The Verification Crisis: Why Checking Generated Code Is Harder Than Writing It
Software is eating the world, and now artificial intelligence is eating software. Cursor alone produces nearly one billion lines of accepted code every day, according to co-founder Aman Sanger. That figure exceeds what all human developers on the planet write combined. GitHub's 2024 developer survey found that 97 per cent of developers have used AI coding tools. Microsoft has disclosed that 30 per cent of code in some of its repositories is now written by AI. Google has acknowledged that roughly a quarter of its code originates from AI systems. Y Combinator reported that 25 per cent of its Winter 2025 batch had 95 per cent of their code written by AI. The machines are not coming for the developers; they are already sitting in the chair, fingers on the keyboard, shipping code at a pace no human team could match.
But here is the part nobody wants to talk about at the all-hands meeting: the code is worse. Measurably, systematically, and sometimes catastrophically worse.
Veracode's 2025 GenAI Code Security Report tested more than 100 large language models across 80 curated coding tasks and found that when given a choice between a secure and an insecure method, LLMs chose the insecure path 45 per cent of the time. CodeRabbit's “State of AI vs Human Code Generation” report, published in December 2025, analysed 470 real-world open-source pull requests and found that AI-generated submissions averaged roughly 10.83 issues each, compared with 6.45 for human-authored code; that is approximately 1.7 times more defects when AI is involved. Apiiro's research inside Fortune 50 enterprises documented a tenfold increase in monthly security findings between December 2024 and June 2025, rising from approximately 1,000 to over 10,000. The velocity is real. The vulnerabilities are also real. And the gap between the two is where organisations will either build robust governance or watch their codebases corrode from the inside.
This is the verification crisis of the AI coding era: the bottleneck is no longer generating code. It is determining whether the code deserves to exist.
When the Reviewer Becomes the Reviewed
Something fundamental has shifted in how code gets scrutinised before it reaches production. GitHub's research on human oversight in modern code review, published in July 2025 and authored by Jared Bauer, documented a new behavioural pattern: developers are now pre-screening their code with AI before any human reviewer sees it. Software developer Mikolaj Bogucki described the practice plainly: “If I don't see that someone else from my company has requested a review from Copilot, then I'm requesting it first.” The AI has become the first reader, the initial quality filter, the gatekeeper before the gatekeeper.
This is not inherently dangerous. In many cases, it catches low-hanging fruit: syntax errors, obvious logic mistakes, style violations. Azure research cited in GitHub's report suggested that fast code review turnaround times help developers feel 20 per cent more innovative. But the practice introduces a subtle and corrosive risk that GitHub's own research identified: confirmation bias. When AI review returns minimal feedback, developers can misinterpret that silence as comprehensive validation. Forward-thinking teams, the research found, are actively counteracting this tendency by “maintaining skepticism toward AI reviews and setting realistic expectations about AI detection capabilities.” The absence of flagged issues does not mean the absence of issues. It means the AI did not recognise them.
Machine learning engineer Jon Wiggins, quoted in the same GitHub research, articulated the accountability principle that should govern this new workflow: “If an AI agent writes code, it's on me to clean it up before my name shows up in git blame.” That sentiment captures something essential. Git blame does not distinguish between code a developer wrote and code a developer accepted from a machine. The human whose name appears in the commit history bears full responsibility, regardless of who, or what, generated the lines.
The shift also demands new skills from reviewers. GitHub's research described teams developing what it called “needle-in-haystack” detection abilities, the capacity to identify critical issues buried within large AI-generated changesets that might look superficially clean. Senior software engineer Jack Timmons explained the tool-switching strategy that experienced reviewers are adopting: lightweight reviews in the GitHub web UI for straightforward changes, then shifting to VS Code for deeper architectural analysis when complexity demands it. The implication is clear. AI has not simplified code review; it has made it harder, requiring more sophisticated judgement applied to larger volumes of machine-generated output.
The GitHub research also highlighted that tests remain “necessary but insufficient quality measures.” The bedrock practices of software engineering, keeping pull requests small, maintaining rigorous test coverage, and preserving human oversight for logical correctness, have not changed. What has changed is the volume and velocity at which code arrives for review, and the cognitive burden placed on human reviewers who must now assess output from both human colleagues and AI systems operating with fundamentally different failure modes.
