ofjcihen 8 days ago

Absolutely.

Before vibe coding became too much of a thing we had the majority of our business coming from poorly developed web applications coming from off shore shops. That’s been more or less the last decade.

Once LLMs became popular we started to see more business on that front which you would expect.

What we didn’t expect is that we started seeing MUCH more “deep” work wherein the threat actor will get into core systems from web apps. You used to not see this that much because core apps were designed/developed/managed by more knowledgeable people. The integrations were more secure.

Now though? Those integrations are being vibe coded and are based on the material you’d find on tutorials/stack etc which almost always come with a “THIS IS JUST FOR DEMONSTRATION DONT USE THIS” warning.

We also see a ton of re-compromised environments. Why? They don’t know how to use CI/CD and just recommit the vulnerable code.

Oh yeah, before I forget, LLMs favor the same default passwords a lot. We have a list of the ones we’ve seen (will post eventually) but just be aware that that’s something threat actors have picked up on too.

EDIT: Another thing, when we talk to the guys responsible for the integrations or whatever was compromised a lot of the time we hear the excuse “we made sure to ask the LLM if it was secure and it said yes”.

I don’t know if they would have caught the issue before but I feel like there’s a bit of false comfort where they feel like they don’t have to check themselves.

danpalmer 7 days ago | parent | next [-]

> We also see a ton of re-compromised environments. Why? They don’t know how to use CI/CD and just recommit the vulnerable code.

This one sticks out to me. A while back the UK did a security assessment of Huawei with a view to them being a core infrastructure provider for the 5G rollout, and the conclusion wasn't that they were insecure, it was that they were ~10 years away from being able to even claim they were secure.

Contrasting this to my current employer, where the software supply chain and provenance is exceptional, it's clear to me that vibe coding doesn't get you far in terms of that supply chain, and is arguably a significant regression from the norm.

Third party dependencies, runtime environments/containers, build processes, build environments, dev machines, source control, configuration, binaries, artifact signing and provenance, IDEs, none of these have good answers in the vibe-coded ecosystem and many are harmed by it. It will be interesting to see how the industry grapples with this when someone eventually pushes back and says they won't use your software because you don't have enough context about it to even claim it's secure.

ofjcihen 7 days ago | parent | prev | next [-]

OH MAN I almost forgot.

We’ve had a few of these stem from custom LLM agents. The most hilarious one we’ve seen was one that you could get to print its instructions pretty easily. In the instructions was a bit about “DON’T TALK ABOUT FILES LABELED X”.

No guardrails other than that. A little creative prompting got it to dump all files labeled X.

poniko 7 days ago | parent | prev | next [-]

This is the best thread response I've seen in a while. It made me chuckle, because I can't understand how people say they vibe code stuff and it works (my experience is not that), and I just feel out of the loop reading all the other HN posts and comments about how good it is.

Isharmla 7 days ago | parent | prev | next [-]

> We have a list of the ones we’ve seen (will post eventually)

I'd like to see if LLM use pw like 123456

mring33621 7 days ago | parent | prev [-]

please mention your company

if you have been doing this for some years, I'm gonna guess that you're good at it

and that there are plenty of potential customers here that could use your help

ofjcihen 7 days ago | parent [-]

I’d love to but unfortunately I can be pretty inflammatory online and I’d like to continue using this account for personal opinions =]