The Vibe Coding Wake-Up Call: When Your AI Assistant Becomes the Attack Surface

February 24, 2026
9 min read

A BBC reporter's laptop was compromised without a single click — through an AI coding platform called Orchids. No malicious download, no phishing link, no user error. This is what happens when AI agents get deep system access before anyone secures them properly.

I use Claude Code regularly. It sits on my machine, it has access to my project files, it executes commands on my behalf. When it works, it's genuinely impressive — the kind of tool that makes you rethink how much of the grunt work in a technical workflow actually needs a human in the loop.

So when I read about a BBC reporter getting their laptop wallpaper changed to "You Are Hacked" through an AI coding platform called Orchids — without clicking a single malicious link, without downloading anything, without doing anything wrong at all — I didn't think that's surprising. I thought that was always going to happen.

And the three reasons why aren't separate problems. They connect.


What Actually Happened

Cybersecurity researcher Etizaz Mohsin demonstrated a critical, unpatched security flaw in Orchids — a popular "vibe coding" platform — to BBC journalist Joe Tidy. Orchids is one of a new generation of AI coding tools that lets people with zero technical experience build apps and games simply by describing what they want in plain English.

Orchids claims a million users. Companies including Google, Uber, and Amazon are listed on their website. It's rated among the top platforms for vibe coding according to multiple benchmarks.

Here's what Mohsin did. While Tidy was using Orchids to build a small test project, Mohsin exploited a vulnerability in the platform to access Tidy's project remotely — without any interaction from the victim. He inserted a small line of code into the thousands of lines the AI had already generated. Code that Tidy couldn't read, in a file he wasn't watching, doing something he had no idea was happening.

Shortly after, a file called "Joe is hacked" appeared on the desktop. The wallpaper changed to an image of an AI hacker skull.

That's a demonstration. In a real attack, it wouldn't be a wallpaper. It would be a keylogger. A credential stealer. A reverse shell. A camera and microphone tap. All delivered through a zero-click attack — meaning the victim didn't have to do anything to get compromised.

Mohsin had been trying to report this to Orchids since December 2025 — roughly two months. Around a dozen messages across email, LinkedIn, and Discord. The company finally responded this week, saying they had "possibly missed" his warnings because the team was "overwhelmed with inbound" messages.

Orchids has fewer than 10 employees. They were founded in 2025.


The Three Problems That Connect

1. AI Agents With Deep System Access Are a Disaster Waiting to Happen

This isn't just about Orchids. This is about the fundamental architecture of how agentic AI tools work.

For an AI coding assistant to do its job — write files, run commands, install packages, modify configs — it needs deep access to your machine. That's not a bug. That's the feature. The whole value proposition of tools like Claude Code, Cursor, Windsurf, and Lovable is that they can act on your behalf, not just advise.

But that access cuts both ways. The same permissions that allow the AI to create a file can be abused to create a malicious file. The same ability to execute code can be pointed at something you never intended to run. When the AI agent is the one with the keys to your system, compromising the agent is compromising you.

Mohsin put it directly: the vibe-coding revolution has created an entirely new class of security vulnerability that simply didn't exist before these tools. He's right. We haven't fully reckoned with what it means to hand autonomous execution capabilities to software that connects to external services, processes untrusted input, and operates with minimal human oversight between each action.

2. Vibe Coding Is Dangerous in the Wrong Hands

The whole point of vibe coding is that you don't need to understand what the code does. You describe what you want, the AI writes it, and it runs. That's the pitch. That's why it's exploding in popularity.

But here's the problem: if you can't read the code, you can't audit the code. And if you can't audit the code, you have absolutely no way to know if something malicious has been inserted into it.

Tidy was watching thousands of lines of AI-generated code scroll past on his screen. He had no idea a single line had been added that gave an attacker access to his machine. How could he? He didn't write any of it. He couldn't tell the difference between legitimate generated code and an injected payload.

This is the fundamental tension with vibe coding. The lower the barrier to building software, the lower the barrier to deploying compromised software. Non-technical users are precisely the ones least equipped to spot when something has gone wrong inside the AI's output.

Kevin Curran, Professor of Cybersecurity at Ulster University, framed it clearly: without discipline, documentation, and review, AI-generated code often fails under attack. Those are exactly the three things vibe coding, by design, removes from the equation.
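
The one check a user who cannot read code can still perform is the mechanical one: record what the project looked like the moment generation finished, and flag anything that changes afterward. The example below is added here to show that check end to end; it is my code, not code from the BBC story, from Orchids, or from any of the tools named in this post. The generated project files, the "injected" line (an inert console.log placeholder) and the extra file are all constructed for the demo. It takes a SHA-256 baseline of every file, re-scans, and prints exactly which lines appeared in which files.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a file an AI coding tool generated for the user.
GENERATED_APP = (
    'const express = require("express");\n'
    'const app = express();\n'
    'app.get("/", (req, res) => res.send("hello"));\n'
    'app.listen(3000);\n'
)
# Constructed stand-in for a line added later without the user's knowledge.
INJECTED_LINE = 'console.log("INJECTED_PLACEHOLDER"); // constructed: not requested by the user'


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256 and text."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "text": data.decode("utf-8", errors="replace"),
            }
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline
            if p in current and baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def inserted_lines(old_text: str, new_text: str) -> list:
    """Lines present in new_text but absent from old_text, in file order."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def review_changes(root: Path, baseline: dict) -> dict:
    """Re-scan root and return every changed file with the lines that appeared in it."""
    current = build_manifest(root)
    delta = compare_manifests(baseline, current)
    delta["inserted"] = {
        p: inserted_lines(baseline[p]["text"], current[p]["text"]) for p in delta["modified"]
    }
    # A brand-new file is entirely "inserted" text and deserves the same scrutiny.
    delta["inserted"].update({p: current[p]["text"].splitlines() for p in delta["added"]})
    return delta


def demo() -> dict:
    """Generate a project, baseline it, simulate a silent change, and review the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "app.js").write_text(GENERATED_APP)
        (root / "package.json").write_text('{"name": "demo", "main": "src/app.js"}\n')
        baseline = build_manifest(root)  # taken the moment generation finishes

        app = root / "src" / "app.js"
        app.write_text(app.read_text() + INJECTED_LINE + "\n")  # the silent one-line change
        (root / "src" / "helper.js").write_text("// constructed: a new file nobody asked for\n")

        return review_changes(root, baseline)


if __name__ == "__main__":
    result = demo()
    for path, lines in result["inserted"].items():
        print(f"{path}: {len(lines)} new line(s)")
        for line in lines:
            print("  +", line)
```

Run it once right after the AI finishes a generation step and again before you execute anything. The output is a short list of files and lines to look at rather than thousands of lines scrolling past, which is the difference between Tidy's situation and a reviewable one.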

3. Companies Are Shipping AI Agents Faster Than They Can Secure Them

Orchids was founded in 2025. Fewer than 10 employees. A million claimed users. So "overwhelmed with inbound" that they missed two months of vulnerability reports from a researcher who tried to reach them over a dozen times across multiple channels.

This is the startup-moves-fast reality colliding head-on with the security-takes-time reality. And in cybersecurity, when those two things collide, it's always the users who absorb the impact.

Orchids is not an outlier. The entire vibe coding space is moving at the same speed. New platforms launching every few weeks, each one racing to capture users before the next competitor, each one granting the same deep system access, each one with a security posture that reflects a team of under 10 people who are overwhelmed.


This Isn't Just a Vibe Coding Problem

Mohsin specifically said he found this flaw in Orchids, and had not yet found the same vulnerability in Claude Code, Cursor, Windsurf, or Lovable at the time of writing.

But that caveat shouldn't make anyone comfortable. It means one specific researcher hasn't found the same flaw in those other platforms yet. It doesn't mean the flaws aren't there. It doesn't mean a different researcher hasn't already found them. It doesn't mean they won't appear next month when a new feature ships in a hurry.

The Orchids case is a proof of concept for a class of attack. The specific vulnerability matters less than what it demonstrated: that an AI coding platform with deep system access can be turned into a zero-click malware delivery mechanism against a completely passive victim.

If you're running any agentic AI tool on your primary work machine right now — and I include myself in this — that's a risk profile worth thinking about seriously.


What You Should Actually Do

Use a dedicated machine or VM for AI agent experimentation. Your primary work machine — the one with corporate credentials, VPN access, client data, SSH keys — should not be where you run AI agents that have deep system access. Get a secondary machine or spin up a VM. Treat it as a sandboxed environment. This is the top recommendation from security professionals and it's the right one.

Don't assume the code is clean just because the AI wrote it. If you're using vibe coding platforms without a developer reviewing the output, you're trusting code you can't audit. At minimum, run AI-generated projects in isolated environments before deploying anything connected to real systems or real data.

Use disposable accounts for experimentation. When testing new AI agent tools, don't authenticate with your main accounts. Create throwaway credentials. Assume the tool has access to everything you log into while using it.

Check what permissions your AI tools actually have. Claude Code and others use configuration files that control what they're allowed to do autonomously. In my last post I covered how FortiGate attackers abused settings.local.json to pre-approve offensive tools without per-command approval. The same principle applies defensively — know what your AI agents are authorized to do, and apply least privilege.

Stay updated on vulnerabilities in the tools you use. Orchids had an unpatched critical vulnerability for at least two months while a researcher was actively trying to report it. Don't assume a popular tool is a secure one. Follow security advisories, GitHub issues, and community channels for any AI platform you rely on.
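
To make the permissions audit in the list above concrete, here is an added example of my own (not a tool shipped by Anthropic, Orchids, or any vendor named here) that reads a settings file, flags pre-approved rules that amount to unrestricted execution or access to credential material, and writes out a tightened version. It assumes the permissions.allow / permissions.deny layout of Claude Code settings files, where each rule is written as Tool or Tool(pattern); the sample file contents, the sensitive-path markers and the severity rules are constructed for the demo and are a starting point, not a complete policy.

```python
import copy
import json
import re

# A permission rule is "Tool" or "Tool(pattern)"; the layout below mirrors the
# permissions.allow / permissions.deny lists in a Claude Code settings file.
RULE_RE = re.compile(r"^(?P<tool>[A-Za-z]+)(?:\((?P<pattern>.*)\))?$")

# Constructed: what an over-permissive settings.local.json might contain.
SAMPLE_SETTINGS_JSON = json.dumps({
    "permissions": {
        "allow": [
            "Bash(*)",
            "Bash(npm run test:*)",
            "Bash(sudo:*)",
            "Read(~/.ssh/*)",
            "Edit(src/**)",
            "Write(**)",
        ],
        "deny": [],
    }
})

# Paths an agent should never be pre-approved to touch (constructed list; extend it).
SENSITIVE_MARKERS = ("~/.ssh", "~/.aws", "~/.gnupg", ".env", "id_rsa", "credentials")


def parse_rule(rule: str):
    """Split 'Tool(pattern)' into (tool, pattern); pattern is None for a bare 'Tool'."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised permission rule: {rule!r}")
    return m.group("tool"), m.group("pattern")


def assess_rule(rule: str):
    """Return (severity, reason) for a risky allow rule, or None if it is acceptably narrow."""
    tool, pattern = parse_rule(rule)
    pat = pattern or ""
    if tool == "Bash" and pat in ("", "*", ":*"):
        return "critical", "unrestricted shell: every command runs with no per-command approval"
    if tool == "Bash" and pat.startswith("sudo"):
        return "high", "pre-approved privilege escalation"
    if tool in ("Read", "Edit", "Write") and any(m in pat for m in SENSITIVE_MARKERS):
        return "high", f"{tool} access to credential material ({pat})"
    if tool in ("Edit", "Write") and pat in ("*", "**"):
        return "medium", "agent may write any file in the project without asking"
    return None


def audit(settings: dict) -> list:
    """List every allow rule that fails the least-privilege check, in file order."""
    findings = []
    for rule in settings.get("permissions", {}).get("allow", []):
        verdict = assess_rule(rule)
        if verdict:
            findings.append({"rule": rule, "severity": verdict[0], "reason": verdict[1]})
    return findings


def harden(settings: dict) -> dict:
    """Remove critical/high allow rules (so they fall back to prompting) and deny credential paths."""
    hardened = copy.deepcopy(settings)
    perms = hardened.setdefault("permissions", {})
    keep, deny = [], list(perms.get("deny", []))
    for rule in perms.get("allow", []):
        verdict = assess_rule(rule)
        if verdict and verdict[0] in ("critical", "high"):
            tool, _ = parse_rule(rule)
            if tool in ("Read", "Edit", "Write") and rule not in deny:
                deny.append(rule)  # block credential paths outright, not merely un-approve
            continue
        keep.append(rule)
    perms["allow"], perms["deny"] = keep, deny
    return hardened


def audit_text(text: str) -> dict:
    """Audit the JSON text of a settings file and return findings plus a hardened copy."""
    settings = json.loads(text)
    return {"findings": audit(settings), "hardened": harden(settings)}


if __name__ == "__main__":
    report = audit_text(SAMPLE_SETTINGS_JSON)
    for f in report["findings"]:
        print(f"[{f['severity'].upper():8}] {f['rule']}: {f['reason']}")
    print(json.dumps(report["hardened"], indent=2))
```

Point it at the real file with `audit_text(open(".claude/settings.local.json").read())` and treat every critical finding as something to fix before the agent runs again; the hardened output keeps the narrow rules (a specific npm script, edits under src/) and drops the blanket ones, which is what least privilege looks like for an agent.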


Quick Reference: AI Agent Safety Checklist

Action                                     | Why
-------------------------------------------|--------------------------------------------------------
Use a dedicated machine or VM              | Limits blast radius if the agent is compromised
Review AI-generated code before running    | You can't spot injected malware in code you can't read
Use disposable accounts for testing        | Limits credential exposure
Audit agent permissions regularly          | Least privilege applies to AI agents too
Follow security advisories for your tools  | Vendors patch slowly — know before you're hit


My Take

We're in a period where the hype around AI agents is running significantly ahead of the security maturity of the platforms delivering them. That gap is where attacks happen.

I'm not saying stop using these tools. I use them. The productivity gains are real. But the security community has been saying for months that agentic AI — software that acts autonomously with deep system access — is a fundamentally new attack surface that isn't being taken seriously enough.

The Orchids story is the first mainstream, publicly demonstrated, real-world proof of that concern. A BBC reporter's laptop, compromised without a single click, through a tool they were using completely normally.

It won't be the last.

The convenience of letting AI handle things for you is real. But so is the risk. Right now, those two things are not being balanced honestly — not by the companies building these platforms, not by the marketing around them, and not by most of the people adopting them.

That's worth knowing before you hand another AI agent the keys to your machine.


Source: AI coding platform's flaws allow BBC reporter to be hacked — BBC News, February 13, 2026
Researcher: Etizaz Mohsin — BlackHat conference speaker, security researcher