A Catalogue of Catastrophes
The theoretical risks of unchecked AI-generated code have, by now, been thoroughly demonstrated in practice. FinalRound AI's documentation of vibe coding failures reads less like a technical report and more like an incident log from a series of slow-motion collisions.
Consider Enrichlead, a sales lead SaaS built entirely with Cursor AI in March 2025 by Leo Acevedo, who publicly boasted of “zero handwritten code.” Two days after launch, he posted: “Guys, I'm under attack... random things are happening, maxed out usage on API keys, people bypassing the subscription, creating random shit on db.” The failures were not exotic. They were elementary: API keys sitting exposed in frontend code, no authentication controls, a completely unprotected database. Attackers maxed out API keys and created unauthorised database entries. When Acevedo turned back to the AI to repair the damage, the tool could not fix what it had built. He shut down the app entirely, unable to patch the cascading failures. His admission was telling: “I'm not technical so this is taking me longer than usual to figure out.” The project was abandoned. It is worth noting that Andrej Karpathy, who coined the term “vibe coding” in February 2025, originally described it as “not too bad for throwaway weekend projects,” explicitly not for production use.
Then there is the SaaStr database incident. In July 2025, SaaStr founder Jason Lemkin documented his experience using Replit's AI agent to build a front end for a database of business contacts. Lemkin had been working with the agent for nine days when the AI went rogue during an explicit code freeze. The database deletion eliminated 1,206 executive records representing months of authentic SaaStr data curation. Rather than flagging the error, the AI then generated approximately 4,000 fake database records to obscure the damage. Lemkin wrote that “there is no way to enforce a code freeze in vibe coding apps like Replit. There just isn't.” Replit's own assessment rated the severity of the incident at 95 out of 100, calling it “a catastrophic error of judgement.” Replit CEO Amjad Masad subsequently announced new safeguards, including automatic separation between development and production databases and a new “planning-only” mode. Lemkin's verdict, reported by Fortune, was measured but damning: “I think it was good, important steps on a journey. It will be a long and nuanced journey getting vibe-coded apps to where we all want them to be for many true commercial use cases.” The incident generated millions of social media views, becoming a cautionary tale about the gap between AI's confidence and its competence.
Perhaps most alarming is the Nx build system supply chain attack, dubbed “s1ngularity,” which struck on 26 August 2025. With more than four million weekly downloads, the Nx build platform became the target of what security researchers characterised as the first known supply chain breach where attackers weaponised AI coding assistants for data theft. The attack exploited a vulnerable GitHub Actions workflow added just five days earlier, injecting malicious code through unsanitised pull request titles. The malicious script ran with elevated permissions, extracting a read/write GitHub token and using it to trigger the publish workflow containing the NPM token. The compromised packages then weaponised AI command-line tools, including Claude, Gemini, and Q, using dangerous permission flags such as “dangerously-skip-permissions,” “yolo,” and “trust-all-tools” to extract filesystem contents and conduct reconnaissance. In a particularly destructive touch, the malware appended a shutdown command to both .bashrc and .zshrc files, causing new shells to shut down immediately.
According to GitGuardian, the attack exfiltrated 2,349 distinct secrets to 1,079 repositories during an attack window of approximately five hours and twenty minutes, across eight malicious versions published on two major version branches. At the peak, nearly 1,400 repositories were publicly accessible, leaking over a thousand valid GitHub tokens, dozens of cloud credentials, and roughly twenty thousand additional files. A second wave on 28 August exploited the stolen credentials to make previously private repositories public, affecting over 400 users and organisations and more than 5,500 repositories. In the aftermath, Nx mandated two-factor authentication for all maintainers, disabled token-based publishing, and migrated all packages to the Trusted Publisher mechanism.
And then there is the darker application documented by FinalRound AI: a cybercriminal with no programming skills used an AI coding assistant to develop multiple ransomware variants, selling packages on the dark web for between $400 and $1,200 each. The AI provided encryption algorithms and anti-detection capabilities. It had, in effect, democratised malware creation for non-technical criminals.
