
Vibe coding is lowering the bar for cybercriminals to create phishing websites.
AI coding is already big business, with startups securing attention and funding. However, so-called “vibe coding” has stirred discussions about safety, as AI-generated code snippets might enable attackers to exploit vulnerabilities.
Vibe coding creates security issues and technical debt that non-programmers can't fix. And while AI can generate code quickly, it lacks architectural vision and long-term maintainability.
Apart from writing what coders often call “badly written code,” AI coding platforms have already been exploited by threat actors.
According to new research from Proofpoint, threat actors are increasingly exploiting an AI platform called Lovable to build phishing pages. Proofpoint says it has spotted tens of thousands of malicious Lovable URLs every month since early 2025.
Lovable is an AI startup that lets users create websites and apps with simple text prompts. It raised $200 million in July and hit a $1.8 billion valuation eight months after launch.
Vibe coding tools are used to create phishing campaigns
Proofpoint tracked campaigns where criminals used Lovable to host phishing sites. Malicious websites cloned Microsoft login pages to steal credentials.
Some sites impersonated CAPTCHAs, while others pretended to be shipping giants like UPS, tricking victims into revealing payment details.
In one campaign, scammers used Lovable to spin up fake DeFi landing pages, luring people to connect their crypto wallets before draining them. In another, malware loaders disguised as legit software downloads infected victims with remote-access trojans.
Some AI tools can significantly lower the barrier to entry for cybercriminals. Free users on Lovable can clone any public site on the platform, slap in a new logo, and launch a fresh campaign in minutes. That means one working phishing template can quickly snowball into hundreds.
"While it has always been possible to clone the HTML and CSS of existing websites, creating something new to either impersonate a known brand or masquerade as a legitimate business typically took time and effort from the adversary," wrote the researchers.
According to them, automatic web creation tools enable threat actors to more easily develop phishing sites and spend more time on the attack chain.
“Creators of such tools should be mindful of opportunities for abuse and implement safeguards to prevent exploitation.”
Reportedly, Lovable has stated that it is addressing the issues.
AI coding is controversial
AI coding tools are fueling a new trend in the tech scene: vibe coding. The term was allegedly coined by Andrej Karpathy, co-founder of OpenAI, who posted about “giving in to the vibes and forgetting that the code even exists.”
However, many coders are unhappy with AI's results, as it simply “writes trash code.” One problem is that AI follows its own logic while coding, which might be tricky to understand, troubleshoot, or build upon.
Some Redditors described AI coding like this: “The drunk uncle walks by after the wreck and gives you a roll of duct tape before asking to borrow some money to go to Vegas.”
Security is another problem. The growing adoption of AI-generated code could be seen as a live opportunity for exploitation, as it potentially leaves many security loopholes.
Hackers are also targeting vibe coders by offering them malicious extensions promising shortcuts and accurate results. One such extension has been downloaded 200,000 times. However, instead of providing any useful features, it runs PowerShell scripts, giving attackers remote access to the infected computer.