AI Programming: "National Carnival" vs "Mountains of Crap Crisis"

AI enables everyone to write code, but no one tells you what to do after the code is written.

On April 6, New York Times reporters Mike Isaac and Erin Griffith published a piece revealing another side of the widespread adoption of AI programming tools: code overload.

After a financial services company introduced the AI programming tool Cursor, its monthly code output jumped from 25k lines to 250k lines, a 10x increase. With it came a backlog of 1 million lines of code awaiting review. Joni Klippert, co-founder and CEO of the security startup StackHawk, said: “They simply can’t keep up with the growth in code delivery volume, along with the ensuing surge in vulnerabilities.”

This isn’t an isolated case—it’s a new reality the entire industry is facing.

“Code factory” blows up

In November last year, Anthropic and OpenAI upgraded the underlying models behind their programming tools Claude Code and Codex, respectively. According to reports, the upgrade turned AI programming agents from an “occasionally useful assistant” into a “fully automated code-generation machine”: with only a small amount of human guidance, the AI could finish programming work that previously took weeks in a fraction of the time.

A Google survey from September 2025 found that 90% of software developers already use AI to assist their work, and 71% use AI to write code.

The explosion in code output has brought a thorny question: who will review it?

Replit president and AI lead Michele Catasta was blunt about it: “Everyone in the company has turned into a programmer; that’s both a blessing and a curse.”

This year, Meta CTO Andrew Bosworth wrote in an internal memo: “Projects that once required hundreds of engineers can now be done by a few dozen people. Work that once took months can now be wrapped up in a few days.” He added that AI has a “far-reaching” impact on organizations like Meta.

Tido Carriero, head of engineering, product, and design at Cursor, put it even more directly: “Software development factories, to some extent, have already collapsed, and we’re trying to reassemble these parts.”

Security vulnerabilities: the cost being ignored

While code volume has surged, security review capabilities have not kept pace.

According to Tencent Technology, in May 2025 a Replit employee named Matt Palmer scanned 1,645 web applications built on the Vibe Coding platform Lovable and found that 170 of them (about 10.3%) had serious security vulnerabilities: anyone could read users’ databases without logging in, obtaining names, email addresses, financial information, and API keys.

Palantir engineer Daniel Asaria extracted personal debt amounts, home addresses, and sensitive prompt terms from multiple Lovable demo applications in just 47 minutes.

Escape, a security research company, then ran a larger scan of more than 5,600 Vibe Coding applications and found over 2,000 security vulnerabilities, more than 400 exposed keys, and 175 leaks of personal data, including medical records and bank account numbers. The creators of these applications largely have no security background.
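The failure mode the Lovable and Escape scans report (a users table readable by anyone, without logging in, exposing emails and API keys) reduced to a minimal handler pair. This is an added example, not code from the article, from Lovable, or from any scanned application; the table layout, sample rows, session store and function names are all constructed for illustration. The vulnerable handler never looks at the session; the hardened one rejects anonymous callers, scopes the query to the caller’s own row with a bound parameter, and never selects the secret column. The last function probes a handler the way the scanners did, by calling it with no session and recording what comes back.

```python
# Added example, not code from the article, Lovable or any scanned app.
# Table layout, rows, tokens and function names are constructed.
import secrets
import sqlite3

COLUMNS = ("id", "name", "email", "api_key")
SENSITIVE = {"email", "api_key"}


def build_db():
    """Constructed in-memory users table with the kinds of fields the scans found exposed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, api_key TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.com", "sk_live_constructed_alice"),
            (2, "bob", "bob@example.com", "sk_live_constructed_bob"),
        ],
    )
    return db


# Session store: bearer token -> user id. Constructed stand-in for a server-side session backend.
SESSIONS = {}


def login(user_id):
    """Issue a random session token for a user (constructed login, no password check)."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token


def vulnerable_list_users(db, session_token=None):
    """Vulnerable: the session is never checked and every row, secret column
    included, is returned. An anonymous caller sees exactly what a logged-in
    one does, which is the condition the scans flagged."""
    rows = db.execute("SELECT id, name, email, api_key FROM users").fetchall()
    return [dict(zip(COLUMNS, row)) for row in rows]


def hardened_get_profile(db, session_token):
    """Hardened: require a valid session, scope the query to the caller's own
    id with a bound parameter, and never select the secret column."""
    user_id = SESSIONS.get(session_token) if session_token else None
    if user_id is None:
        raise PermissionError("authentication required")
    row = db.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row is None:
        raise PermissionError("session refers to no such user")
    return dict(zip(COLUMNS[:3], row))


def anonymous_exposure(db, handler):
    """Probe a handler the way the scans did: call it with no session and
    report which sensitive fields come back (empty set when access is denied)."""
    try:
        records = handler(db, None)
    except PermissionError:
        return set()
    if isinstance(records, dict):
        records = [records]
    return {key for record in records for key in record if key in SENSITIVE}


if __name__ == "__main__":
    db = build_db()
    print("anonymous probe, vulnerable handler:", anonymous_exposure(db, vulnerable_list_users))
    print("anonymous probe, hardened handler:", anonymous_exposure(db, hardened_get_profile))
    print("alice, hardened handler:", hardened_get_profile(db, login(1)))
```

Run as a script, the first probe reports that an anonymous caller gets both email and api_key; the second reports nothing; the third returns only alice’s own id, name and email. The point of the bound `WHERE id = ?` is that a valid session for bob cannot be turned into a read of alice’s row, which is the second common defect in these apps once the missing login check is fixed.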

Joe Sullivan, an advisor at Silicon Valley venture capital firm Costanoa Ventures, said: “Even if you add up the world’s application security engineers, it still doesn’t meet the needs of U.S. enterprises.” He said that in the large companies he has encountered—if they can hire people—each one would be willing to add another 5 to 10 people to these roles.

Sullivan also pointed to a less visible risk: AI programming tools run better on local laptops, which is leading more and more engineers to download the entire company codebase to their personal machines. “This is a crazy risk no one thought about six months ago—now they’re trying to figure out how to deal with it.”

Open-source community: the “DDoS attack” of junk PRs

The impact of AI-generated code is especially evident in the open-source community.

According to Tencent Technology, cURL founder Daniel Stenberg shut down a six-year-old bug bounty program in January 2026. The reason wasn’t the budget; it was that AI-generated fake vulnerability reports had drowned the maintenance team. In the three weeks before the shutdown, cURL received 20 submissions, none of which was confirmed to be a real vulnerability. Stenberg revealed at FOSDEM 2026 that before 2025, about one in six of cURL’s security reports was valid; by the end of 2025, that ratio had dropped to one in twenty or even one in thirty. He called the phenomenon a “DDoS attack on open source.”

Steve Ruiz, founder of the digital whiteboard startup tldraw, told The New York Times that starting last autumn he began noticing a large number of anomalous contributors: some would walk away suddenly at the very last step after completing all the work, others would ignore clear instructions, and others would batch-submit junk updates. He judged they were most likely AI bots, and shut down the external contribution channel this January. “The risk to the codebase is very high,” he said, “and this shock could put teams, communities, and the project’s reputation in danger.”

Ghostty creator Mitchell Hashimoto also banned all unreviewed AI-generated code contributions in early 2026 and rolled out a trust-based Vouch system.

Xavier Portilla Edo, head of Voiceflow infrastructure, offered a quantitative assessment: “In AI-generated PRs, only one out of ten is reasonable; the other nine waste maintainers’ time.”

In February 2026, GitHub introduced two new settings that allow a repository to completely disable Pull Requests, or limit them to only collaborators.

When the platform itself starts offering a “shutoff valve,” it shows the problem has become structural. A senior AI engineer at a major company summarized it to Tencent Technology: “When developers submit Vibe junk PRs, they’re screwing over open-source maintainers; when security people submit Vibe junk vulnerabilities, they’re screwing over vulnerability reviewers. They don’t fully respect anyone else’s time.”

Illusion of efficiency: it feels faster, but it’s actually slower

Do AI programming tools really improve efficiency? The data gives an unexpectedly different answer.

According to Tencent Technology, in a 2025 randomized controlled trial published by METR (the Model Evaluation and Threat Research organization), 16 experienced open-source developers completed 246 real tasks in large repositories they knew well, with each task randomly assigned to allow or disallow AI tools. Result: the developers took 19% longer to complete tasks when using AI tools.

More concerning is the perception gap: before the experiment, these developers expected AI would make them 24% faster, and even after the experiment they still believed it had made them 20% faster.

Meanwhile, the 2025 Stack Overflow developer survey showed that developers’ trust in AI accuracy dropped from 40% the previous year to 29%, and 46% of developers explicitly said they don’t trust the accuracy of AI tools.

The surge in app submissions shows the scale of the output this “efficiency illusion” is producing. According to Tencent Technology, citing Sensor Tower data, the number of iOS apps published in the U.S. in December 2025 grew 56% year over year, and in January 2026 it grew 54.8% year over year, the fastest growth rates in four years. Appfigures data shows that 557k new apps were submitted to the App Store in 2025, up 24% from 2024 and the largest wave of new additions since 2016.

Apple, for its part, has removed the Vibe Coding app Anything from the App Store (the app had raised $11 million at a $100 million valuation) and froze updates for comparable tools such as Replit and Vibecode for months.

Solving AI-generated problems with AI

In the face of code overload, the answer tech companies are giving still amounts to more AI.

Both Anthropic and OpenAI have launched AI-driven code review tools to catch errors automatically. In December last year, Cursor acquired the code-review bot startup Graphite and integrated its technology into its product to help engineers prioritize the most sensitive code for review.

But whether this path can work remains unclear.

According to Tencent Technology, in January 2026 Tailwind CSS creator Adam Wathan disclosed that although Tailwind reaches 75 million downloads a month, documentation traffic has fallen by about 40% since early 2023 and revenue has dropped by nearly 80%. “Documentation is the only channel people use to discover our commercial products. Without customers, we can’t sustain the development of the framework.”

RedMonk analyst Kate Holterhoff named this phenomenon “AI Slopageddon” (the AI junk apocalypse). And as Tencent Technology put it: the “mountain of crap” crisis of AI code is only just beginning.
