---
title: "AI coding agents accidentally introduced vulnerable dependencies"
slug: "ai-coding-agents-accidentally-introduced-vulnerable-dependencies"
date: 2026-03-15
category: community
tags: [openai, anthropic, agents]
language: en
sources_count: 1
featured: false
publisher: AInauten News
url: https://news.ainauten.com/en/story/ai-coding-agents-accidentally-introduced-vulnerable-dependencies
---

# AI coding agents accidentally introduced vulnerable dependencies

**Published**: 2026-03-15 | **Category**: community | **Sources**: 1

---

## TL;DR

- A developer found a cryptominer running on their server – root cause was CVE-2025-29927, a critical Next.js vulnerability that bypasses middleware protections entirely.

---

## Summary

- A developer found a cryptominer running on their server – root cause was CVE-2025-29927, a critical Next.js vulnerability that bypasses middleware protections entirely.
- The app was largely built with Claude Code and OpenAI Codex ('vibe coding'). AI-generated code pulled in outdated or vulnerable dependencies without anyone explicitly auditing their security posture.
- The attacker reached internal endpoints assumed to be protected and executed a script that downloaded a mining binary.
- The first sign was CPU usage near 100% even during low traffic – only manual process inspection revealed the miner.

---

## Why it matters

A developer found a cryptominer running on their server – root cause was CVE-2025-29927, a critical Next.js vulnerability that bypasses middleware protections entirely.

---


## Nauti's Take

'Vibe coding' is an apt name – you ride a wave of AI-generated output feeling productive, until the hangover hits. This isn't an isolated incident; it's a structural problem. AI tools don't know which packages are vulnerable today, and nobody asks them to check. The output sounds competent but is a snapshot from training data with zero live threat intelligence baked in. Anyone seriously using AI coding agents should treat `npm audit`, Dependabot, or Snyk as mandatory hard gates in CI/CD – not optional extras. In this case, a cryptominer was arguably the least damaging possible outcome.

---
## FAQ

**Q:** What is AI coding agents accidentally introduced vulnerable dependencies about?

**A:** A developer found a cryptominer running on their server – root cause was CVE-2025-29927, a critical Next.js vulnerability that bypasses middleware protections entirely.

**Q:** Why does it matter?

**A:** A developer found a cryptominer running on their server – root cause was CVE-2025-29927, a critical Next.js vulnerability that bypasses middleware protections entirely.

**Q:** What are the key takeaways?

**A:** A developer found a cryptominer running on their server – root cause was CVE-2025-29927, a critical Next.js vulnerability that bypasses middleware protections entirely. The app was largely built with Claude Code and OpenAI Codex ('vibe coding'). AI-generated code pulled in outdated or vulnerable dependencies without anyone explicitly auditing their security posture. The attacker reached internal endpoints assumed to be protected and executed a script that downloaded a mining binary.

---

## Related Topics

- [openai](https://news.ainauten.com/en/tag/openai)
- [anthropic](https://news.ainauten.com/en/tag/anthropic)
- [agents](https://news.ainauten.com/en/tag/agents)

---

## Sources

- [AI coding agents accidentally introduced vulnerable dependencies](https://news.ycombinator.com/item?id=47387054) - Hacker News AI

---

## About This Article

This article is a synthesis of 1 source, curated and summarized by AInauten News. We aggregate AI news from trusted sources and provide bilingual (German/English) coverage.

**Publisher**: [AInauten](https://www.ainauten.com) | **Site**: [news.ainauten.com](https://news.ainauten.com)

---

*Last Updated: 2026-03-15*