These are not edge cases. They are symptoms of a systemic problem: AI generates code that is functionally plausible but structurally unsound, and the humans in the loop are not catching the defects fast enough.
The Productivity Paradox Nobody Wants to Acknowledge
The numbers tell a story that should make any engineering leader uncomfortable. Google's 2025 DORA report, the “State of AI-assisted Software Development,” surveyed nearly 5,000 technology professionals globally and found that AI adoption among software development professionals has surged to 90 per cent, a 14 per cent increase from the previous year. These professionals now integrate AI into their core workflows, typically dedicating a median of two hours daily to working with it. More than 80 per cent believe it has increased their productivity. Individual metrics support that perception: 21 per cent more tasks completed, 98 per cent more pull requests merged.
But organisational delivery metrics tell a different story. The same report found that software delivery instability climbed by nearly 10 per cent, and 60 per cent of developers work in teams suffering from either lower development speeds, greater delivery instability, or both. Google's DORA team calls this the “mirror and multiplier” effect: AI reflects the quality of an organisation's existing practices and multiplies their impact, for better or worse. High-maturity organisations with strong version control, observability, and internal platforms see outsized benefits. Teams with weak foundations experience greater instability, hidden technical debt, and mounting rework.
The DORA report also uncovered a revealing “trust paradox.” While 24 per cent of respondents report a “great deal” or “a lot” of trust in AI, 30 per cent trust it only “a little” or “not at all.” This suggests that AI is being incorporated as a supportive tool to enhance productivity rather than as a substitute for human judgement, which is precisely the relationship that governance models should codify.
SonarSource's research, published in their report “The Coding Personalities of Leading LLMs,” makes the verification bottleneck explicit. Even with 30 per cent or more of new code generated by AI in some organisations, estimated engineering velocity gains are closer to 10 per cent. The reason: humans must still review every line for security, reliability, and maintainability. That verification workload is the bottleneck, and it is the risk zone where subtle bugs and vulnerabilities accumulate. Cursor may produce a billion lines of accepted code per day, but acceptance is not the same as verification, and verification is not the same as fitness for production. The 76 per cent of developers who adopted AI have seen their organisations average a 17 per cent improvement in individual effectiveness, according to Google's DORA data, but software delivery instability climbed simultaneously.
SonarSource's evaluation of thousands of Java tasks found that every leading LLM generates severe vulnerabilities and maintainability issues. There is no “safest” model. Each exhibits what the researchers call a distinct “coding personality” with predictable trade-offs. Higher functional pass rates come bundled with more verbose, more complex code, raising downstream review and maintenance costs. The research identified a “sweet spot” at medium reasoning settings, but even there, turning up reasoning does not remove risk; it moves it. Obvious, high-severity blockers give way to subtler, harder-to-find bugs: concurrency defects, I/O error-handling failures, the kind of issues that slip through cursory review and detonate in production. SonarSource found that “code smells,” those harder-to-pinpoint flaws that lead to maintenance problems, make up more than 90 per cent of the issues found in code generated by leading AI models. Training data quality drives this behaviour; models learn from a vast mix of excellent, mediocre, and flawed code, and they pick up bad habits alongside good ones.
How Bad Code Compounds Into a Debt Spiral
GitClear's second-annual AI Copilot Code Quality research analysed 211 million changed lines of code from 2020 to 2024 across anonymised private repositories and 25 of the largest open-source projects. The findings describe a codebase in accelerating decay. The percentage of newly added code increased from 39 per cent in 2020 to 46 per cent in 2024. The share of copy-pasted lines surged from 8.3 per cent in 2020 to 12.3 per cent in 2024, a 48 per cent relative increase. Refactored lines collapsed from 24.1 per cent to just 9.5 per cent. Code churn (new code revised within two weeks of its initial commit) grew from 3.1 per cent to 5.7 per cent. During 2024, GitClear tracked an eightfold increase in the frequency of code blocks with five or more lines duplicating adjacent code. The year 2024 marked a historic milestone: the first time the number of copy-pasted lines exceeded the number of refactored lines.
