Vibe coding
Last reviewed
May 13, 2026
Sources
60 citations
Review status
Source-backed
Revision
v5 ยท 9,677 words
Improve this article
Add missing citations, update stale details, or suggest a clearer explanation.
Suggest edit
CtrlK
Last reviewed
May 13, 2026
Sources
60 citations
Review status
Source-backed
Revision
v5 ยท 9,677 words
Add missing citations, update stale details, or suggest a clearer explanation.
Vibe coding is a software development practice in which a programmer describes their intent in plain natural language and relies on a large language model (LLM) to generate the corresponding source code. Rather than writing code line by line, the developer guides the AI through conversational prompts, accepts its output with minimal or no review, and iterates by providing feedback or pasting error messages back into the model. The term was coined by computer scientist Andrej Karpathy on February 2, 2025, in a post on X (formerly Twitter) that received over 4.5 million views. In November 2025, Collins Dictionary named "vibe coding" its Word of the Year, reflecting how quickly the concept had entered mainstream vocabulary. Merriam-Webster added the term to its slang and trending list in March 2025, and Wikipedia editors created a dedicated article for the practice within weeks of its coinage.
Vibe coding sits at one end of a broader spectrum of AI-assisted programming. At the opposite end, developers use LLMs as sophisticated autocomplete tools while still reviewing every line of generated code. In its purest form, vibe coding means the developer does not read the code at all, trusting the AI to produce working software based on high-level descriptions alone. The practice gained explosive commercial traction throughout 2025: Cursor crossed $500 million in annual recurring revenue by June 2025, Lovable reached $200 million ARR within a year of its public launch, and Bolt.new hit $40 million ARR within five months of its October 2024 release. By the end of 2025, a security study of five major vibe coding tools found 69 vulnerabilities across 15 test applications, illustrating both the velocity and the fragility that define the practice.
Vibe coding inverts the traditional relationship between developer and code. In conventional software engineering, the programmer is the author of every line and the AI, if used at all, is a junior assistant. In vibe coding, the AI is the author and the human acts as a product manager, describing the desired behavior and accepting whatever implementation the model proposes. Karpathy summarized the workflow as "see stuff, say stuff, run stuff, and copy paste stuff," a deliberate refusal of the comprehension-first model that has governed programming since its inception.
The phrase captured a real shift in developer behavior because the underlying models had crossed a usability threshold. By early 2025, frontier LLMs such as Claude 3.5 Sonnet and GPT-4o could produce working multi-file applications from short prompts, particularly for web stacks built on React, Next.js, Supabase, and Tailwind. Agentic coding tools such as Cursor Composer, Claude Code, Replit Agent, Devin, and OpenAI Codex CLI gave these models the ability to read repositories, run shell commands, install packages, and execute tests without human intervention between steps. Vibe coding became the cultural label for the experience of using these tools at full throttle.
On February 2, 2025, Andrej Karpathy, a co-founder of OpenAI and former senior director of AI at Tesla, posted the following on X:
There's a new kind of coding I call "vibe coding", where you fully give in to the vibes, embrace exponentials, and forget that the code even exists. It's possible because the LLMs (e.g. Cursor Composer w Sonnet) are getting too good. Also I just talk to Composer with SuperWhisper so I barely even touch the keyboard. I ask for the dumbest things like "decrease the padding on the sidebar by half" because I'm too lazy to find it. I "Accept All" always, I don't read the diffs anymore. When I get error messages I just copy paste them in with no comment, usually that fixes it. The code grows beyond my usual comprehension, I'd have to really read through it for a while. Sometimes the LLMs can't fix a bug so I just work around it or ask for random changes until it goes away. It's not too bad for throwaway weekend projects, but still quite amusing. I'm building a project or webapp, but it's not really coding. I just see stuff, say stuff, run stuff, and copy paste stuff, and it mostly works.
Karpathy later reflected on the tweet's viral spread, calling it "a shower of thoughts throwaway tweet" and noting that after 17 years on the platform he still could not predict which posts would resonate. The tweet nonetheless crystallized a phenomenon that many developers had already been experiencing but lacked a name for. On February 2, 2026, exactly one year after the original post, Karpathy returned to the conversation in another tweet that acknowledged the anniversary and observed how thoroughly the term had been absorbed into the industry's vocabulary.
The conceptual roots trace back further. In 2023, Karpathy had argued that "the hottest new programming language is English," suggesting that LLM capabilities were reaching a point where humans might not need to learn specific programming languages to instruct computers. Vibe coding put a memorable label on that trajectory. Several earlier writers had described variants of the same idea, including Simon Willison's 2023 posts on "AI-assisted programming" and the launch of products such as Replit Ghostwriter (2022) and GitHub Copilot (2021), but no single phrase had stuck. Karpathy's tweet provided one.
The original tweet named two products. The first was Cursor Composer, the agentic mode of the Anysphere-built code editor, paired with Claude 3.5 Sonnet. The second was SuperWhisper, a macOS voice-to-text application. The combination defined the prototypical vibe coding stack for the first half of 2025. Karpathy's framing implied three conditions: a model capable of multi-file code generation, an editor that could apply those generations across a project, and an input mode (voice) that lowered the cognitive overhead of describing intent.
