursor has millions of active users. GitHub Copilot is embedded in enterprise IDEs across Fortune 500 companies. Windsurf and similar tools are accelerating adoption further. Teams that refuse to engage with these tools will simply lose ground to teams that use them carefully.

The security problem with vibe coding is not that AI models are malicious. It is that they are optimized for functional correctness, not adversarial resilience. An AI model generating a login form will make it work. It will not, by default, think about what happens when an attacker submits a 10,000-character username, a crafted JWT, or a SQL fragment in the email field.

This guide breaks down the six vulnerability patterns that appear most reliably in vibe-coded codebases, drawn from published research and codebase audits. It then covers the specific tooling gates your security team should require before any AI-generated code merges to production.

Risk 1: Insecure Dependency Selection

When a developer asks an AI model to add authentication to a Node.js application, the model reaches for whatever package was most prevalent in its training data. That might be a library that was widely used two years ago and has since accumulated unpatched CVEs, been abandoned by its maintainer, or been quietly compromised in a supply chain attack.

The practical failure mode: a vibe-coded Express application pulls in a JWT library pinned to a version with a known algorithm confusion vulnerability, or uses a Mongoose plugin that has not had a security patch in 18 months. The code runs fine in development. It passes functional tests. It ships to production. The dependency audit never ran.

The second and more dangerous failure mode is package hallucination. AI models occasionally generate import statements for packages that do not exist, or that exist only as names the model constructed from patterns in its training data. Attackers monitor for hallucinated package names and publish malicious packages under those names, waiting for developers to run npm install and pull the payload into their build pipeline. Security researchers have demonstrated this technique against multiple AI coding tools.

What this looks like during a codebase audit: check the package-lock.json or yarn.lock for packages with no npm homepage, no GitHub repository, or zero weekly downloads. Cross-reference every dependency that handles cryptography, authentication, or network requests against the GitHub Security Advisory Database before accepting a vibe-coded PR.

Risk 2: Hardcoded Secrets and Credentials

This is the most consistent finding in vibe-coded codebases. AI models generate example code with placeholder values that look like real credentials. Developers accept the generated code, wire it up to their actual secrets by editing the string in place rather than moving the value to an environment variable, and commit the file.

The pattern appears in dozens of forms: a database configuration file ships with a connection string containing the actual production password; a generated authentication module includes a JWT_SECRET hardcoded as a 32-character random-looking string the developer never replaced; an AWS SDK integration has access keys embedded directly in the source file.

These secrets end up in version control. Once they are in git history, rotating the value in the current file is insufficient. The credential exists permanently in every commit that contains it, accessible to anyone with repository access and to automated secret scanners that index public repositories within minutes of a push.

The mitigation is non-negotiable: GitLeaks or TruffleHog must run as a pre-commit hook and as a CI gate. Run TruffleHog against the full git history of any vibe-coded repository on first audit: not just the current HEAD. The history is where the credential you rotated three weeks ago still lives.

JWT secrets

Models generate plausible-looking secret strings that developers leave in place rather than replacing with environment variable references.

Database connection strings

Full connection URLs including username and password appear in generated configuration files and ORM setup code.

API keys

Third-party service integrations are generated with key fields populated by strings that match the format of real credentials.

Private keys and certificates

Generated TLS or SSH configuration occasionally includes inline key material in PEM format.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Risk 3: Missing Input Validation

AI models generate happy-path code. When you ask a model to build a user profile endpoint, it generates the code that handles the case where the user sends a valid request. It does not generate the code that handles the case where the user sends a crafted SQL fragment in the username field, a JavaScript payload in the bio field, or an internal IP address in the avatar URL field.

This is not a model failure. It is a framing problem. The developer described what the feature should do for a legitimate user. The model generated exactly that. Adversarial inputs were never part of the specification.

The vulnerability patterns that result are predictable from OWASP Top 10. SQL injection appears in database queries that concatenate user input directly into query strings instead of using parameterized queries. Cross-site scripting appears in template rendering that outputs user-supplied content without encoding. Server-side request forgery appears in features that fetch URLs provided by users, where the generated code does not validate that the target is an external host before making the request.

SSRF is particularly common in vibe-coded applications because the feature description sounds benign: "fetch the metadata for this URL the user provided." The model generates functional code that makes the request. It does not add validation that prevents the user from pointing that request at the EC2 metadata endpoint at 169.254.169.254.

Risk 4: Broken Authentication Patterns

Authentication code generated by AI models tends to be functionally correct and security-incomplete. The login flow works. Passwords get hashed. Sessions get created. But the implementation skips the defenses that protect users when something goes wrong.

