Thursday, February 26, 2026

Zero-click hack exposes flaw in Orchids vibe coding platform


The revelation of a cybersecurity flaw in the Orchids platform raised a warning CISOs and CIOs should heed if they let their teams dabble in vibe coding. Cybersecurity researcher Etizaz Mohsin exploited a vulnerability recently to gain access to a project BBC journalist Joe Tidy started on Orchids, an AI-powered platform for app building. 

The researcher’s efforts shed light on the hypothetical damage a hacker could cause through the vulnerability in a software tool that is gaining in popularity.

“If you are currently using vibe coding tools in your environment, you have to look at an incident like this and say, ‘How do we protect ourselves?’” said Tim Erlin, security strategist at API security company Wallarm.

The security vulnerability 

Though the exact details of the vulnerability were not disclosed, Tidy said he asked the platform to build a game based on the BBC News website. Mohsin gained access to this project via a zero-click attack. He edited Tidy’s code and accessed his computer.


Mohsin reportedly discovered the vulnerability in the Orchids platform in December. He then spent weeks attempting to get in touch with the company, according to Tidy’s reporting. He eventually got a response saying his messages may have been overlooked among many others. 

Orchids did not respond to InformationWeek’s request for comment. 

The ongoing question of risk vs. reward

CIOs and CISOs face constant pressure to adopt AI tools, even as the technology continues to evolve, potentially exposing new risks.

“We’re giving these programs access to our code, to our developers themselves, to our GitHub repositories or GitLab repositories or whatever it may be,” said Steve Cobb, CISO at SecurityScorecard, a third-party cyber risk management company. “The difference is … the velocity and really not understanding what potential back-end risk may be present.”

Enterprises that use Orchids or other vibe-coding platforms should plan for the possibility of new exposure. “This vulnerability exists and has existed, and so now I think what those customers need to worry about is looking back at the past: ‘Could I have been breached?’” Cobb said.

Orchids is one among many vibe coding tools on the market today. Mohsin did not find security vulnerabilities in other vibe coding platforms, such as Claude Code and Lovable, according to Tidy’s coverage. But you don’t have to look far to see other security concerns in the AI space; security vulnerabilities continue to swirl around OpenClaw, for one.

Even with the potential of a breach, vibe coding and other agentic AI tools continue to find an audience.

“Larger organizations have been more willing to forego some of the due diligence they might have done in the past because of the speed at which their competitors are adopting these tools and getting the advantages of them,” Erlin said. “That may change, as incidents like this one occur.”

CIOs may increasingly consider the security capabilities these types of platforms have in place.

“As companies are able to produce enterprise-level or enterprise-grade software with fewer and fewer resources, they’re going to have to make more explicit choices about where they put in place process and human beings for things like responding to reported security vulnerabilities,” Erlin said. 

Security issues such as the Orchids vulnerability may reignite the debate over disclosure. Should vulnerabilities like this be disclosed as soon as they are discovered? Or should vendors be notified first, followed by disclosure? 

“I think it’s going to make this responsible disclosure conversation come back to the forefront of the cybersecurity space in a way that it hasn’t for a few years at least,” Erlin said.

Cobb said he hopes to see vendors and their customers form closer partnerships when it comes to security for vibe coding and other tools. 

“If you just take what Anthropic is doing and what OpenAI and all these AI companies, including Orchids and others, are doing, they’re providing such great value to the business. And as a part of that value, they really need to step up their security game and help us do the due diligence process,” he said.