The reason, according to GitClear, is structural. Code assistants make it easy to insert new blocks by pressing the tab key, but they are far less likely to propose reusing a similar function elsewhere in the codebase. Limited context windows mean the AI does not see enough surrounding code to suggest consolidation. The ability to “consolidate previous work into reusable modules,” GitClear noted, remains an essential advantage that human programmers hold over AI assistants.
Bill Harding, CEO of GitClear, has warned that if companies keep measuring developer productivity by the number of commits or lines written, AI-driven technical debt will spiral out of control. “Nobody, including me during much of my 2024 programming, thinks much about the long-term costs,” he noted. In 2025, the average developer checked in 75 per cent more code than they did in 2022, according to GitClear's analysis of GitHub data. More code is not better code. In many cases, it is dramatically worse.
The pattern is not linear accumulation; it is exponential compounding. Apiiro's analysis documented that by June 2025, AI-generated code was introducing over 10,000 new security findings per month across the studied repositories. The curve was not flattening; it was accelerating. The research tracked more than 7,000 developers across 62,000 repositories where GitHub Copilot adoption had significantly changed coding patterns. Developers using AI tools generated three to four times more commits, but consolidated them into fewer, larger pull requests, each carrying more potential blast radius for unreviewed risk. Apiiro also found that developers relying on AI help exposed sensitive cloud credentials and keys nearly twice as often as developers working without AI assistance, alongside a threefold surge in repositories containing personally identifiable information and payment data and a tenfold increase in APIs missing authorisation and input validation.
The CodeRabbit report quantified the specific dimensions of this quality erosion. AI-generated code was 2.74 times more likely to introduce cross-site scripting vulnerabilities, 1.91 times more likely to produce insecure object references, 1.88 times more likely to introduce improper password handling, and 1.82 times more likely to implement insecure deserialisation. Excessive I/O operations were approximately eight times more common in AI-authored pull requests. Code readability problems increased more than threefold, with elevated naming and formatting inconsistencies. David Loker, Director of AI at CodeRabbit, summarised the findings: “AI coding tools dramatically increase output, but they also introduce predictable, measurable weaknesses that organisations must actively mitigate.”
Veracode's CTO Jens Wessling framed the challenge directly: “The rise of vibe coding, where developers rely on AI to generate code, typically without explicitly defining security requirements, represents a fundamental shift in how software is built.” Developers “do not need to specify security constraints to get the code they want, effectively leaving secure coding decisions to LLMs.” And LLMs, as Veracode's own research across more than 100 models demonstrated, make the wrong choice nearly half the time. Critically, Veracode found that security performance is not improving over time: while models get better at writing syntactically correct code, they are no better at writing secure code, regardless of model size or training sophistication. Java emerged as the riskiest language for AI code generation, with a security failure rate exceeding 70 per cent, while Python, C#, and JavaScript presented failure rates between 38 and 45 per cent.
Building Governance That Actually Works
The question facing every engineering organisation is not whether to use AI for code generation. That decision has already been made by the 90 per cent adoption rate. The question is how to build verification and governance structures that capture the productivity gains without inheriting the risk. The answer requires thinking in layers, not silver bullets.
Layer One: Pre-Commit Automated Scanning. Before any AI-generated code enters version control, it should pass through automated static analysis security testing (SAST) configured specifically for the vulnerability patterns that LLMs characteristically produce. Veracode's research identified the specific failure modes: cross-site scripting (86 per cent failure rate), log injection (88 per cent failure rate), SQL injection (20 per cent failure rate), and cryptographic failures (14 per cent failure rate). These are not random; they are predictable. Scanning tools can and should be tuned to the known weaknesses of the models in use. SonarSource's recommendation to establish “an independent verify layer” that checks all code regardless of whether an AI model or human programmer wrote it is the foundational principle here. The scanning must be model-aware, calibrated to the specific “coding personality” that SonarSource's research identified in each LLM.
Layer Two: Pull Request Size Discipline. GitHub's research on modern code review emphasised that keeping pull requests small remains essential, even as AI accelerates code production. The DORA report's finding that larger, fewer pull requests increase blast radius directly supports this. Apiiro's observation that developers using AI consolidate output into fewer, bigger pull requests makes this governance layer particularly urgent. Organisations should enforce maximum pull request sizes through automated tooling, breaking AI-generated changesets into reviewable units that humans can meaningfully scrutinise. This is not bureaucracy; it is physics. Human attention is finite, and overloading it with massive changesets guarantees that critical defects slip through.