CSRF protection is the most common omission. A vibe-coded form submission handler will process the request but will not validate a CSRF token unless the developer specifically asked for CSRF protection, which most do not.

JWT implementation errors are the second most common pattern. AI models generate JWT verification code that calls the verify function with the correct library. They frequently fail to pin the allowed algorithm, leaving the implementation open to algorithm confusion attacks where an attacker downgrades from RS256 to HS256 and forges tokens using the public key as the HMAC secret. The code looks correct on inspection. The vulnerability is in what is absent, not what is present.

The audit approach for auth flows is manual review with a checklist, not automated scanning. SAST tools catch some patterns but miss structural gaps. Confirm that every state-changing endpoint validates a CSRF token, that JWT verification pins the algorithm explicitly, and that sessions regenerate on login and logout.

Missing CSRF tokens

Generated form handlers process requests without validating that the request originated from a legitimate browser session.

JWT algorithm confusion

Verification code that does not pin the allowed algorithm is vulnerable to downgrade attacks using the public key as an HMAC secret.

Non-expiring sessions

Generated session configuration frequently omits TTL settings, leaving sessions valid indefinitely.

No server-side session invalidation

Logout implementations that delete only the client cookie leave the server-side session record active and reusable.

Risk 5: Prompt Injection in AI-Assisted Applications

This risk category is specific to vibe-coded applications that themselves use an LLM. When a developer asks an AI model to build a feature that takes user input and passes it to another AI model, the generated code almost never sanitizes or structurally separates the user input from the system instructions before making the API call.

The vulnerability is straightforward. The application concatenates a system prompt with user-supplied text and sends the combined string to the model. A user who understands this architecture can craft input that overrides the system instructions, extracts confidential prompt content, or causes the model to perform actions outside its intended scope. In applications with tool-calling enabled, this can mean the model executes file operations, API calls, or database queries that the attacker specified through the injected input.

The mitigation requires structural separation of trusted and untrusted content. User input should be passed in a separate message role, not concatenated into the system prompt. Applications with tool-calling should apply strict allowlists to what tools can be triggered and what parameters they accept. Output from the model should be treated as untrusted if it will be rendered to other users or used to trigger downstream operations.

This is a new attack surface that most security teams are not yet scanning for systematically, which makes it a high-value target for attackers in vibe-coded applications.

Risk 6: Supply Chain Risk from AI-Recommended Packages

The packages an AI model recommends are constrained by its training data cutoff. A model trained through late 2024 recommends packages that were active and maintained as of that date. It has no visibility into what happened to those packages after training ended.

A package that was safe when the model learned about it may have been compromised since. Maintainer account takeovers in the npm ecosystem result in malicious versions being published under trusted package names. A model that confidently recommends a package because it appeared in thousands of training examples cannot warn you that the maintainer's account was phished three months ago and version 2.4.1 contains a credential harvester.

Vibe-coded applications tend to accumulate dependencies faster than hand-written code because the friction of adding a dependency is lower when the model is doing the selection. A hand-written codebase might have 40 direct dependencies with 300 transitive. A vibe-coded codebase of similar functionality might have 80 direct with 600 transitive, because the model reached for a specialized package to handle each subproblem rather than using a standard library primitive.

The gate for this risk is non-negotiable: npm audit or its equivalent must run in CI and block merges on high-severity findings. Snyk adds reachability analysis that identifies which vulnerabilities are actually exploitable given the application's code paths.

What Security Teams Should Gate Before Merge

The controls that catch vibe coding vulnerabilities are not new. What is new is the urgency of enforcing them consistently when AI-generated code can produce an entire feature's worth of vulnerable surface in minutes rather than days.

SAST scanning before merge is the baseline. Semgrep, CodeQL, and Bandit (for Python) catch the most mechanical vulnerability patterns: SQL injection via string concatenation, hardcoded credential strings, known-insecure function calls. These tools will not catch every vibe coding vulnerability, but they catch the ones that appear most reliably.

Secret scanning must run as a pre-commit hook, not just in CI. By the time a secret reaches the CI pipeline, it has already been committed to local history. GitLeaks with a pre-commit hook stops secrets before they enter version control. TruffleHog against the full git history catches anything that made it through.

Dependency auditing with npm audit and Snyk should block on high-severity CVEs. This catches the outdated package problem and some compromised package scenarios. Manual review of authentication flows and data validation is not optional and cannot be replaced by automated tooling. DAST on staging, using OWASP ZAP or Burp Suite, provides the adversarial perspective that static analysis cannot.

None of these controls are exotic. All of them exist in mature DevSecOps pipelines. The change vibe coding requires is treating them as mandatory rather than aspirational.

