Vibe coding—generating code through natural language prompts without reviewing what the AI writes—was named Collins Dictionary’s Word of the Year 2025. What started as a February tweet from Andrej Karpathy now drives a quarter of Y Combinator’s latest startup batch. While developers celebrate productivity gains, they’re ignoring a security crisis: 45% of AI-generated code contains vulnerabilities.
What Is Vibe Coding?
Andrej Karpathy, OpenAI co-founder and former Tesla AI leader, coined the term in February 2025 with a viral tweet that got 4 million views. His definition: “fully give in to the vibes, embrace exponentials, and forget that the code even exists.”
Here’s his process: Use Cursor Composer with Claude Sonnet, barely touch the keyboard, hit “Accept All” without reading diffs, copy-paste error messages with no explanation, and let the code grow beyond your comprehension. Unlike traditional AI-assisted coding where you review suggestions, vibe coding makes AI the primary coder. You’re the orchestrator describing what you want in plain language.
The cultural recognition confirms that this isn’t a fad. Beyond Collins Dictionary’s Word of the Year, Merriam-Webster added it as a trending term, and tech giants like Google Cloud, IBM, and Cloudflare have explainer pages. This is real.
Real-World Adoption at Scale
In March 2025, Y Combinator revealed 25% of their Winter 2025 batch startups have codebases that are 95% AI-generated. These aren’t non-technical founders—they’re experienced engineers who could write every line manually but choose not to.
YC CEO Garry Tan was blunt: “This is the dominant way to code. And if you are not doing it, you might just be left behind.” The business case is compelling: teams no longer need 50-100 engineers, capital goes further, and the W25 batch achieved 10% weekly growth, the fastest in YC history.
The numbers support this shift. 92% of US developers now use AI coding tools. GitHub activity surged to 43 million pull requests per month, a 23% year-over-year increase, with annual commits hitting 1 billion. GitHub Copilot boosted developer productivity by up to 55%. The velocity is undeniable.
The Security Crisis Nobody Mentions
Here’s what the hype glosses over: Veracode’s 2025 report found 45% of AI-generated code contains security vulnerabilities. Another study showed 62% contains design flaws. Developers using AI produce ten times more security problems than those who don’t.
In December 2025, researchers disclosed over 30 vulnerabilities in AI-powered IDEs including Cursor, GitHub Copilot, Windsurf, and Roo Code. These enable data exfiltration and remote code execution. Privilege escalation attacks increased 322%, and architectural design problems jumped 153%.
The root problem: AI models train on public repositories containing vulnerabilities. They learn both secure and insecure patterns and treat them as equally valid. They don’t understand your application’s risk model. Worse, newer models don’t generate more secure code than their predecessors.
Vibe coding amplifies this risk. If you’re not reviewing code, you’re shipping vulnerabilities to production. AI-generated Java code has a security failure rate above 70%. That’s not a productivity win; that’s a breach waiting to happen.
The Developer Role Transformation
Beyond tools, vibe coding signals a shift in what it means to be a developer. The role is evolving from writing code to orchestrating systems. CTOs now prioritize system design over coding ability when hiring. The new currency is systems thinking—understanding how parts work together and designing for long-term performance.
One industry analysis framed it this way: “A developer’s main job will be that of orchestrator, strategist, and collaborator, with value hinging not on typing speed, but on your ability to solve, design, and inspire.”
The skills that matter in 2026: critical thinking, business strategy, systems architecture, and AI orchestration. If AI eliminates mundane coding, differentiation moves upstream to judgment and communication.
When It Works (and When It Doesn’t)
Karpathy’s original context matters: “not too bad for throwaway weekend projects.” Vibe coding excels at rapid prototyping, MVPs, and personal projects. A New York Times journalist with no coding background built an app analyzing fridge contents for lunch suggestions. That’s the accessibility promise delivered.
But Andrew Ng raised questions about long-term maintenance and scalability. Karpathy hand-coded his next project after the viral tweet—he didn’t vibe code it. Concerns about technical debt and eroding fundamental skills are real.
Production systems requiring long-term maintenance are different from weekend hacks. When your codebase grows beyond comprehension and you’ve never read the diffs, who fixes it when things break? Who patches the security vulnerabilities you never knew existed?
The Verdict
Vibe coding is real, happening at scale, and productivity gains are measurable. Y Combinator’s fastest-growing batch proves the business case. The developer role transformation toward orchestration is underway. But the security crisis is being ignored, and that’s dangerous.
The thoughtful approach: Use vibe coding for prototypes and throwaway projects where security and maintenance aren’t concerns. For production systems, treat AI as an assistant requiring review, not a replacement running unsupervised. If you’re shipping unreviewed AI code to production, you’re not being productive—you’re being reckless.
The future isn’t choosing between human coding and AI coding. It’s knowing when to use which approach, and having the judgment to understand the difference.


