How CTOs Can Rein In Vibe Coding Cybersecurity Risks

Forbes

14-07-2025

Founder & CEO of Excellent Webworld. A tech innovator with 12+ years of experience in IT, leading 900+ successful projects globally.
In 2025, "vibe coding"—creating software simply by describing your requirements in plain English (i.e., writing a prompt)—has become the IT industry's biggest buzzword.
AI tools like Cursor, Lovable and Firebase AI have democratized software creation, enabling even nontechnical users to launch apps and prototypes at unprecedented speed. Andrej Karpathy, who coined the term "vibe coding" in February 2025, explains: "It's not really coding—I just see stuff, say stuff, run stuff, and copy paste stuff, and it mostly works."
While AI-generated code delivers speed and faster time to market, a darker reality is emerging: The same ease that lets anyone spin up a website in minutes allows cybercriminals to do the same. For example:
• In 2025, attackers exploited GitLab Duo's AI coding assistant through hidden prompts, causing AI-generated code to leak private source and inject malicious HTML.
• Similarly, a Stanford student used prompt injection on Bing Chat to reveal hidden system instructions, exposing sensitive internal data. A direct result of AI-generated responses trusting manipulated user prompts.
Urgent action is needed to safeguard digital assets. In this article, I'll share my thoughts on the dark side of vibe coding based on my readings and analysis and why business leaders must rethink their cybersecurity strategies.
How Vibe Coding Accelerates Cyberattacks
AI-powered vibe coding tools often import external software components automatically. However, these components aren't always thoroughly checked, creating significant business risks.
Some of these software components may even be malicious in disguise. Hackers use "slopsquatting" and "typosquatting," or uploading fake software packages with names nearly identical to trusted ones. If a company's AI tool pulls in one of these malicious packages, it can trigger data breaches, system failures or costly downtime.
Another significant threat is that, as a recent study found, major AI code tools produce insecure code. Nearly 48% of AI-generated code snippets had exploitable vulnerabilities.
These aren't just theoretical risks. One prominent case involved the Storm-2139 cybercrime group, which hijacked Azure OpenAI accounts by exploiting stolen API credentials. They bypassed Microsoft's security measures, generating policy-violating and potentially harmful outputs at scale.
As a result, security teams are facing large consequences from AI coding. For example, a recent survey found that, while accidentally installing malicious code was relatively rare, 60% of these incidents were rated as highly significant when they did occur.
The Human Factor: Overreliance And Erosion Of Security Skills
Vibe coding enables people without technical backgrounds—business managers, marketers and more—to build apps using AI tools. However, many lack cybersecurity training, so critical safety steps are often skipped.
This problem grows when teams trust AI-generated code too much, believing it's safe just because a machine produced it. As organizations lean on AI, they risk losing essential security skills and oversight. Without human review and ongoing training, hidden threats can slip through, putting the entire business at risk.
In my experience advising digital transformation projects, I've seen teams skip code reviews when using AI tools, assuming the technology is infallible. This overconfidence can be costly; one overlooked vulnerability can compromise an entire system.
The Real-World Business Impact Of Security Breaches From Vibe Coding
Compliance violations will likely grow as AI-generated code can fail to meet stringent regulatory standards.
With the advent of the EU AI Act and stricter U.S. cybersecurity frameworks, regulators now require organizations to demonstrate robust controls over AI-generated software. Noncompliance can mean monetary penalties, restricted market access and lasting reputational damage that can be very difficult to overcome.
For enterprise leaders, the message is clear: Unchecked AI-generated code introduces systemic vulnerabilities that threaten financial performance and long-term resilience, which are crucial for any organization to thrive in today's digital economy.
What Business Leaders Must Do To Prevent This Nightmare?
Business leaders face a crossroads as AI-enabled "vibe coding" reshapes software development. The convenience and speed are undeniable, as are the hidden cybersecurity risks.
To protect your organization, take these proactive steps:
• Deploy automated security scanning tools to catch vulnerabilities in real time.
• Mandate human code reviews for all AI-generated outputs.
• Schedule regular, independent security audits to detect hidden threats.
• Embed security checks throughout the software development life cycle.
• Educate all teams about the risks of AI-driven code to build a security-first culture.
• Closely monitor AI tool usage; treat every new code as a potential risk.
• Establish clear policies for AI code adoption and escalation protocols.
These steps must be continuous, not just periodic, to keep pace with evolving threats.
As AI redefines what's possible, those prioritizing security will not only mitigate risk but also unlock new growth opportunities. Companies that thrive will treat cybersecurity as a catalyst for innovation, embedding trust and resilience into every digital initiative.
The choice is clear: Lead the charge in securing the AI-driven era, or risk being left vulnerable.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?