SAST scan before merge

Semgrep or CodeQL configured with security rulesets catches injection patterns, insecure function calls, and hardcoded credential strings.

Secret scanning as pre-commit hook

GitLeaks blocks secrets before they enter version control. TruffleHog audits full git history on initial codebase review.

Dependency audit in CI

npm audit blocks on high-severity CVEs. Snyk adds reachability analysis to prioritize findings that are actually exploitable.

Manual auth and validation review

A checklist-driven human review of every authentication flow and every location where user input touches a privileged operation.

DAST on staging

OWASP ZAP or Burp Suite running against a staging environment provides adversarial runtime coverage that static analysis misses.

The bottom line

Vibe coding is not inherently unsafe. The security risk scales directly with how much generated code your team accepts without understanding. The vulnerability patterns are predictable, consistent across codebases, and detectable with tooling that already exists. Security teams that treat SAST, secret scanning, dependency auditing, and manual auth review as mandatory gates on AI-generated code will catch the problems before they ship. Teams that treat these controls as optional will find them in production instead.

Frequently asked questions

Is vibe coding safe for production applications?

Vibe coding is safe for production when your team enforces the same security gates required for any code: SAST scanning, secret scanning, dependency auditing, manual review of authentication and input validation, and DAST on staging. Without those gates, vibe-coded applications ship with predictable vulnerability patterns at higher rates than hand-written code because AI models optimize for functional correctness rather than adversarial resilience.

What are the biggest security risks of AI-generated code?

The six most consistent risks in vibe-coded codebases are: insecure dependency selection (outdated or hallucinated packages), hardcoded secrets committed to version control, missing input validation enabling injection attacks, broken authentication patterns (missing CSRF tokens, weak JWT implementation), prompt injection in applications that themselves use LLMs, and supply chain risk from AI-recommended packages that have since been compromised or abandoned.

How do I audit a vibe-coded codebase for security issues?

Start with TruffleHog against the full git history to find secrets committed and rotated but still in history. Run npm audit or Snyk against all dependencies. Run a SAST tool with security rulesets against the full codebase. Then do manual review of every authentication flow and every location where user input touches a database query, template render, or outbound HTTP request. Document what you find before requesting fixes: the pattern density tells you how much of the codebase needs re-examination.

Does GitHub Copilot introduce security vulnerabilities?

Research from NYU and Stanford (Pearce et al., 2022) found that Copilot generated insecure code in roughly 40 percent of security-relevant scenarios tested. Copilot has improved since then, but the fundamental limitation remains: it generates code that matches patterns in its training data, not code that has been reviewed against adversarial inputs. Copilot is a productivity tool that requires the same security review process as any other code.

What security tools catch vibe coding vulnerabilities?

GitLeaks and TruffleHog catch hardcoded secrets. Semgrep, CodeQL, and Bandit catch injection patterns and insecure function calls through static analysis. npm audit and Snyk catch vulnerable dependencies. OWASP ZAP and Burp Suite catch runtime vulnerabilities through dynamic testing. No single tool covers all six vulnerability classes: effective coverage requires combining static analysis, secret scanning, dependency auditing, and dynamic testing.

Can vibe coding introduce supply chain attacks?

Yes, through two mechanisms. First, AI models recommend packages based on training data that does not reflect current security status, so a recommended package may have been compromised after the model's training cutoff. Second, AI models occasionally hallucinate package names that do not exist. Attackers publish malicious packages under those hallucinated names and wait for developers to install them. Running npm audit in CI and reviewing unfamiliar packages before installation are the primary controls against both vectors.

Is vibe coding safe if you use a secure AI model?

The security of the AI model you use for code generation is largely separate from the security of the code it generates. Even models with safety training and security-focused system prompts generate code with the vulnerability patterns described here, because the limitation is structural: models generate functional code based on the description they receive. An adversarial perspective on the feature being built is not part of the prompt, so it is not part of the output. Model choice matters less than the review process applied to the output.

How is vibe coding different from using a code snippet from Stack Overflow?

The risk profile is similar but the scale is different. Stack Overflow snippets are typically small, well-scrutinized, and integrated into code a developer wrote and understands. Vibe-coded features can span hundreds of lines of generated code that the developer has not read in detail. The developer knows what the feature does but may not know how it does it, which means they cannot identify the security-relevant implementation choices the model made. The vulnerability surface is larger and the reviewer's familiarity with the code is lower.

Sources & references

  1. Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions: Pearce et al., NYU/Stanford (2022)
  2. OWASP Top 10: Open Worldwide Application Security Project
  3. GitHub Security Advisory Database
  4. GitLeaks: Secret Detection for Git Repositories
  5. Snyk: Developer Security Platform

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.