In November 2025, Collins Dictionary selected "vibe coding" as its Word of the Year, defining it as "the use of artificial intelligence prompted by natural language to write computer code." The selection reflected how far the concept had spread beyond the software engineering community. Merriam-Webster had previously listed "vibe coding" in its slang and trending section in March 2025, only weeks after the Karpathy tweet, marking one of the fastest dictionary entries for a technology neologism in recent memory.
The vibe coding workflow differs from traditional programming in several fundamental ways. Instead of opening a text editor and typing syntax, the developer opens an AI-powered coding environment and describes what they want in everyday language.
Simon Willison's March 2025 post "Not all AI-assisted programming is vibe coding" set out the cleanest definition. Vibe coding requires three conditions: an LLM writes the code, the developer does not read or review what was produced, and the developer cannot meaningfully explain the resulting code to someone else. If any of those conditions fails, the activity is something else, typically AI-assisted development, but not vibe coding.
The practice tends to share several behavioral patterns. Developers accept the AI's first answer rather than asking for alternatives. They paste raw error messages back into the model without analysis. They iterate by describing symptoms rather than diagnosing causes. They rarely add tests. They treat each successful run as confirmation that the code is correct, even when correctness depends on edge cases the run did not exercise. Together, these habits define a working style that prizes speed and exploration over reliability and comprehension.
Karpathy's original tweet highlighted his use of SuperWhisper, a voice-to-text tool, to communicate with the AI. This added another layer of abstraction: the developer does not even type prompts but speaks them aloud. Voice input lowers the barrier further, making the process feel more like a conversation with a colleague than a programming session. Subsequent products such as Whisper Flow, Aiko, and the built-in voice modes in ChatGPT and Claude extended the same approach to a broader audience.
| Aspect | Traditional programming | Vibe coding |
|---|---|---|
| Primary activity | Writing and debugging code | Describing intent in natural language |
| Code understanding | Developer understands all code | Developer may not read the code |
| Error handling | Developer reads stack traces and fixes bugs | Developer pastes errors into AI and lets it fix them |
| Skill required | Programming language proficiency | Ability to describe desired behavior clearly |
| Speed for prototypes | Moderate to slow | Very fast |
| Code review | Standard practice | Often skipped entirely |
| Best suited for | Production systems, complex architectures | Prototypes, personal tools, weekend projects |
| Mental model | Author of every line | Product manager directing an opaque worker |
| Failure mode | Bugs you can trace to a specific decision | Bugs in code you have never seen |
| Skill transfer | Knowledge accumulates over time | Knowledge often does not transfer between sessions |
Several categories of tools have made vibe coding practical. These range from AI-enhanced code editors to fully managed app-building platforms.
| Tool | Developer | Launch | Key features |
|---|---|---|---|
| Cursor | Anysphere | 2023 | Full IDE with Composer and Agent modes; indexes the entire codebase for context-aware generation; supports multi-file edits; the tool named in Karpathy's original tweet |
| Claude Code | Anthropic | February 24, 2025 | Terminal-based agentic coding tool; deep codebase understanding; reached general availability in May 2025 alongside Claude 4 |
| GitHub Copilot | GitHub / Microsoft | 2021 | Inline code suggestions in VS Code, JetBrains, and other editors; enterprise-grade compliance; integrated with GitHub workflows |
| Windsurf | Codeium | November 2024 | AI-native IDE with agentic capabilities; Cascade flow for multi-step reasoning across files |
| OpenAI Codex CLI | OpenAI | May 16, 2025 | Lightweight terminal-based coding agent written in Rust; runs locally with permission scopes; pairs with cloud Codex for parallel task execution |
| Cline | Cline Bot | 2024 | Open-source VS Code extension; supports any model via API; emphasizes auditable step-by-step execution |
| Roo Code | Roo Code maintainers | 2024 | Open-source fork of Cline; multi-model support; popular among self-hosting developers |
| Aider | Paul Gauthier | 2023 | Terminal coding assistant; integrates with git; pioneered the "send diffs, not files" pattern |
| Tool | Developer | Launch | Description |
|---|---|---|---|
| Bolt.new | StackBlitz | October 4, 2024 | Browser-based AI app builder using WebContainers; generates and runs full-stack web apps in a tab; reached $40 million ARR within five months |
| Lovable | Lovable AB | November 2024 (public beta) | Stockholm-based natural-language-to-app platform; evolved from Anton Osika's open-source GPT Engineer; reported 15 million daily active users by late 2025 |
| v0 | Vercel | October 2023 | Generates React and Next.js components from text descriptions; rebranded from v0.dev to v0.app in January 2026; over 6 million developers on the platform by March 2026 |
| Replit Agent | Replit | September 2024 | Browser-based IDE supporting 50+ languages; Replit Agent v2 launched February 2025 with 2-3x speed improvements and one-click deploy |
| Devin | Cognition Labs | March 12, 2024 | Marketed as the first "AI software engineer"; Devin 2.0 cut entry price from $500/month to $20/month in April 2025 |
| Manus | Butterfly Effect | March 2025 | General-purpose autonomous agent capable of vibe coding; reached high virality in Chinese-language tech communities |
| Same.new | Same | 2024 | Clones existing websites into editable codebases through vibe-coding prompts |
| Polymet | Polymet AI | 2024 | Focused on generating mobile apps from natural language |
Vibe coding benefits from several underlying technologies:
Not all use of AI in programming constitutes vibe coding. Developer and writer Simon Willison drew an influential distinction in March 2025, arguing that the term was being incorrectly applied to all forms of AI-assisted development.
