AI Programming: "Nationwide Frenzy" vs "Sh*t Mountain Crisis"
AI enables everyone to write code, but no one tells you what to do after the code is written. On April 6, New York Times reporters Mike Isaac and Erin Griffith published an article revealing the other side of the widespread use of AI programming tools: **code overload**.

After a financial services company introduced the AI programming tool Cursor, **monthly code output soared from 25,000 lines to 250,000 lines—a tenfold increase. Along with it came a backlog of a million lines of code waiting for review.** StackHawk co-founder and CEO Joni Klippert said, "They simply can't keep up with the growth in code delivery—and the surge in vulnerabilities that come with it." This is not an isolated case, but a new reality faced by the entire industry.

## Code Factory "Exploded"

Last November, Anthropic and OpenAI both upgraded the underlying models for their programming tools Claude Code and Codex. Reportedly, the upgrade turned AI programming agents from "occasionally useful assistants" into "fully automatic code generation machines"—with only minimal human guidance, AI can accomplish weeks’ worth of programming work in a very short time.

Google’s September 2025 survey showed that 90% of software developers are already using AI to assist their work, with 71% of programmers using AI to write code.

The explosion of code output has brought a thorny problem: who will review it? Replit President and Head of AI Michele Catasta put it bluntly: **"Everyone in the company has become a programmer; this is both a blessing and a curse."** Meta CTO Andrew Bosworth wrote in an internal memo this year: "A project that used to require hundreds of engineers can now be completed by dozens. What used to take months can now be done in days." He added that AI’s impact on organizations like Meta is "profound."

Cursor Head of Engineering, Product, and Design Tido Carriero summed it up even more directly: "In a certain sense, the software development factory has already collapsed.
We are trying to reassemble these parts."

## Security Vulnerabilities: The Overlooked Cost

While the amount of code has skyrocketed, security review capabilities haven’t kept up. According to Tencent Technology, in May 2025, Replit employee Matt Palmer scanned 1,645 website apps created on the Vibe Coding platform Lovable, **discovering that 170 of them (about 10.3%) had serious security vulnerabilities**—allowing anyone to access user databases without logging in, and obtain names, emails, financial information, and API keys.

Palantir engineer Daniel Asaria took just 47 minutes to extract personal debt amounts, home addresses, and sensitive keywords from several Lovable demo apps. Security research firm Escape then conducted a broader scan of over 5,600 Vibe Coding apps, finding more than 2,000 security vulnerabilities, over 400 exposed keys, and 175 cases of personal privacy data leaks, including medical records and bank accounts. Most of the creators of these apps had no security knowledge whatsoever.

Silicon Valley VC Costanoa Ventures advisor Joe Sullivan commented, "All the application security engineers in the world together still can’t meet the demands of U.S. companies." He stated that the large enterprises he's been in contact with would gladly hire 5 to 10 more people for these roles if they could.

Sullivan also pointed out a more hidden risk: AI programming tools work better on local laptops, which has led increasing numbers of engineers to download their entire company’s codebase to personal computers. "This was a crazy risk nobody saw coming six months ago, and now they’re working to solve it."

## Open Source Community: "DDoS Attacks" of Garbage PRs

The impact of AI-generated code is especially evident in the open source community. According to Tencent Technology, cURL founder Daniel Stenberg shut down a six-year-old vulnerability bounty program in January 2026.
The reason wasn’t budget, but the overwhelming flood of fake vulnerability reports generated by AI. In the three weeks before closure, cURL received 20 submissions, none of which were confirmed as real vulnerabilities. At the FOSDEM 2026 conference, Stenberg revealed that before 2025, about one sixth of security reports for cURL were valid; by the end of 2025, this had fallen to one twentieth, or even one thirtieth. He called this phenomenon a "DDoS attack on open source."

Steve Ruiz, founder of the digital whiteboard startup tldraw, told the New York Times **that he noticed a large number of peculiar contributors last autumn—some would quit at the last step after completing all work, some would ignore clear guidance, and some would submit batches of garbage updates. He judged these were most likely AI bots and closed external contribution channels in January this year.** "The risk to the codebase is very high," he said. "This shock could endanger the team, community, and project’s reputation."

Ghostty creator Mitchell Hashimoto also banned all unaudited AI-generated code contributions at the beginning of 2026 and launched a trust-based Vouch system. Voiceflow Head of Infrastructure Xavier Portilla Edo offered a quantitative judgment: **"Only one in ten AI-generated PRs is reasonable—the other nine waste maintainers’ time."**

GitHub released two new settings in February 2026, allowing repositories to fully disable Pull Requests or restrict them to collaborators only. When the platform itself has to provide "shut-off valve" features, it means the problem is structural.

An AI engineer from a large tech company summed it up for Tencent Technology: **"When developers submit garbage PRs to Vibe, it harms open source maintainers; when security personnel submit garbage vulnerabilities to Vibe, it harms vulnerability auditors.
It’s completely disrespectful of others’ time."**

## Efficiency Illusion: Feels Faster, Actually Slower

Do AI programming tools really improve efficiency? The data gives a surprising answer. According to Tencent Technology, in a randomized controlled experiment published by METR (Model Evaluation and Threat Research) in 2025, 16 experienced open source developers completed 246 real tasks in large, familiar code repositories, randomly assigned to be able to use AI tools or not. **Result: Developers who used AI tools actually took 19% longer to complete tasks.**

More noteworthy is the cognitive bias: These developers estimated AI would make them 24% faster before the experiment and still believed they were 20% faster after it ended. **Meanwhile, the 2025 Stack Overflow developer survey showed trust in AI accuracy dropped from 40% the previous year to 29%, and 46% of developers explicitly expressed distrust of AI tools’ accuracy.**

The massive surge in app numbers confirms the scale of this "efficiency illusion." According to Sensor Tower data cited by Tencent Technology, U.S. iOS app releases rose 56% year-on-year in December 2025 and 54.8% year-on-year in January 2026, both hitting four-year highs. Appfigures stats show 557,000 new apps were submitted to the App Store in 2025, up 24% from 2024—the biggest wave since 2016. Apple has already removed the Vibe Coding app Anything from the App Store (which had raised $11 million at a $100 million valuation), and frozen updates to Replit, Vibecode, and similar tools for months.

## Using AI to Solve Problems Created by AI

Faced with code overload, tech companies’ answer remains: more AI. Both Anthropic and OpenAI have launched AI-driven code review tools to automatically detect errors. In December last year, Cursor acquired code review bot startup Graphite and integrated its technology into their product, helping engineers prioritize the most sensitive code review needs. Whether this path will work is still undetermined.
According to Tencent Technology, Adam Wathan, creator of Tailwind CSS, disclosed in January 2026 that despite Tailwind having 75 million monthly downloads, its documentation traffic has dropped about 40% compared to early 2023, and revenue has fallen nearly 80%. "Documentation is the only channel for people to discover our commercial products. Without customers, we can’t sustain framework development."

**RedMonk analyst Kate Holterhoff dubbed this phenomenon "AI Slopageddon." As Tencent Technology said: The 'mountain of crap' crisis of AI code is just beginning.**