AI-VIBE-CODED-INSECURE-2025
AI coding · AI-generated application code (LLM coding assistants)
Résumé
Large-scale 2025 studies confirm that AI coding assistants emit insecure code at a high baseline rate, and that unreviewed 'vibe-coded' output ships those flaws to production. Veracode's 2025 GenAI Code Security Report (July 30, 2025), which evaluated over 100 LLMs across 80+ coding tasks in Java, Python, C# and JavaScript, found 45% of AI-generated samples introduced an OWASP Top 10 vulnerability, with an 86% failure rate on cross-site scripting and 88% on log injection, and security performance stayed flat regardless of model size or release date. The mechanism is that LLMs predict statistically likely code from training data rather than reasoning about security invariants, so they default to unparameterized SQL queries, unencoded output, hardcoded secrets and weak cryptography unless explicitly constrained. Stanford's user study 'Do Users Write More Insecure Code with AI Assistants?' (Perry, Srivastava, Kumar, Boneh; ACM CCS 2023) found that developers given an AI assistant wrote significantly less secure code, especially for encryption and SQL injection, yet were more confident their code was secure, removing the human skepticism that would otherwise catch the flaw. When this output is accepted and merged without review, SQLi, XSS, secret exposure and weak-crypto defects propagate into shipped software at scale.
Comment l’éviter dans votre code
- Treat all AI-generated code as untrusted: require mandatory human security review and automated SAST/secret scanning on every AI-authored PR.
- Block auto-accept and auto-merge of agent output; gate merges on passing security checks.
- Add language-aware guardrails for SQL, output encoding, crypto and secrets to catch the common AI failure classes.
- Train developers that AI assistance increases overconfidence; mandate explicit verification of security-sensitive code paths.
- Inventory and rescan existing AI-generated code already in the stack, including vendor and open-source contributions.
Références
Vulnérabilités liées
Tout AI/LLM →- HIGHAI-RULES-FILE-BACKDOOR-2025
Pillar Security disclosed a supply-chain attack technique called 'Rules File Backdoor' that weaponizes the configuration/rules files used to steer AI coding agents in Cursor and GitHub Copilot. Attackers embed instructions using invisible Unicode characters (zero-width joiners, bidirectional markers), contextual manipulation, and log-suppression directives that are readable by the AI but invisible to human reviewers, causing the agent to silently generate backdoored or vulnerable code and leak secrets. Because rules files are shared and reused across projects and survive forking, one poisoned file persistently compromises all future code-generation sessions for downstream users.
- MEDIUMAI-COPILOT-INSECURE-CODE-2021
NYU researchers conducted the 'Asleep at the Keyboard?' study assessing the security of GitHub Copilot's code suggestions across scenarios derived from MITRE's Top 25 CWE weaknesses. Across 89 scenarios that produced 1,689 generated programs, approximately 40% were found to contain security vulnerabilities. The finding established that AI code-completion tools frequently emit insecure code and should be paired with security-aware tooling and human review.
- CRITICALAI-GROK-BANKR-WALLET-2026
In early May 2026 an attacker drained roughly $150,000 from an AI-powered crypto trading agent on X (Twitter) through prompt injection, an exploit of Grok and the linked Bankrbot agent documented by AI-security researchers including Giskard and NeuralTrust. The attacker posted a Morse-code-encoded message on X and asked Grok to translate it; Grok decoded the obfuscated payload, which contained hidden financial instructions, and the encoding let the untrusted post slip past content filters. Grok processed this user-supplied X content as a trusted directive with no separation between conversation input and authorized commands, then relayed the decoded instruction to the linked Bankrbot agent, which executed it as a legitimate order. Combined with a previously transferred Bankr Club Membership NFT that granted elevated 'Executive' wallet permissions, Bankrbot sent about 3 billion DRB tokens (roughly $150,000) on the Base network to the attacker's wallet, with no human-in-the-loop or circuit breaker on the high-value transfer. About 80% of the funds were later returned after the community identified the attacker.
- HIGHAI-CLAUDECODE-SOURCEMAP-2026
On March 31, 2026, Anthropic accidentally shipped the full source of its Claude Code CLI inside a published npm package. A missing .npmignore rule for *.map left a roughly 59.8 MB source map in the tarball, embedding about 512,000 lines of unobfuscated TypeScript across some 1,900 files, including internal prompts, tool definitions and architecture. The root cause was a packaging failure compounded by a bundler bug: Bun continued emitting source maps even when generation was disabled, and nothing stripped or excluded them before publish. Because npm releases are immutable and mirrored instantly, the source was cloned, dissected and re-hosted within hours, and a clean-room reimplementation reached tens of thousands of GitHub stars the same day. It is a textbook source-map disclosure: the sourcesContent field of a .map file carries the original code verbatim, so a single map left in a shipped artifact hands an attacker the entire codebase, comments and all. The same class hit Apple's App Store web front-end in November 2025, where production source maps left enabled let a researcher reconstruct and publish the full client source.
- MEDIUMAI-SECRETS-SPRAWL-2025
GitGuardian's State of Secrets Sprawl research found that AI coding assistants are driving a surge in leaked credentials on public GitHub. AI-assisted commits leaked secrets at roughly twice the baseline rate, with Claude Code-assisted commits showing a 3.2% leak rate versus 1.5% for human-only commits, contributing to 28.65 million new hardcoded secrets added to public GitHub in 2025 (a 34% year-over-year increase). The study also found 24,008 unique secrets in MCP configuration files, where setup guides often instruct developers to paste API keys directly into config.
- CRITICALAI-COPILOT-CAMOLEAK-2025
Legit Security disclosed CamoLeak (CVSS 9.6), a critical vulnerability in GitHub Copilot Chat enabling silent exfiltration of private source code and secrets. The attack combined remote prompt injection via hidden pull-request comments with a CSP bypass that abused GitHub's own Camo image proxy: injected instructions made Copilot extract sensitive repo context, encode it character-by-character into a pre-generated dictionary of Camo image URLs, and leak it through image requests to an attacker server. GitHub mitigated it by disabling image rendering in Copilot Chat in August 2025.