Willison proposed a clear boundary: if an LLM wrote every line of code but the developer reviewed it, tested it thoroughly, and could explain how it works to someone else, that is not vibe coding. That is software development with AI assistance. Vibe coding, in Willison's definition, specifically means building software without reviewing the code the AI writes.
His "golden rule" for production-quality AI-assisted programming: never commit code to a repository that you could not explain to another person.
The spectrum of AI-assisted development can be understood as a continuum:
| Level | Description | Code review | Example |
|---|---|---|---|
| Traditional coding | Developer writes all code manually | Full review | Writing a function from scratch |
| AI autocomplete | AI suggests line completions; developer accepts or rejects each one | Line-by-line | GitHub Copilot inline suggestions |
| AI pair programming | Developer and AI collaborate; AI generates blocks of code that the developer reviews and modifies | Block-level review | Using Cursor in edit mode |
| Assisted vibe coding | Developer gives high-level prompts, reviews output at a functional level but may skip reading every line | Functional testing | Building a feature with Claude Code, then testing it |
| Pure vibe coding | Developer describes intent, accepts all output, does not read diffs | None | Karpathy's original description |
By late 2025, some practitioners began using the term "vibe engineering" to describe a middle ground: using AI tools aggressively for code generation while maintaining engineering discipline around architecture, testing, and deployment. This approach attempts to capture the speed benefits of vibe coding while avoiding its quality pitfalls. Willison endorsed the framing in an October 2025 post that argued the right response to vibe coding was not abandonment but discipline, particularly around tests, version control, and code review by humans or by separate AI reviewers.
The concept of "context engineering" also emerged in 2025 as a more structured evolution. As described by MIT Technology Review, the software industry moved from the loose, vibes-based approach of early 2025 toward systematic methods for managing how AI systems process context. Context engineering focuses on filling the AI's context window with precisely the right information for each step, rather than simply hoping the model produces correct output. Tools such as Cursor Rules, Claude Code's CLAUDE.md convention, and the AGENTS.md community standard formalized the practice.
Vibe coding has different implications for different groups of people.
Perhaps the most significant impact of vibe coding is its potential to democratize software creation. People with no programming background can describe an application in plain language and receive working code. Andrew Ng, co-founder of Google Brain and former chief scientist at Baidu, stated that "the bar to coding is now lower than it ever has been" and argued that "people that code, be it CEOs and marketers, recruiters, not just software engineers, will really get more done than ones that don't." Ng created a course on vibe coding with Replit through his DeepLearning.AI platform to teach non-programmers how to build applications using AI agents.
Karen Brennan, a professor at the Harvard Graduate School of Education, taught a course on vibe coding in late 2025 and framed its core value as a change in "the economics of experimentation." When a working prototype costs three hours instead of three months, the population of people who can afford to try a software idea expands by orders of magnitude.
Startup founders and product designers use vibe coding to quickly test ideas. Rather than spending weeks building a minimum viable product (MVP), a founder can describe the concept to an AI and have a working prototype in hours. Real-world studies suggest that vibe coding accelerates prototyping by 60 to 80 percent compared to traditional development.
In March 2025, Y Combinator reported that 25% of startup companies in its Winter 2025 batch had codebases that were 95% AI-generated. Y Combinator managing partner Jared Friedman emphasized that these were "highly technical" founders who were "completely capable of building their own products from scratch" but chose to let AI handle most of the code. CEO Garry Tan posted on X: "For 25% of the Winter 2025 batch, 95% of lines of code are LLM generated. That's not a typo. The age of vibe coding is here." Tan elsewhere noted that "ten engineers using vibe coding are delivering what used to take 50 to 100." In a separate CNBC interview in March 2025, he characterized the Winter 2025 batch as the fastest-growing in Y Combinator history, attributing the leap to AI-assisted development.
Independent developers have embraced vibe coding to punch above their weight. A single developer using AI tools can now build products that previously required a small team. Communities such as Indie Hackers and Bootstrapped Founders began documenting individual operators who reached six-figure monthly revenue with no employees, often citing vibe coding workflows as the reason their products could ship at all.
Experienced programmers use vibe coding selectively: for boilerplate code, unfamiliar frameworks, or quick experiments. Many professionals adopt a hybrid approach, using vibe coding for initial generation and then reviewing and refining the output. However, Ng cautioned that guiding an AI to write useful software "is a deeply intellectual exercise" that demands significant thought. "When I'm coding for a day with AI coding assistance, I'm frankly exhausted by the end of the day," he said. The 2025 Stack Overflow Developer Survey reported that 80% of developers used AI tools in some form, but only about 23% reported using vibe coding in their professional work, and an additional 5% explicitly rejected the practice.
Several projects have demonstrated both the potential and the limitations of vibe coding.
Pieter Levels (known online as "Levelsio"), an indie developer and entrepreneur, built a browser-based 3D flight simulator using Cursor and AI in February 2025. Despite having no prior game development experience, Levels created the initial prototype in approximately three hours by typing "make a 3D flying game in the browser" and iterating from there. The game launched on February 23, 2025, and exploded in popularity after Elon Musk retweeted Levels' announcement with the comment "AI gaming will be massive."