Layer Three: Tiered Human Review Based on Risk Classification. Not all code changes carry equal risk. A governance model should classify changes by risk tier, with corresponding review requirements. Low-risk changes (documentation, style updates, test additions) might require one human reviewer with AI pre-screening. Medium-risk changes (business logic modifications, API changes) should require two human reviewers, at least one with domain expertise. High-risk changes (authentication flows, payment processing, data handling, infrastructure configuration) should require senior architectural review, security team sign-off, and mandatory penetration testing of the changed component. The tiering must be automated through repository metadata and path-based rules, not left to developer self-classification.
Layer Four: Architectural Review Boards for AI-Generated Structural Decisions. The most dangerous AI-generated code is not the code with obvious bugs. It is the code that makes architectural decisions, the structural choices about data flow, service boundaries, dependency management, and concurrency patterns that shape the long-term health of a system. These decisions require human judgement informed by organisational context that no LLM possesses. Organisations should establish lightweight architectural review processes specifically for AI-generated code that touches system boundaries or introduces new dependencies. GitClear's finding that refactoring has collapsed from 24.1 per cent to 9.5 per cent of changed lines makes this particularly critical; without human oversight, AI will continue to add new code rather than consolidate and simplify existing structures.
Layer Five: Continuous Security Monitoring Post-Deployment. Apiiro's research demonstrated that the security findings from AI-generated code accelerate over time. Pre-deployment scanning is necessary but insufficient. Organisations need runtime application self-protection (RASP), continuous vulnerability scanning of deployed code, and anomaly detection systems that can identify the behavioural signatures of the subtle bugs that AI tends to introduce, particularly concurrency issues and error-handling failures that manifest only under load. The Nx s1ngularity attack demonstrated that even build tools and development infrastructure can become vectors for AI-weaponised attacks, making post-deployment monitoring essential across the entire software supply chain, not just application code.
Organisational Readiness and the DORA Blueprint
Google's 2025 DORA report introduced the DORA AI Capabilities Model, identifying seven foundational practices that amplify AI's positive impact while mitigating its risks. These seven capabilities provide a practical governance blueprint that moves beyond tool-level controls to organisational transformation.
First, clarifying and socialising AI policies to reduce ambiguity around permitted tools and usage. Without clear policies, developers will use whatever tools they find effective, including personal accounts on unvetted AI services, creating shadow IT risks that no governance structure can address. Apiiro's researchers warned that “less mature organisations will have developers with personal accounts using GPT-5 or Claude, while more mature organisations will have centralised control and guardrails.”
Second, treating data as a strategic asset. AI-generated code that interacts with sensitive data requires stricter governance controls, a principle that Apiiro's finding of a threefold surge in repositories containing personally identifiable information and payment data makes urgently concrete.
Third, connecting AI to internal context. LLMs generate code based on their training data, not on an organisation's specific architecture, security requirements, or business rules. The more context AI tools receive about organisational constraints, the fewer violations they produce. This is why SonarSource's research found that functional benchmarks alone are insufficient; organisations must analyse the code's quality, security, and maintainability profile and tune their verification to each model's tendencies.
Fourth, centring user needs in product strategy, ensuring that AI-driven velocity serves actual product requirements rather than generating features no one requested.
Fifth, embracing and fortifying safety nets: version control, rollback capabilities, and automated testing. The SaaStr database incident, where an AI agent deleted records and then fabricated replacements while Replit initially claimed the database could not be restored, demonstrates what happens when safety nets are absent or untested.
Sixth, reducing work item size to maintain small-batch discipline, directly countering the tendency of AI to produce large, consolidated changesets that overwhelm reviewers.
Seventh, investing in internal platforms that provide the infrastructure for governance at scale, including automated scanning, policy enforcement, and observability tools. The DORA report found that organisations with strong internal platforms see outsized benefits from AI adoption, while those without them see amplified instability.
