The App That Ate Itself

It has been my guilty pleasure right now to watch the dumpster fire that is vibecoding. Like girl - hair in rollers, slippers on, bowl of popcorn with extra butter - watching the vibecoding 'I gave AI full control of my program and it deleted it all'. Just prompting to the wind - closing your eyes and pressing send. But the amount of people who have bought into that being plausible, I am not sure I can forgive that level of Love Island Drama.

Collins Dictionary made it Word of the Year, if you didn't know. Vibe coding. The idea that you can describe an app to an AI and it just... builds it. No code. No understanding. Just vibes and "No Mistakes" (This is an important distinguisher). Andrej Karpathy coined the term in February 2025 and by April 2026 we've had three major security breaches in a single week from platforms built exactly this way. Fourteen months from cute buzzword to systemic crisis. I watch tech... and even for tech that's fast.

And I have been LIVING for the chaos.

A friend of mine, who I love, but who has no business building software, built an app last month. Whole thing. Login page, database, user profiles. He showed it to me on a Saturday like he'd built a deck with his own hands. Except he hadn't touched a single nail. He described a deck to a robot, and the robot built it while he drank a beer. He was beaming. I was already mentally placing bets on when it would break. I didn't have the heart to tell him - but I could still watch.

A week. That's how long it lasted. The thing about building something really fast... is you kind of want to make additions, or fix it... really fast. He, specifically, wanted to add notifications. Went back to the AI, described what he wanted. The AI added notifications. Wow. Success. Another beer... It also, without mentioning it, rewrote part of the login system. He didn't notice because he doesn't read code. He vibes. Two days later users can't log in. He goes back to the AI. Fix the login. AI fixes the login, breaks the notifications. Fix the notifications. Notifications work, user profiles are broken. Every fix creates a new problem somewhere else and I am watching this unfold in real time over text messages like episodes dropping weekly. I can't help. I follow tech - I don't build it. I live it. But my day job is living experiences... not building them.

This is the thing it has taken about 9 months to figure out. The circular reference problem. The AI doesn't remember what it built. It doesn't have a map of the whole system. Even if it does... It doesn't look at it if you don't tell it to... It looks at whatever you're pointing at and changes it. Like handing someone a wrench and a blindfold and saying fix the leak. They'll tighten something. Whether it's the right something is genuinely a coin flip. And every time they tighten the wrong thing, you hand them back the wrench and say try again. The code gets more tangled with every cycle. Not because the AI is bad. Because the AI is doing exactly what it's designed to do. Complete the prompt. Move on. Forget. Definitely not go back and look at everything as a collective experience.

My friend is on iteration fifteen, and I don't know how to tell him this - but I don't think this will be a love match. I asked him if he'd considered hiring someone who actually writes code. He said yeah but this is free. And that's the whole pitch isn't it. The app is free to build. The security is free to ignore. The vulnerability is free to exploit. The only part that costs money is the breach and by then it's his users' problem not his. If he isn't even willing to put money into it... why does he think it is viable? I think the vibe doesn't stop at the coding.

Here's where I stopped laughing and started paying attention, because it isn't just my friend building a dorky bit-app while drinking a beer and keeping me entertained. The Next Web ran a piece this week about Lovable. Vibe coding platform. 6.6 billion dollar valuation. Eight million users. Their platform left every user's source code, database passwords, and AI chat histories exposed for 48 days through a basic API flaw. A security researcher found it, reported it through their bug bounty program, and the company closed the ticket without escalating. The vulnerability stayed open for another month and a half. This is not my friend's weekend project. This is a company worth more than most airlines.

The numbers across the whole space are genuinely horrifying. 40 to 62 percent of AI generated code contains security vulnerabilities. 91.5 percent of vibe coded apps had at least one vulnerability from AI hallucination in Q1 2026. Georgia Tech is tracking CVEs directly caused by AI coding tools. January, six. February, fifteen. March, thirty five. The line goes one direction.

ASo now we are putting the popcorn down and paying attention. Where I put the work in. An IEEE study measured what happens when you keep asking the AI to improve its own code. Five rounds of refinement. 37.6 percent increase in critical vulnerabilities. The more you ask it to fix things, the worse it gets. Not because it's failing. Because it's succeeding at the wrong objective. It's completing prompts. It's not maintaining architecture. Those are different things and nobody building these tools seems interested in explaining the difference to the eight million people using them.

Heard of Moltbook? The social network for AI agents that launched in February? Built entirely through vibe coding. Zero lines written by a human. The founder said so publicly like it was a selling point. Security researchers found the database wide open within three days. Public read and write access. 1.5 million API tokens. 35,000 email addresses. The AI had set up the database with permissive defaults during development and the founder shipped it because he didn't know what permissive defaults meant. He wasn't being reckless. He was using the tool exactly the way the tool is marketed.

That's the part that stops being buttery deliscious... Like remembering that Love Island are actual people... not just muppets on a screen. These platforms are raising hundreds of millions of dollars and also quietly partnering with security firms to scan the code their own tools generate. The companies building the vibe coding platforms are hiring other companies to find the vulnerabilities that their platforms create. What in the circle-jerk... Got Mag 7 written all over it. If your house builder needed a separate company to come check whether the house would fall down, you would not call that a house builder again. You would HOPE that somewhere BEFORE you build you would figure that out - so you could just not in the first place.

87 percent of Fortune 500 companies have adopted at least one vibe coding platform. 60 percent of all new code is projected to be AI generated by the end of this year. The EU AI Act kicks in August 2026 with penalties up to 35 million euros. And the platforms that generated the code are not the ones who will pay the fines. The people who pressed send without reading are. My friend included.

I'm still watching. The popcorn is still buttered. But the show stopped being funny somewhere around episode three when I realized the dumpster fire is also the building I live in. We all live in it. Every app on your phone that launched in the last year probably has vibe coded components. Every startup that raised a seed round on a demo built in a weekend is running on architecture that no human has ever reviewed. The fire is entertaining until you smell smoke in your own hallway.

My friend texted me this morning. His app is working again. For now. He's adding a payments feature next. I told him to hire a developer. He said maybe after he has MRR.

I'll keep the popcorn handy.