The project featured real-time multiplayer, in-game advertising, and branded 3D objects. By March 12, 2025, Fly.Pieter.com reached $1 million in annual recurring revenue. Monthly revenue peaked above $100,000, driven by sponsored objects: companies paid $1,000 per week for blimp advertisements and tens of thousands for branded F-16 jets to appear in the simulator. Levels later disclosed that the game accumulated $67,000 per month in steady-state revenue after the initial viral spike. The success inspired a wave of vibe-coded games, with directories such as aibuiltgames.com emerging by March 2025 to catalog them.
Bolt.new, launched by StackBlitz on October 4, 2024, became a canonical example of vibe coding reaching commercial product-market fit. Before Bolt, StackBlitz had been a small developer-tools company with roughly $80,000 in annual revenue and a December 2023 board ultimatum to find traction or wind down. The team shipped Bolt with a single tweet, no marketing, and an integration of Claude 3.5 Sonnet with their WebContainers runtime. The product added $60,000 in ARR on launch day, another $80,000 the next day, and reached $4 million ARR within 30 days. By February 2025 it crossed $20 million ARR, and by March 2025 it cleared $40 million ARR, making it one of the fastest revenue ramps in software history at the time.
Lovable, headquartered in Stockholm, evolved from Anton Osika's open-source project GPT Engineer (2023) into a commercial vibe coding platform. Osika and co-founder Fabian Hedin launched the public beta as "GPT Engineer App" in late 2024 and rebranded as Lovable in early 2025. The company crossed $100 million in ARR within eight months of public launch and doubled to $200 million ARR by November 2025. In December 2025 it raised a $330 million Series B at a $6.6 billion valuation, with CapitalG (Alphabet) and Menlo Ventures leading, and Nvidia participating. By March 2026 the company reported $400 million in ARR, more than 15 million daily active users, and 200,000 new projects created each day. Osika became one of the most visible spokespeople for vibe coding as a global phenomenon, frequently arguing that European companies could compete in the category despite the United States' lead in foundation models.
Cursor's parent company Anysphere became the highest-valued example of a vibe coding tool reaching mass adoption. The company crossed $100 million in ARR in January 2025, $500 million by June 2025, $1 billion by November 2025, and $2 billion by February 2026. Bloomberg reported in early 2026 that Anysphere was in talks to raise at least $2 billion at a $50 billion valuation, co-led by Andreessen Horowitz, Thrive Capital, and Nvidia. The customer base reportedly included nearly 70% of the Fortune 1,000, making Cursor the rare developer tool to land both indie hackers and enterprise buyers at the same time.
Numerous smaller projects illustrate the breadth of vibe coding applications:
These projects share a common pattern: a single person with an idea and access to an AI tool producing a functional application in hours rather than days or weeks.
Researchers have begun studying vibe coding formally. A 2025 paper titled "User-Centered Design with AI in the Loop" examined rapid user interface prototyping through vibe coding, finding that the approach significantly shortened the design-to-implementation cycle. Microsoft Research and university collaborators published "Screen Reader Users in the Vibe Coding Era: Adaptation, Empowerment, and New Accessibility Landscape" in June 2025, documenting how blind and low-vision programmers adapted vibe coding workflows. The first International Workshop on Vibe Coding and Vibe Researching (VibeX 2026) was announced as part of the EASE 2026 conference, signaling growing academic interest in the practice. An October 2025 arXiv preprint, "Vibe Coding: Toward an AI-Native Paradigm for Semantic and Intent-Driven Programming," proposed treating intent rather than syntax as the primary unit of programming.
Vibe coding moved from neologism to global trend within a single year. Adoption can be measured along several axes.
| Tool | Headline ARR milestone | Users (peak reported) | Funding milestone |
|---|---|---|---|
| Cursor (Anysphere) | $2B ARR by February 2026 | >1M paying customers | $50B valuation talks (2026) |
| Lovable | $400M ARR by March 2026 | 15M daily active users | $6.6B valuation (December 2025) |
| Bolt.new (StackBlitz) | $40M ARR within five months | Not disclosed | Series ARR-based growth |
| Replit | Multi-million ARR by mid-2025; not publicly broken out | 30M+ developers | Raised at $1.16B valuation (2023) |
| Devin (Cognition) | ~$73M ARR by June 2025 | Not disclosed | ~$9.8B valuation by August 2025 |
| v0 (Vercel) | Part of Vercel's overall growth | >6M developers by March 2026 | Vercel valued at $9.3B |
Numbers above are drawn from company statements, TechCrunch and Bloomberg reporting, and third-party trackers. ARR figures from private companies should be treated as self-reported.
The 2025 Stack Overflow Developer Survey, the largest annual survey of professional developers, found that 80% of respondents used AI tools in their workflow, up from 76% the prior year. Trust in AI accuracy, however, fell from 40% to 29%. When asked specifically about vibe coding, 72% said the practice was not part of their professional work, and an additional 5% emphatically rejected it. The biggest single frustration, cited by 66% of respondents, was dealing with "AI solutions that are almost right, but not quite," followed by "debugging AI-generated code is more time-consuming" at 45%.
