Auto Amazon Links: No products found. Blocked by captcha.
The BBC has uncovered a serious and still unresolved cybersecurity vulnerability in Orchids, a widely used AI-powered coding platform. Orchids, described as a “vibe-coding” tool, allows users without programming experience to create applications and games by simply entering text prompts into a chatbot. This type of AI platform has gained notable traction recently, celebrated as a way to complete professional tasks efficiently and economically through artificial intelligence.
However, the nature of Orchids presents significant security concerns. Cybersecurity expert Etizaz Mohsin demonstrated how easily the platform can be exploited. Mohsin installed the Orchids desktop application on a spare device, initiating a coding project that the AI assistant helped assemble. By leveraging an undisclosed security weakness, Mohsin was able to access and modify the project’s code without the user’s awareness. This manipulation paved the way for unauthorized control over the computer itself, as evidenced when a file titled “Joe is hacked” appeared on the desktop and the wallpaper was changed to imagery of a robotic skull, signaling the compromise.
Such a breach carries alarming implications for users of Orchids’ tens of thousands of projects. A malicious actor could install malware stealthily, steal sensitive personal or corporate data, or even spy through microphones and webcams. Unlike typical hacks, this attack required no user interaction, classifying it as a zero-click intrusion. Mohsin commented on the wider impact of this new class of threats, stating, “The vibe-coding revolution has introduced a fundamental shift in how developers interact with their tools, and this shift has created an entirely new class of security vulnerability that didn’t exist before. The whole proposition of having the AI handle things for you comes with big risks.”
Mohsin, an experienced researcher originally from Pakistan and now based in the UK, has previously uncovered critical software flaws, including issues in the notorious Pegasus spyware. After identifying this problem with Orchids in late 2025, he attempted to alert the company multiple times through various channels without satisfactory response. The company, based in San Francisco and founded in 2025 with fewer than ten employees, only recently acknowledged the warnings, attributing their delayed reply to being overwhelmed by messages.
Experts regard Mohsin’s findings as a cautionary tale for the broader AI agent ecosystem. While Mohsin has not detected similar vulnerabilities in other “vibe-coding” platforms such as Claude Code, Cursor, Windsurf, and Lovable, cybersecurity specialists warn about the general risks tied to AI tools that operate autonomously on users’ devices. Kevin Curran, a cybersecurity professor at Ulster University, highlights that such code often lacks the necessary discipline and review, making it susceptible to attacks. Karolis Arbaciauskas, head of product at NordPass, advises users to exercise caution by restricting AI tools to dedicated, isolated machines and utilizing disposable accounts for testing purposes, emphasizing that unfettered AI access can seriously compromise security
Read the full article from The BBC here: Read More
Auto Amazon Links: No products found. Blocked by captcha.