A Vibe-Coding Platform With a Million Users Just Got Zero-Click Hacked

A BBC investigation has exposed a significant — and still unfixed — security vulnerability in Orchids, one of the most popular "vibe-coding" platforms on the market. The flaw allows a hacker to gain full access to a user's computer without the user doing anything at all. No clicking a link. No downloading a file. Just using the platform as intended.

Orchids claims over a million users and says its platform is used by employees at Google, Uber, and Amazon. It's rated as one of the best tools for certain vibe-coding tasks by App Bench and other analysts. And it has a security hole you could drive a truck through.

The Hack

The vulnerability was demonstrated to the BBC by cybersecurity researcher Etizaz Mohsin, a 32-year-old Pakistani researcher based in the UK with a track record that includes work on the infamous Pegasus spyware.

Here's what happened: a BBC reporter downloaded the Orchids desktop app and started a vibe-coding project — asking the AI to help build a simple computer game. The AI began compiling thousands of lines of code automatically. So far, standard vibe-coding behavior.

Then Mohsin exploited a security weakness to gain access to the reporter's project. He viewed and edited the code, injecting a small line somewhere in the thousands of lines of AI-generated code. Shortly afterward, a notepad file called "Joe is hacked" appeared on the reporter's desktop, and the wallpaper changed to an image of an AI hacker.

The implications are straightforward and terrifying: a malicious actor could install viruses, steal private or financial data, access internet history, or even spy through cameras and microphones. All without the victim doing anything.

Zero-Click, Maximum Damage

Most hacks require some action from the victim — clicking a phishing link, downloading malware, entering credentials on a fake site. This attack required nothing. It's what's known as a zero-click attack, and they're among the most dangerous vulnerabilities in cybersecurity because there's literally nothing the user can do to prevent them.

"The vibe-coding revolution has introduced a fundamental shift in how developers interact with their tools, and this shift has created an entirely new class of security vulnerability that didn't exist before," Mohsin told the BBC. "The whole proposition of having the AI handle things for you comes with big risks."

12 Warnings, No Response

Perhaps the most damning detail in the story isn't the vulnerability itself — it's how Orchids responded to it. Or rather, didn't.

Mohsin discovered the flaw while experimenting with vibe-coding in December 2025. He spent weeks trying to contact Orchids through email, LinkedIn, and Discord, sending around a dozen messages. The company didn't respond until this week — after the BBC got involved — saying they "possibly missed" his warnings because the team is "overwhelmed with inbound" messages.

"Overwhelmed with inbound" is a wild response to a zero-click vulnerability disclosure. It's essentially saying: we were too busy being popular to notice someone telling us our platform is a security catastrophe.

The Bigger Problem

Orchids isn't an isolated case. It's a symptom of a much larger issue with the vibe-coding movement. These platforms are built on a core promise: you don't need to understand code. Just describe what you want, and the AI handles it. That's great for accessibility and speed. It's terrible for security.

When users can't read the code being generated on their behalf, they can't spot malicious injections. When the AI has deep access to your computer to execute that code, the attack surface is enormous. And when the companies building these tools are moving fast to capture market share, security reviews often come last — if they come at all.

The vibe-coding revolution is real and probably irreversible. But this BBC investigation is a stark reminder that convenience and security are often in direct tension, and right now, convenience is winning by a landslide.

What Users Should Do

If you're using Orchids or similar vibe-coding platforms, the honest advice is uncomfortable: there's not much you can do about a zero-click vulnerability except stop using the platform until it's fixed. For other vibe-coding tools, consider running them in sandboxed environments or virtual machines, limit the permissions you grant to AI coding assistants, and be skeptical of any platform that hasn't undergone independent security audits.

The age of AI-written code is here. The age of AI-written security apparently isn't.