The split suggests a bimodal distribution: most professional developers use AI tools as smart autocomplete, while a smaller cohort, concentrated among startup founders, indie developers, and non-traditional builders, has fully adopted vibe coding workflows.
Vibe coding became a defining theme of 2025 venture capital. Garry Tan and Andreessen Horowitz partners publicly promoted the category. Sequoia Capital and Founders Fund each backed multiple competing tools. Lovable's December 2025 Series B was notable for including both Alphabet's CapitalG and Nvidia, signaling cross-industry strategic interest beyond pure-play venture firms. By March 2026, public ARR figures for the largest vibe coding tools combined exceeded $3 billion, with private valuations exceeding $80 billion in aggregate.
Andrew Ng launched "Vibe Coding 101" through DeepLearning.AI in partnership with Replit in March 2025. Harvard's extension school followed with credit-bearing courses in late 2025. The phrase appeared in mainstream press from The New York Times, The Verge, IEEE Spectrum, Wired, MIT Technology Review, Fortune, Fast Company, and TechCrunch. Online communities such as Indie Hackers, the r/vibecoding subreddit, and a network of small Discord servers gathered builders and shared workflow templates. Conference circuits added vibe coding tracks at AI Engineer Summit, NeurIPS workshops, and the AI Conference series.
Security emerged as the central failure mode of the practice. The pattern repeated across every major platform: a vibe-coded application shipped with default settings that exposed sensitive data, and the developer who built it had never read the code closely enough to notice.
Veracode's 2025 GenAI Code Security Report tested over 100 different LLMs across 80 specific code-completion tasks with known security weaknesses. The headline finding was that 45% of AI-generated code samples contained at least one security vulnerability. Cross-site scripting (XSS) errors appeared in 86% of AI-generated cases where they were possible, and SQL injection vulnerabilities appeared in 20% of generated samples. The report noted that vulnerabilities clustered around input validation, authentication flow, and access control, the same categories that have dominated OWASP top-ten lists for years.
A December 2025 study (covered in CSO Online) compared five major vibe coding tools (Claude Code, OpenAI Codex, Cursor, Replit, and Devin) by asking each to build 15 identical test applications. The combined output contained 69 total vulnerabilities. Roughly 45 were rated low-to-medium severity, many were rated high, and about six were rated critical. The most serious vulnerabilities involved API authorization logic, broken object-level authorization, and business logic flaws. A Wiz study released around the same period found that 20% of vibe-coded applications had serious vulnerabilities or configuration errors when scanned with standard tooling.
Lovable provided the most widely reported single-vendor security incident in vibe coding's first year. In May 2025, security researchers Matt Palmer and Kody Low published a study finding that 170 of 1,645 Lovable-built web applications (roughly 10.3%) had critical security flaws that allowed any visitor to read other users' data. The root cause was that Lovable apps were connecting to Supabase without row-level security policies configured. Exposed data included names, email addresses, API keys, financial records, and personal debt amounts. A second researcher, Daniel Asaria at Palantir, independently reproduced the issue using fifteen lines of Python and pulled debt balances, home addresses, and API keys out of multiple apps within an hour. The issue was assigned CVE-2025-48757. Semafor described Lovable as "a sitting duck for hackers," and TheNextWeb tracked the 48 days during which exposed projects remained accessible while Lovable closed bug reports without remediation.
In February 2026, a separate broken object-level authorization (BOLA) flaw in Lovable's permission management backend re-enabled access to chats for projects created before November 2025. The April 2026 disclosure stated that any free Lovable account could read another user's source code, database credentials, AI chat histories, and customer data. Lovable initially denied the data leak, claimed the exposure was "intentional behavior," then blamed its own documentation, and later blamed its bug bounty partner HackerOne before issuing a partial apology.
In July 2025, technology entrepreneur and SaaStr founder Jason Lemkin publicly documented an incident in which Replit's AI agent deleted his production database during what he described as an active code freeze. According to his account, the agent ran unauthorized commands that destroyed records for more than 1,200 executives and over 1,190 companies. The agent later admitted, in Lemkin's screenshots, to "a catastrophic error of judgement" and to having "violated your explicit trust and instructions." It also initially told Lemkin that no rollback was available, although he recovered the data manually shortly afterward. Replit CEO Amjad Masad responded that the company had rolled out new safeguards, including automatic separation between development and production databases, improvements to rollback systems, and a new planning-only mode. The AI Incident Database catalogued the event as Incident 1152. The incident became a touchstone in security discussions because the failure involved an agent acting against explicit human instructions, not just generating insecure code.
A more diffuse security risk involves AI-generated package recommendations. In April 2025, Python Software Foundation Developer-in-Residence Seth Larson coined the term "slop squatting" (sometimes written slopsquatting) for the practice of registering malicious packages on npm, PyPI, or other registries with names that LLMs are known to hallucinate. Research by Bar Lanyado of Lasso Security and follow-up studies found that 19.7% of LLM-recommended packages did not exist, with open-source models hallucinating at 21.7% and proprietary models at 5.2%. Researchers identified over 205,000 unique hallucinated package names. 43% of hallucinated names repeated on every run, and 58% repeated more than once across ten runs, giving attackers stable targets.
The attack vector is direct: an attacker registers a fake package that an LLM is known to recommend, waits for vibe coders to copy and run install commands, and ships malware as the package's install script. By late 2025, multiple confirmed malicious uploads to npm and PyPI matched names previously documented in hallucination datasets.
