Silent Seizure: How a “Vibe-Coding” AI Platform Left a Journalist Exposed

On February 16, 2026, a startling cybersecurity demonstration proved that the convenience of AI coding might come with a devastating price tag. Using Orchids, a prominent AI “full-stack engineer” platform, researcher Etizaz Mohsin managed to hijack a BBC reporter’s laptop without a single interaction from the victim.

The breach represents a shift in cyber-warfare: moving away from social engineering (tricking users) toward automated exploitation within the tools we trust to build our software.

Also Read | Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail

What is “Vibe-Coding” and Why Did It Fail?

“Vibe-coding” became a viral trend in late 2025, describing a process where non-technical users build complex apps simply by “vibing” with a chatbot.

• The Promise: Describe an app in plain English, and the AI handles the frontend, backend, and deployment.

• The Flaw: Because the platform—in this case, Orchids—executes the code it writes on the user’s local machine or a trusted cloud environment, it creates a direct bridge to the system’s hardware.

• The Breach: Mohsin discovered that by slipping a “tiny change” into the AI-generated code, he could bypass security sandboxes. The platform accepted the malicious logic as “valid,” effectively handing the keys of the machine to the researcher.

The Zero-Click Takeover: A Step-by-Step Breakdown

Unlike traditional phishing, where you must click a suspicious link, this attack was entirely passive for the victim.

1. The Setup: The reporter was working on a test project within the Orchids interface.

2. The Injection: Mohsin, acting as a “collaborator” or exploiting a shared project link, inserted a snippet of malicious code into the AI’s generation stream.

3. The Execution: Orchids automatically ran the code to “update” the app.

4. The Takeover: Within seconds, the researcher had remote shell access. He changed the laptop’s wallpaper to a robot skull with the message: “you are hacked.”

[Image Description: A high-contrast conceptual image of a glowing robotic skull appearing on a laptop screen, with translucent lines of binary code flowing from a chatbot window into the computer’s motherboard.]

Also Read | Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail

Investigative Angle: The Hidden Backdoor in AI Agents

Our investigation into the “Agentic AI” surge of 2026 reveals a growing security vacuum.

The Strategy: Platforms like Orchids, Lovable, and Replit are racing to provide “one-click deployment.” However, our data shows that AI-authored code contains 2.74 times more security vulnerabilities than human-written code. By giving these AI “agents” deep system permissions to manage files and execute terminal commands, users are effectively removing the “human firewall” that typically stops unauthorized access.

Expert Warnings: Professor Kevin Curran on Autonomous Risk

Also Read | Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail

Professor Kevin Curran of Ulster University warns that the speed of AI development is outstripping our ability to secure it.

• Lack of Review: Because the AI writes thousands of lines of code in seconds, users rarely review the logic.

• Scaling Vulnerabilities: A single flaw in an AI’s “template” can be propagated across a million user projects instantly.

• Privilege Escalation: If an AI agent has the permission to “fix a bug,” it inherently has the permission to “install a backdoor.”

[AI CODING PLATFORMS: SECURITY TRACKER (FEB 2026)]

Next Steps

If you are a regular user of AI coding tools, you should never run experimental projects on your primary machine. Furthermore, if you are a developer, you should audit all AI-generated permissions and use “sandboxed” environments like Docker or virtual machines to isolate the AI’s workspace from your personal files.

Also Read | Imran Khan and Bushra Bibi Sentenced to 17 Years in Jail

End….