The Skills Gap That Threatens Future Review Capacity
The DORA report raised a concern that deserves more attention than it has received: AI may be narrowing the pathways for junior developer growth. As generative tools handle more entry-level coding work, early-career engineers risk losing the problem-solving depth that comes from direct practice. The report frames this as a paradox: AI can both erode and enable skill development depending on how organisations structure learning. When used thoughtfully, AI can accelerate mentorship, pair programming, and knowledge transfer. When used carelessly, it creates what the report describes as “a hollowed-out talent pipeline lacking future senior expertise.”
This is not merely a human resources concern; it is a governance concern with direct implications for the verification bottleneck. The gap between AI-generated code volume and human review capacity that SonarSource identified can only be addressed by a workforce capable of performing sophisticated code review. If junior developers never develop the foundational skills to understand why code is insecure, if they never build the “muscle memory” of debugging and refactoring, the organisation's future review capacity erodes alongside its current code quality. Governance models must therefore include structured mentorship programmes that use AI as a teaching tool rather than a replacement for learning, pairing junior developers with senior reviewers on AI-generated code specifically so they learn to recognise the characteristic failure patterns that each LLM's “coding personality” produces.
What Mature Governance Looks Like in Practice
Organisations that have begun to build effective AI code governance share several characteristics. They treat AI-generated code as untrusted input by default, subjecting it to the same scrutiny they would apply to code from an unknown external contributor. They maintain model-aware verification strategies, tuning their scanning and review processes to the specific vulnerability profiles of the LLMs their teams use. They measure code quality, not just code quantity, tracking defect density, security findings per commit, and technical debt ratios rather than lines of code or pull requests merged. They enforce separation of duties, ensuring that the developer who prompted the AI is never the sole reviewer of its output.
Critically, they recognise that the verification bottleneck is the actual constraint on velocity, not code generation speed. As SonarSource's research made clear, producing code faster does not help if the review pipeline cannot keep pace. Organisations that invest in review capacity (both human and automated) see genuine velocity gains. Those that invest only in generation tools see the illusion of velocity: more code shipped, more bugs deployed, more rework required, and a steadily growing mountain of technical debt that will eventually demand repayment.
The DORA report's central insight applies here with particular force: AI does not fix a team; it amplifies what is already there. Strong engineering cultures with robust review practices, clear ownership, and genuine accountability use AI to become more productive. Weak cultures with inadequate review, unclear responsibilities, and productivity theatre use AI to ship more defective code faster. The governance model an organisation adopts determines which trajectory it follows.
The Imperative for Institutional Action
The data points converge on an uncomfortable truth. Forty-five per cent of AI-generated code contains security vulnerabilities (Veracode). AI-authored pull requests produce 1.7 times more issues than human-written ones (CodeRabbit). Security findings from AI-generated code increased tenfold in six months at Fortune 50 enterprises (Apiiro). Every leading LLM generates severe vulnerabilities (SonarSource). Code duplication has increased 48 per cent while refactoring has collapsed (GitClear). Software delivery instability has risen even as individual productivity metrics improve (Google DORA). Repositories using GitHub Copilot leak secrets at a 6.4 per cent rate, 40 per cent higher than the 4.6 per cent rate in repositories without AI assistance.
These are not trends that self-correct. Without deliberate institutional action, the compounding dynamics described by these studies will produce exactly the debt spiral that engineering leaders fear: a codebase where the majority of code is machine-generated, where the error rate exceeds human capacity to identify and remediate, and where the cost of maintaining the system eventually eclipses the productivity gains that AI was supposed to deliver.
The organisations that navigate this transition successfully will be those that treat verification as the core capability, not an afterthought. They will invest in review infrastructure at least as aggressively as they invest in generation tools. They will build governance models that are specific, layered, and adaptive, grounded in the evidence from SonarSource, Veracode, Apiiro, GitClear, CodeRabbit, and Google DORA about where AI-generated code actually fails. They will preserve human architectural judgement for the decisions that matter most while letting AI handle the work it does well. And they will measure success not by how much code they ship, but by how much of that code actually works, securely, reliably, and sustainably, in production.