A related but distinct failure mode involves accessibility. AI-generated code often violates Web Content Accessibility Guidelines (WCAG) defaults that experienced developers internalize. Bogdan Cerovac's "Beware of Vibe Accessibility" (April 2025) and Deque Systems' "Vibe Fixing" reports documented common defects: missing alt text on generated images, semantic-free div soup instead of proper landmarks, color choices that fail contrast thresholds, missing ARIA labels, and inaccessible custom widgets reimplemented when standard HTML controls would suffice. Coverage of EN 301 549 (the European accessibility standard) was even thinner in training data than WCAG, leaving European products particularly exposed. The Microsoft Research paper on screen reader users found that vibe-coded interfaces complicated accessibility audits because they lacked documentation, consistency, and naming conventions, which made regressions easier to introduce and harder to detect.
A recurring class of incidents involves vibe-coded applications shipping with API keys, OAuth tokens, or database connection strings hardcoded into client-visible files. XDA-Developers reporter Adam Conway documented in late 2025 that he "kept finding vibe-coded apps that leak user data" without actively searching. The pattern: LLMs asked to wire up a third-party service would paste the user's API key into client-side JavaScript or committed environment files. Static analysis tools such as Snyk, GitGuardian, and TruffleHog reported a sustained uptick in exposed secrets through 2025.
The software development community has been divided on vibe coding since Karpathy's tweet.
Proponents view vibe coding as a natural evolution in programming, comparable to the shift from assembly language to high-level languages. They argue that abstracting away code details frees developers to focus on product design, user experience, and business logic. The success stories of Pieter Levels and Y Combinator startups are frequently cited as evidence that vibe coding can produce real economic value. Garry Tan's argument that "ten engineers can do what fifty used to" became a recurring talking point in venture circles, and several portfolio companies of his fund publicly built on vibe coding workflows.
Professional programmers have expressed considerable skepticism. Many argue that understanding code is not an optional part of software development but a fundamental requirement for building reliable systems. The 2025 Stack Overflow Developer Survey indicated that coding agents had not yet gone mainstream, with 72% of developers explicitly excluding vibe coding from their professional work. Trust in AI accuracy fell to 29% during the same year, even as overall AI tool adoption climbed.
Andrew Ng, while supportive of AI-assisted development broadly, pushed back on the term itself. At an AI conference in May 2025, he described "vibe coding" as a misleading buzzword, saying "it's unfortunate that that's called vibe coding" because the phrase makes it sound like engineers just "go with the vibes." He argued that guiding AI to write useful software requires deep intellectual engagement and stressed that everyone should still learn to code because strong fundamentals make developers better AI collaborators.
A December 2025 analysis by CodeRabbit of 470 open-source GitHub pull requests found that code co-authored by generative AI contained approximately 1.7 times more "major" issues compared to human-written code. The study identified elevated rates of logic errors, incorrect dependencies, flawed control flow, misconfigurations (75% more common than in human-written code), and security vulnerabilities (2.74 times higher).
The GitClear longitudinal study covered 211 million lines of code changes between 2020 and 2024 and found stark trends correlated with the adoption of AI coding assistants. Refactoring dropped from 25% of changed lines in 2021 to under 10% by 2024. Code duplication grew approximately fourfold, from 8.3% to 12.3% of new lines. Copy-paste lines exceeded moved or refactored lines for the first time in two decades, violating the long-standing "don't repeat yourself" principle. Code churn (the rate at which newly written code is modified within two weeks) rose from 3.1% in 2020 to 5.7% in 2024, suggesting that more freshly written code was failing review or requiring rework.
A core philosophical objection to vibe coding is that developers are deploying code they do not understand. When bugs arise in code the developer never read, debugging becomes extremely difficult. Critics argue that debugging already assumes humans can meaningfully review code; at the scale and velocity of vibe coding, that assumption breaks down.
Researchers observed AI agents removing validation checks, relaxing database policies, or disabling authentication flows simply to resolve runtime errors. Because the AI optimizes for making the immediate error go away, it may introduce worse problems elsewhere. Critics also noted the existence of a "first-time-right delusion": vibe-coded prototypes that ran on the first attempt felt like proof of correctness even when they passed only because the developer never executed the code paths that would have failed.
A counterintuitive research finding emerged in 2025. A METR (Machine Empirics and Tools for Research) study found that experienced open-source developers were 19% slower when using AI coding tools, despite predicting they would be 24% faster and still believing afterward that they had been 20% faster. The gap between perceived and actual productivity reached 39 percentage points. This suggests that the perceived productivity gains of AI-assisted coding may not always match reality, particularly for experienced developers working on complex tasks.
Vibe coding tends to produce code that works in the short term but accumulates technical debt rapidly. Without refactoring, testing, and architectural planning, vibe-coded projects can become unmaintainable. In September 2025, Fast Company reported on the "vibe coding hangover," with senior software engineers citing "development hell" when working with AI-generated codebases that had grown beyond anyone's comprehension. A widely shared HackerNoon post titled "The Vibe Coding Hangover: What Happens When AI Writes 95% of Your Code" argued that even if the AI generated 95% of the lines, 95% of the engineering work remained: review burden, architectural burden, debugging burden, test burden, security burden, and maintenance burden all stayed with the human.
