MACRO THESIS

Why now? Vibe hacking is the new gold rush.

Victor Ronchin

Co-Founder · 5 min read

In the California gold rush of 1848, the people who got rich weren't always the miners. They were the ones who showed up early with shovels to sell. The gold was real, but the real opportunity was in serving the people rushing toward it.

Something structurally similar is happening right now in software security — except instead of shovels, the product being sold is automated exploitation. And instead of a few thousand miners, there are millions of vibe-coded apps being deployed every month by people who have never thought about what happens when someone with bad intentions finds their webhook endpoint.

The scale is different this time

AI coding tools — Cursor, Claude, Lovable, Bolt, v0 — have dramatically lowered the barrier to shipping software. That's genuinely good. People who had ideas but couldn't write code can now build and deploy. The number of apps going to production has exploded.

But scale changes the economics of attack. When there were a few thousand professional developers building payment-connected apps, security researchers and attackers had to hunt individually. Automating attacks across thousands of targets wasn't worth it — the surface area was too fragmented, the codebases too different.

GitHub's 2024 security report found that 48% of code suggestions generated by AI assistants introduce at least one CWE-listed vulnerability. The apps shipping on those suggestions are not being reviewed.

The homogeneity problem

Here's what makes the current moment uniquely dangerous: when millions of developers use the same AI tools with the same prompts, they produce structurally similar code. The same patterns. The same mistakes.

Ask Claude or GPT-4 to "build a Stripe webhook handler" and you'll get something that works — payment events get processed, the happy path functions. What you'll almost never get, without specifically asking, is webhook signature verification. The AI wasn't trained to include it because most of the training data didn't include it.

This means there are now hundreds of thousands of applications with the same missing webhook signature check, the same unprotected refund endpoint, the same price field being passed from the client. The attack surface is vast and uniform. That's exactly what you need to automate exploitation at scale.

⚠️ Attackers have already written the scripts. They're scanning for the patterns that AI-generated Stripe integrations produce. Finding a vulnerable endpoint isn't a research problem — it's a compute problem.

The economics of automated attacks

In traditional security, a skilled attacker would spend hours or days finding and exploiting a specific target. The ROI was limited by their time. You had to be worth attacking.

Automated attacks change that calculation entirely. A script that scans for unverified webhooks costs almost nothing to run against millions of endpoints. Even a 0.1% hit rate against small SaaS apps generating $1,000/month in revenue becomes a meaningful revenue stream if you can run the script continuously.

You don't need to be a valuable target anymore. You just need to be vulnerable and findable. Both of those are now trivially achievable if your app is public and AI-generated.

Why the window is right now

This situation won't last forever. AI coding tools will get better at generating secure code. Security-conscious defaults will become standard in the frameworks people use. The industry will develop better tooling for catching these issues at the vibe-code level.

But that's a two-to-three-year horizon. Right now, in 2025, there is a massive and growing gap between the number of apps being shipped and the security review they're receiving. The apps that shipped 18 months ago are sitting in production with vulnerabilities no one has looked at.

The wave will hit before the tooling catches up. The question is whether your app is going to be on the receiving end of it, or whether you've already closed the obvious doors.

What the first wave looks like

I've thought a lot about what a coordinated automated attack against the vibe-coded SaaS ecosystem looks like. The template is already there — it's just smaller attacks, repeated against many targets instead of one.

Someone writes a scanner that identifies apps built with common vibe-coding stacks. It looks for exposed Stripe-related endpoints, tests for the absence of webhook signature verification, probes for price manipulation vulnerabilities. It runs continuously against new deployments on Vercel and similar platforms. When it finds a hit, it flags it for manual or automated exploitation.

This isn't speculative. Versions of this already exist for older vulnerability classes. The only reason it hasn't happened at scale to vibe-coded apps yet is that the apps themselves are still relatively new. The window between "app ships" and "app gets found" is closing.

ARGUS DEEP SCAN

We test your live site, not your source code.

Results in under 24 hours · Reviewed by a human