Generative AI has made it easy for people to think of themselves as graphic designers or video producers, and it’s now transforming them into software developers. Known as vibe coding, this trend allows people with little or no HTML experience to write code using GenAI exclusively, which poses obvious safety and security concerns. Vibe coding may have opened the doors to coding to everyone, but this trend is starting to wear thin on those involved in producing software or those who need to use it.
In recent months, vibe coding has started to infiltrate not only large companies, like Microsoft or Anthropic, but also applications developed within the open source community. With the ability to code on the fly, fixing or contributing to projects has never been easier, but the overabundance of vibe-coded submissions has also started to cause havoc, forcing several maintainers to do everything possible to keep it out of their projects. One of the most commonly used computer tools, curl, which allows downloading via the command line, has shut down its bug bounty program due to an influx of vibe-coded attempts to demand money. Some have even turned to “vibe hacking”.
Why vibe coding is bad for development
Vibe coding is bad for software development because of the potential lack of knowledge on the part of the person creating the code. Because people are trying to deliver code that they may not fully understand, problems that arise cannot be resolved as easily. Imagine being asked to build a car, but you’ve only ever seen a car and never examined how it actually works. Once the car starts emitting black smoke, how are you supposed to fix it? This is a catch-all way of looking at how vibe coders work.
A report from InfoQ highlights that even though Tailwind CSS — a framework for web design — is more popular than ever, documentation visits are down 40%. This means more people are using Tailwind to create HTML, but fewer people are following up when they run into an issue or want to know the nuances of the software they’re using to develop. Following this trend, Stack Overflow, which was the primary resource for answering a wide range of programming questions, has seen traffic disappear since the launch of ChatGPT.
Easy coding, huge risk
Computer literacy is declining everywhere, even though we carry a computer in our hands or pockets almost every day. What were once considered basic tasks, like navigating a file system, are being lost to new generations of users, who are then turning to AI to write code for their programs. The main concern here is that GenAI models are designed to always attempt to provide an answer and are trained to behave in a certain way based on past interactions with users, to the point that if the chatbot doesn’t have the answer, it will try to provide one anyway, a behavior known as “AI hallucinations.”
AI-generated programs created by those who don’t understand what they’re doing are increasingly dangerous, because the person behind the keyboard may not understand what they (or the AI) have created. This, in turn, exposes the end user to risk from software packages that do not behave as expected or present unknown security risks. Looking at discussions about open source projects on forums, many conversations focus on the fact that the person providing software, such as plugins for the media hosting platform Jellyfin, cannot recognize the potential risk this poses to the user. This is why, in recent weeks, Apple decided to remove a vibe coding app from its App Store, because it cannot mitigate the dangers of anyone deploying code.
AI relies mainly on plagiarism
In the right hands, AI-generated code could potentially be put to good use, but several reports have shown that large companies, like Nvidia and Meta, have actually stolen works from the web to train AI models. GenAI is built on top of other people’s works, which is most visible in image and video generators. AI trainers harvest tons of content from the web and plug it into the model’s information list, then that content is used to create something when asked, without license or credit to the original source.
The same goes for AI code. The vast majority of information that Claude Code can provide comes directly from manuals, forums, and other resources that people have spent time and effort creating. With no real way to determine where information comes from, open source software risks being removed due to the use of code that could be stolen.
If, for example, the ReactOS project, which aims to recreate Windows as open source software, were to one day be removed from Microsoft, this would immediately neutralize the project. With generative AI and vibe coding, users often have no way to verify where the code comes from. This could get worse, as Microsoft has now enabled Copilot training outside of GitHub projects by default.