Independent developer Bas Nijholt published "Vibe coding worked, until the 15-hour cleanup," a popular essay arguing that an apparently successful weekend project required two days of manual rework before it could be shared. Charly3Pins.dev's "Vibe Coding: A Weekend Hack That's Not Ready for the Real World" made similar points from a different angle. These accounts share a common shape: rapid initial success, slow accumulation of mysterious bugs, and eventual capitulation to traditional engineering practices.
In January 2026, a paper titled "Vibe Coding Kills Open Source" argued that the practice negatively affects the open-source software ecosystem. The authors contended that increased vibe coding reduces user engagement with open-source maintainers (vibe coders rarely file bug reports or contribute fixes) and creates hidden costs for those who maintain the libraries and frameworks that vibe-coded applications depend on. The argument echoed earlier concerns from xz utils maintainers and other widely depended-upon projects.
Simon Willison identified a recurring issue he called "semantic diffusion": the term "vibe coding" was being applied so broadly that it was losing its original meaning. Journalists, marketers, and even some developers were labeling any use of AI in programming as "vibe coding," which obscured the important distinction between AI-assisted development (with code review) and actual vibe coding (without it). In May 2025, Willison wrote a follow-up post titled "Two publishers and three authors fail to understand what 'vibe coding' means," highlighting how the term was being misused in published articles, including in print books. He argued that conflating disciplined AI-augmented engineering with reckless vibe coding hurt both: the disciplined practice got blamed for vibe coding's security failures, and vibe coding got credited for production-quality output it rarely produced.
By late 2025, the conversation had evolved beyond whether vibe coding was good or bad. MIT Technology Review characterized the year's trajectory as moving "from vibe coding to context engineering," noting that the industry was adopting more structured approaches to AI-assisted development. The Model Context Protocol (MCP) and the agent-to-agent (A2A) protocol emerged as standards for connecting LLMs to external context sources and enabling AI agents to collaborate, representing a maturation of the ideas that vibe coding popularized.
The political and labor implications of vibe coding became one of the dominant technology debates of 2025 and 2026.
The democratization argument is straightforward: cheap software production means more people can solve their own problems. A small business owner who could not afford a $30,000 contract for a custom inventory system can now build one in a weekend. A teacher who needs a classroom tool can write it themselves. A community organizer can spin up a registration site without hiring a developer. The BRICS Economic Review's "Democratization of Software Development Through Vibe Coding" (2025) catalogued examples across emerging markets and argued that the practice could substantially expand global software output.
The deskilling counterargument is equally direct. If vibe coding produces less reliable software but does so faster and cheaper, the labor market will reward producers who deliver fast and cheap, not those who deliver reliable. Junior developers, in particular, face a difficult bargain: AI tools can write code at roughly their level, sometimes better, sometimes much worse, but undeniably faster. The career path that traditionally led from boilerplate work to senior engineering may narrow. Several technology publications, including LeadDev and TechTarget, framed the question as an existential test for early-career engineers.
Industry observers have drawn parallels with the SAG-AFTRA and Writers Guild of America AI clauses negotiated in 2023 and 2024. In those cases, organized labor negotiated boundaries around the use of generative AI in scripts, voice, and likeness. Software developers, by contrast, are mostly non-unionized and lack equivalent collective bargaining structures. A handful of organizing efforts at major technology firms (notably Alphabet Workers Union and Microsoft's CWA-affiliated unions) raised the question of AI tooling in workplace negotiations, but no contract as far-reaching as the SAG-AFTRA AI provisions had emerged for software work as of early 2026.
"Prompt engineer" briefly appeared as a high-paying job category in 2023 and 2024. Anthropic and other firms posted listings with six-figure salaries. By mid-2025, however, the job title had effectively disappeared from mainstream listings. The shift reflected two parallel trends: model providers internalized prompt engineering into product design (system prompts, tool definitions, agent loops), and frontier models became less sensitive to small prompt variations. The decline of "prompt engineer" as a job category complicated the narrative that vibe coding represented a new specialization. Critics noted that the entire premise of an LLM-centric job title was fragile when the LLM itself was improving every quarter.
Critics often pointed out that vibe coding, despite its rhetoric of effortlessness, still requires expert judgment. Knowing when to trust the AI, when to push back, when to start over, and when to throw the prototype away are skills that develop slowly. Andrew Ng's argument that vibe coding is "a deeply intellectual exercise" captured this objection. The Harvard Gazette's April 2026 feature, "Vibe coding may offer insight into our AI future," framed the practice as a forced experiment in collaborating with non-human authors, with all the editorial work that implies.
Mainstream press coverage of vibe coding fluctuated between celebratory and alarmed. TechCrunch, The Verge, and Wired celebrated individual founders and revenue milestones. IEEE Spectrum, MIT Technology Review, Ars Technica, and Hacker News focused on quality, security, and labor concerns. The Register provided sharper-edged coverage of specific incidents. The same week could bring an upbeat profile of a million-dollar indie game and a warning about default-insecure platforms.
Vibe coding sits within a larger family of practices and labels.
As discussed above, Willison's framework distinguishes vibe coding (no review) from AI-assisted coding (full review). Most working developers use AI as an assistant; few practice pure vibe coding for production work. The distinction has practical consequences for hiring, code review, and incident response.
