AI‑Generated Code Vulnerabilities Spike
Researchers say AI coding assistants have been tied to a surge in real vulnerabilities — Georgia Tech flagged at least 35 new CVEs in March attributed to AI‑generated code, and reporting warns auto‑generated code often misses context and best practices. Attack groups like 'TeamPCP' have exploited weak AI‑produced code to accelerate attacks on AI developers, underscoring operational risk. (infosecurity-magazine.com) (theregister.com) (forbes.com)
Georgia Tech’s Vibe Security Radar attributes the majority of recent AI‑linked CVEs to specific assistants: 27 were traced to Anthropic’s Claude Code, four to GitHub Copilot, two to Devin and one each to Aether and Cursor. (theregister.com) The Vibe Security Radar effort is maintained by Georgia Tech’s Systems Software & Security Lab and was launched in May 2025 to catalogue vulnerabilities introduced by AI‑generated code across open source and CI/CD ecosystems. (infosecurity-magazine.com)

Apiiro’s enterprise analysis examined tens of thousands of repositories and reported that AI‑assisted developers produced three to four times more commits while introducing an order of magnitude more security findings, including dramatic increases in privilege‑escalation and design‑flaw paths. (apiiro.com)

The threat group tracked as “TeamPCP” executed a four‑wave supply‑chain campaign between March 19 and 24, 2026 that targeted widely used CI/CD tools, including Aqua Security’s Trivy, Checkmarx’s KICS/AST GitHub Actions, and the LiteLLM PyPI package. (labs.cloudsecurityalliance.org) Post‑breach telemetry shows TeamPCP deployed an almost identical credential stealer across victims, harvested secrets from CI runner memory and file systems, packaged exfiltrated data into a tpcp.tar.gz archive, and sent it to a domain under the attackers’ control. (socradar.io) Checkmarx publicly disclosed the GitHub Actions compromises on March 24, 2026, and multiple security vendors reported follow‑on abuse of stolen tokens that turned a single pipeline compromise into additional supply‑chain incidents. (secure.com)

Earlier, researchers tied high‑severity CVEs to AI assistant output, for example CVE-2025-55526 (a 9.1 directory‑traversal bug in n8n‑workflows) and GHSA-3j63-5h8p-gf7c (an improper input‑handling issue in the x402 SDK), illustrating both critical runtime and logic errors in AI‑generated code. (theregister.com)