
Vibe Hacking: The Evil Twin of Vibe Coding

Nikita Nosov

In February 2025, Andrej Karpathy coined the term vibecoding, urging us to “embrace exponentials.”1 He described a workflow where you “barely touch the keyboard,” but instead “see stuff, say stuff, run stuff, and copy paste stuff, and it mostly works.”

It’s been over 10 months since then, and the term has deeply rooted itself in our consciousness, mass culture, and the programming world. It has evolved into various branches: we’ve seen vibe planning, spec-driven development, and even the less pleasant vibe debugging :).

But today I want to talk about a critical, darker offshoot: Vibe Hacking, the evil twin of vibe coding.

The Discovery

I recently wrote about how I managed to compromise most community SaaS projects just by opening DevTools and applying a tiny bit of effort. In retrospect, that approach perfectly embodies Vibe Hacking.

I didn’t invent this term. Interestingly, I discovered the method partially through practice, arrived at the concept myself, and only later found out it’s already actively discussed in AI cybersecurity circles. But this independent discovery allows me to look at it from a more authentic angle — not from the perspective of mass media or large publishers expressing concern, but from the perspective of a regular developer guy, like me.

What is Vibe Hacking?

In my opinion, Vibe Hacking is what you get when you combine a basic understanding of how the web works (how a frontend talks to a backend, what an API is) with heavy use of AI, and point all of it at breaking systems.

Using natural language, attackers can direct an AI to:

  • Scout the perimeter of public or internal systems
  • Parse massive data dumps to find overlooked credentials or patterns
  • Generate convincing phishing that perfectly mimics an organization’s tone
  • Slip through cracks via misconfigured bots or third-party integrations
  • Steal sensitive data while adapting tactics in real-time

The attacker essentially gaslights the chatbot or agent system, convincing it that it is doing legitimate security work rather than attacking someone else's defenceless site. And it is terrifyingly simple to do.

The Scale of the Problem

Here’s a sobering number: 87% of organizations have already experienced an AI-powered cyberattack in the past year.2

Attackers can build end-to-end campaigns for mass vulnerability scanning orchestrated by state-of-the-art LLMs. An agent with web access can look up a public exploit for a specific CVE in seconds and then try it against a target.

Such an agent does not even need to analyze a vulnerability carefully. It can simply iterate thousands of times until it finds a crack, because the cost of "intelligence" for such an agent is orders of magnitude lower than human labor.

This isn’t theoretical. In a report published in November 2025, Anthropic documented what it describes as the first reported large-scale AI-orchestrated espionage campaign, detected in mid-September 2025. A state-sponsored group used Claude Code to attack roughly 30 targets. The AI executed 80-90% of the campaign with minimal human intervention. At peak activity it was making thousands of requests, often several per second, a tempo no human operator could sustain.3

Combine these factors:

  1. Most sites contain common vulnerabilities
  2. Vibe-hacking AI agents can scan for these non-stop
  3. Scale: the same workflow can be run against thousands of targets at little extra cost

Anthropic calls this a “fundamental shift in cybersecurity.”3

The Modern Paradox

This leads us to a fascinating paradox.

In the current era, the barrier to entry for creating an internet product is lower than ever. People don’t strictly need to know any technology to ship a product. But this ease of creation spawns massive security holes.

A recent study from NYU and Stanford tested vibe-coded solutions directly: out of all functionally correct code generated by AI agents, only 10.5% was actually secure. More than 80% of working solutions contained vulnerabilities.4 Another study found that up to 40% of AI-generated code contains security flaws.5

A non-technical person can certainly create a product, but can they protect it? That is the question.

The paradox is that in times when you don’t need to learn a bunch of technologies to build a product, you REALLY need to learn a bunch of technologies to build a RELIABLE, WORKING, DURABLE, and SECURE product. Not just another piece of AI Slop that endangers your users.
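To make the "working but insecure" finding concrete, here is the kind of bug that shows up in vibe-coded backends and that the DevTools approach from earlier in this post trips over: a handler that accepts the caller's identity from the request body instead of the server-side session. This is an added example written for this page, not code from the original post or from any of the projects it mentions; the invoice data, request shape and function names are constructed for the illustration, and a real app would use a framework's session middleware and a database.

```javascript
// Added example (not from the original post): a typical "vibe-coded" authorization
// bug beside its hardened form. The data, request shape and function names below
// are constructed for this illustration.

// Constructed sample data: two tenants, each owning one invoice.
const invoices = {
  "inv-1": { id: "inv-1", ownerId: "alice", total: 120 },
  "inv-2": { id: "inv-2", ownerId: "bob", total: 999 },
};

// Minimal stand-in for a framework response object.
function reply(status, body) {
  return { status, body };
}

// VULNERABLE: the handler trusts the userId the browser sent in the JSON body.
// Because the frontend "always" sends the logged-in user's id, the generated code
// never compares it with the server-side session. Anyone who edits the request in
// DevTools (or replays it with curl) can read any tenant's invoice.
function getInvoiceVulnerable(req) {
  const { invoiceId, userId } = req.body;
  const inv = invoices[invoiceId];
  if (!inv) return reply(404, { error: "not found" });
  if (inv.ownerId !== userId) return reply(403, { error: "forbidden" });
  return reply(200, inv);
}

// HARDENED: identity comes only from the server-side session established at login;
// identity fields in the body are ignored. Ownership is checked against that
// identity, and "not found" and "forbidden" are collapsed into one answer so the
// API does not confirm which invoice ids exist for other tenants.
function getInvoiceHardened(req) {
  const { invoiceId } = req.body;
  const callerId = req.session && req.session.userId;
  if (!callerId) return reply(401, { error: "unauthenticated" });
  const inv = invoices[invoiceId];
  if (!inv || inv.ownerId !== callerId) return reply(404, { error: "not found" });
  return reply(200, inv);
}

// Simulates what an attacker does from DevTools: keep Alice's real session, but
// rewrite the JSON body so userId matches the victim's invoice.
function tamperedRequest() {
  return {
    session: { userId: "alice" },                // real session, from the cookie
    body: { invoiceId: "inv-2", userId: "bob" }, // edited in DevTools
  };
}

// Runs the tampered request through both handlers and returns the status codes.
function demo() {
  const req = tamperedRequest();
  return {
    vulnerable: getInvoiceVulnerable(req).status, // 200: Bob's invoice leaks to Alice
    hardened: getInvoiceHardened(req).status,     // 404: session identity wins
  };
}

console.log(demo());
```

The fix is not more code, it is a different source of truth: the only identity the server may act on is the one it established itself. That is exactly the kind of principle a developer has to bring to the session, because the generated handler is "functionally correct" for every honest request and only fails for the dishonest one.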

Conclusion

Of course, developers today don’t need to memorize syntax or manually type every line of code. But it is absolutely MANDATORY to understand the underlying principles of how your code works.

You must know the bottlenecks. You must have a deep reservoir of fundamental knowledge to direct the AI towards security, rather than into an abyss.

Vibe coding is a superpower, but with great power comes great responsibility. Without deep understanding, you’re not a superhero — you’re just a danger to yourself and your users.


Footnotes

  1. Karpathy, A. (2025). Original vibecoding tweet

  2. Programs.com. (2025). AI Cyberattack Statistics

  3. Anthropic. (2025). Disrupting the first reported AI-orchestrated cyber espionage campaign

  4. NYU & Stanford. (2025). SusVibes: AI Code Security Benchmark

  5. Infosecurity Magazine. (2025). Vibe Coding Security Risk