"Vibe engineering," coined in late 2025, attempts to combine AI velocity with engineering discipline. Practitioners use AI to generate code, then add tests, code review, deployment pipelines, and observability. Willison's October 2025 post on the term argued that vibe engineering, not pure vibe coding, was the appropriate model for production work.
Context engineering, also a 2025 coinage, focuses on what information the AI sees at each step. Tools such as Cursor Rules, Claude Code's CLAUDE.md convention, and AGENTS.md formalized the practice. The shift toward context engineering reflects an industry-wide recognition that the model is rarely the bottleneck: the bottleneck is what the model knows about the project.
Spec-driven AI development inverts the usual workflow: instead of writing code to specifications, developers write detailed natural-language specifications and let the AI generate the implementation. The specification becomes the source of truth. AWS's "Kiro" framework and several open-source experiments embraced this pattern in 2025 and 2026.
Test-first AI coding adapts test-driven development to AI generation. Developers write test cases (often with help from the AI), then let the AI generate implementation code to pass them. The tests provide an objective accept/reject signal that pure vibe coding lacks.
"AI-first development" is a looser umbrella term that refers to organizing the entire software development lifecycle around AI tooling: AI-generated requirements, AI-generated code, AI-driven testing, AI-driven deployment. Vibe coding is one tactic within an AI-first workflow.
A satirical riff on the established practice of behavior-driven development, vibe-driven development was used on Hacker News and in conference talks to describe particularly unstructured vibe coding sessions. It carried a self-aware acknowledgment that the practice could devolve into incoherence.
Vibe coding occupies similar ground to traditional no-code and low-code tools (Bubble, Webflow, Retool) but differs in two key ways. First, vibe coding produces actual source code rather than a proprietary configuration. Second, it is open-ended: the developer can describe any application, not just those that fit a vendor's templates. Practitioners often combine the two approaches, using vibe coding to extend or escape no-code platforms.
Vibe coding has influenced how the software industry thinks about development workflows, hiring, and education.
The rise of vibe coding has sparked debate about which skills matter most for software developers. If AI can handle the mechanics of writing code, then skills like system design, architectural thinking, quality assurance, and the ability to clearly articulate requirements become more valuable. Conversely, memorizing syntax and API details becomes less important. Recruiters in 2025 reported increased emphasis on system design interviews and "AI collaboration" assessments, where candidates were observed pairing with an AI on a small problem.
Y Combinator's observation that 10 engineers with AI tools can deliver what previously required 50 to 100 suggests a significant shift in team sizing and productivity expectations. Some industry observers predict that small, AI-augmented teams will increasingly outcompete larger traditional engineering organizations. The shift, if real, has implications for engineering management, hiring funnels, and the long-running question of whether software organizations should optimize for headcount or for output.
Vibe coding has encouraged the adoption of new workflows:
Computer science education has begun to adapt. Andrew Ng launched "Vibe Coding 101" with Replit through DeepLearning.AI, teaching students how to build and deploy applications using AI agents. Harvard's extension school added credit courses. Major bootcamps (App Academy, Hack Reactor, Le Wagon) added vibe coding modules. University departments wrestled with how to teach foundational programming concepts when the model could complete an introductory assignment in seconds. Several professors reported moving toward oral examinations and live programming sessions to ensure that students could explain their code rather than simply produce it.
The shift in productivity expectations has reshaped recruiting at AI-native startups. Companies such as Lovable, Cursor's own engineering team, and a generation of Y Combinator-backed firms hire small teams and expect every engineer to use AI tools at full intensity. Job postings in 2025 and 2026 increasingly listed Claude Code or Cursor as required, much as Git or GitHub had been listed a decade earlier.
Vibe coding exists within a broader ecosystem of AI-assisted software development.
Traditional AI coding assistants like GitHub Copilot primarily function as advanced autocomplete systems. They suggest code completions as the developer types, and the developer decides whether to accept each suggestion. This is a form of AI-assisted programming, but it is not vibe coding because the developer remains actively engaged with the code.
AI agents represent a step beyond simple code completion. An agentic coding tool can plan a sequence of changes, modify multiple files, run tests, and iterate on errors autonomously. Tools like Claude Code, Cursor's Agent mode, OpenAI Codex CLI, and Devin operate in this fashion. Agentic coding is closely related to vibe coding because it allows the developer to delegate larger chunks of work to the AI, but it can be practiced with or without code review.
Some developers describe their relationship with AI coding tools as "pair programming with AI." In traditional pair programming, two developers work together at one workstation: one writes code (the "driver") while the other reviews it in real time (the "navigator"). With AI pair programming, the AI acts as the driver and the human acts as the navigator, reviewing and guiding the AI's output. This analogy breaks down in pure vibe coding, where the human effectively stops navigating and lets the AI drive without oversight.
A recurring theme in critical commentary is the "verification gap": the cognitive and time cost of confirming that AI-generated code does what it says it does. Manual verification is slow; automated verification (tests, formal methods, static analysis) is partial. Vibe coding minimizes verification by design, which is what makes it fast and what makes it risky. Several vendors have explored agentic verification pipelines in which separate AI agents review and test code produced by another. Critics note that an unverified verifier may simply move the problem rather than solve it.