Vibe Coding Is the New Open Source—in the Worst Way Possible

Summary

Developers are increasingly using AI to generate chunks of code — a practice dubbed “vibe coding” — much like they have relied on open source libraries. WIRED warns this shortcut is amplifying software-supply-chain risks because AI can regurgitate vulnerable or low-quality code, produce inconsistent outputs, and obscure authorship and audit trails. Security researchers and firms such as Edera and Checkmarx highlight that AI-written code lacks the transparency and accountability mechanisms familiar from open source workflows, and surveys suggest a large share of organisational code is already AI-generated while few have formal controls in place.

Key Points

  • Vibe coding uses AI to produce quick, reusable code snippets, accelerating development but introducing security blind spots.
  • AI training data can include old or vulnerable code, meaning known flaws may reappear in new projects.
  • AI-generated outputs vary between calls, so different developers using the same model can receive different code for the same task, complicating consistency and review.
  • Traditional open source safeguards — visible commits, pull requests, clear authorship and audit trails — are often missing or fragmented with AI-generated code.
  • Checkmarx survey: about a third of respondents reported >60% of their organisation’s code was AI-generated in 2024, but only 18% had an approved-tools list for vibe coding.
  • Vibe coding can disproportionately harm small businesses and vulnerable groups who adopt low-effort AI tooling without resources for robust security review.
  • Experts urge applying lessons from open source supply-chain security to AI-driven development, or risk widespread, hard-to-trace vulnerabilities.
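The missing safeguards the article lists (authorship, review, audit trail, an approved-tools list) can be partly restored by recording AI assistance in the commit itself and checking it mechanically. The script below is an added illustration, not code from the WIRED article or from Edera or Checkmarx. It assumes a team convention, not described on the page, of an `AI-Assisted:` git trailer naming the tool plus a `Reviewed-by:` trailer for human sign-off, and it uses constructed sample commits and placeholder tool names; it also reports the share of AI-assisted commits, the kind of figure the Checkmarx survey asked about.

```python
"""Provenance check for AI-assisted commits (added example, not from the article).

Assumed convention (not part of the original page): a commit that contains
AI-generated code carries an `AI-Assisted: <tool>` trailer, and every such
commit must also carry a `Reviewed-by:` trailer and name a tool from the
team's approved list. Commits without the trailer are treated as human-written.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Placeholder approved-tools list; real names would come from team policy.
APPROVED_TOOLS = {"assistant-a", "assistant-b"}

TRAILER_RE = re.compile(r"^AI-Assisted:\s*(?P<tool>[\w.-]+)\s*$",
                        re.MULTILINE | re.IGNORECASE)
REVIEWED_RE = re.compile(r"^Reviewed-by:\s*\S.*$", re.MULTILINE)


@dataclass
class Commit:
    sha: str
    author: str
    message: str


@dataclass
class Finding:
    sha: str
    problems: List[str]


def ai_tool(commit: Commit):
    """Return the declared AI tool (lower-cased) or None if the commit has no trailer."""
    m = TRAILER_RE.search(commit.message)
    return m.group("tool").lower() if m else None


def check_commit(commit: Commit, approved=APPROVED_TOOLS) -> List[str]:
    """Policy checks that apply only to commits declaring AI assistance."""
    problems = []
    tool = ai_tool(commit)
    if tool is None:
        return problems
    if tool not in approved:
        problems.append(f"AI tool '{tool}' is not on the approved-tools list")
    if not REVIEWED_RE.search(commit.message):
        problems.append("AI-assisted change lacks a Reviewed-by trailer")
    return problems


def summarize(commits: List[Commit]) -> Dict:
    """Aggregate findings and the share of commits that declare AI assistance."""
    findings = [Finding(c.sha, p) for c in commits if (p := check_commit(c))]
    ai_count = sum(1 for c in commits if ai_tool(c) is not None)
    return {
        "total": len(commits),
        "ai_assisted": ai_count,
        "ai_share": ai_count / len(commits) if commits else 0.0,
        "findings": findings,
    }


# Constructed sample history; shas, authors and messages are invented.
SAMPLE_COMMITS = [
    Commit("a1", "alice", "Add retry logic\n\nAI-Assisted: assistant-a\n"
                          "Reviewed-by: Alice <alice@example.com>"),
    Commit("b2", "bob", "Refactor parser\n\nAI-Assisted: some-unvetted-tool"),
    Commit("c3", "carol", "Fix typo in README"),
    Commit("d4", "dave", "Generate CSV exporter\n\nAI-Assisted: assistant-b"),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_COMMITS)
    print(f"{report['ai_assisted']}/{report['total']} commits declare AI "
          f"assistance ({report['ai_share']:.0%})")
    for f in report["findings"]:
        for p in f.problems:
            print(f"{f.sha}: {p}")
```

Run as a pre-receive or CI step over the commits in a push, this turns the article's "who wrote this and who checked it" question into a recorded, queryable answer; it cannot detect AI code that a developer never declares, so it complements rather than replaces code review and static analysis.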

Context and Relevance

As AI tools become tightly integrated into software development, the landscape of code provenance and accountability is changing fast. For security teams, software engineers and technology leaders, this article explains why the shift to AI-assisted code isn’t just about productivity — it’s a material security threat that intersects with software-supply-chain risk, compliance and operational resilience. It connects to ongoing industry trends: heavy uptake of LLMs in engineering workflows, debates about model training data quality, and a rising need for governance and approved-tool lists.

Author style

Punchy. The writer frames vibe coding as an urgent security headache rather than a niche convenience, signalling that the issue matters now for everyone from individual devs to enterprise security teams.

Why should I read this?

Look — if you write, ship or sign off on code, this matters. Vibe coding is fast and handy, but it can sneak vulnerabilities into products with no obvious trail back to the cause. Read it to avoid being surprised by a nasty supply-chain bug that came from a hurried AI snippet. Saves time, potential breach drama and finger-pointing later.

Source

Source: https://www.wired.com/story/vibe-coding-is-the-new-open-source/