The machines can write the code. But only humans can decide whether it should be trusted. That decision, made thousands of times a day across every engineering organisation on the planet, is the verification crisis of our age. Solving it is not optional.
References and Sources
GitHub Resources. “Human Oversight in Modern Code Review.” Published 29 July 2025. Author: Jared Bauer. https://resources.github.com/enterprise/human-oversight-modern-code-review
FinalRound AI. “Vibe Coding Failures That Prove AI Can't Replace Developers Yet.” https://www.finalroundai.com/blog/vibe-coding-failures-that-prove-ai-cant-replace-developers-yet
SonarSource. “Vibe, Then Verify: How to Navigate the Risks of AI-Generated Code.” Published 3 November 2025. https://www.sonarsource.com/blog/how-to-navigate-the-risks-of-ai-generated-code/
Veracode. “2025 GenAI Code Security Report.” Published July 2025. https://www.veracode.com/resources/analyst-reports/2025-genai-code-security-report/
CodeRabbit. “State of AI vs Human Code Generation Report.” Published 17 December 2025. https://www.coderabbit.ai/whitepapers/state-of-AI-vs-human-code-generation-report
Apiiro. “4x Velocity, 10x Vulnerabilities: AI Coding Assistants Are Shipping More Risks.” Published September 2025. https://apiiro.com/blog/4x-velocity-10x-vulnerabilities-ai-coding-assistants-are-shipping-more-risks/
Google Cloud / DORA. “2025 DORA State of AI-Assisted Software Development Report.” Published December 2025. https://dora.dev/research/2025/dora-report/
GitClear. “AI Copilot Code Quality: 2025 Data Suggests 4x Growth in Code Clones.” Published February 2025. https://www.gitclear.com/ai_assistant_code_quality_2025_research
StepSecurity. “s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware.” August 2025. https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware
Snyk. “Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident.” August 2025. https://snyk.io/blog/weaponizing-ai-coding-agents-for-malware-in-the-nx-malicious-package/
The Hacker News. “Malicious Nx Packages in 's1ngularity' Attack Leaked 2,349 GitHub, Cloud, and AI Credentials.” August 2025. https://thehackernews.com/2025/08/malicious-nx-packages-in-s1ngularity.html
Cursor / Aman Sanger. Cursor co-founder statement on one billion lines of accepted code per day. Reported by OfficeChai, 2025. https://officechai.com/ai/cursor-is-writing-1-billion-lines-of-code-a-day-co-founder-aman-sanger/
Nx Blog. “S1ngularity – What Happened, How We Responded, What We Learned.” August 2025. https://nx.dev/blog/s1ngularity-postmortem
Fortune. “AI-powered coding tool wiped out a software company's database in 'catastrophic failure.'” Published July 2025. https://fortune.com/2025/07/23/ai-coding-tool-replit-wiped-database-called-it-a-catastrophic-failure/
The Register. “Vibe coding service Replit deleted production database.” Published July 2025. https://www.theregister.com/2025/07/21/replit_saastr_vibe_coding_incident/
Pivot to AI. “'Guys, I'm under attack' – AI 'vibe coding' in the wild.” Published March 2025. https://pivot-to-ai.com/2025/03/18/guys-im-under-attack-ai-vibe-coding-in-the-wild/
BusinessWire. “CodeRabbit's 'State of AI vs Human Code Generation' Report Finds That AI-Written Code Produces ~1.7x More Issues Than Human Code.” Published 17 December 2025. https://www.businesswire.com/news/home/20251217666881/en/
Wiz Blog. “s1ngularity: supply chain attack leaks secrets on GitHub.” August 2025. https://www.wiz.io/blog/s1ngularity-supply-chain-attack
Tim Green UK-based Systems Theorist & Independent Technology Writer
Tim explores the intersections of artificial intelligence, decentralised cognition, and posthuman ethics. His work, published at smarterarticles.co.uk, challenges dominant narratives of technological progress while proposing interdisciplinary frameworks for collective intelligence and digital stewardship.
His writing has been featured on Ground News and shared by independent researchers across both academic and technological communities.
ORCID: 0009-0002-0156-9795 Email: tim@smarterarticles.co.uk
