The Hedonist

Life is too short for boring news

VIBE CODING AMATEURS CRASH GITHUB AS 3800 REPOS LEAK

Monday, 25 May 2026

A non-technical entrepreneur in a sun-drenched cafe just 'vibe coded' a nanny-finding app in minutes, and the professional engineering world is having a nervous breakdown. This is the era of 'Vibe Coding,' where if you can describe it, AI can build it. But while the amateurs are celebrating their new startups, the actual infrastructure of the internet is springing leaks.

On May 18, the digital vaults at GitHub were picked clean. A compromised version of the Nx Console extension for VS Code was live on the official marketplace for less than 20 minutes, but that was enough. Attackers used a stolen token to exfiltrate 3,800 internal repositories from GitHub itself.

It is the ultimate supply chain nightmare. Thousands of users installed the malicious extension, version 18.95.0, enabling a silent exfiltration of source code and credentials. The attack was swift, leveraging a stolen contributor’s token to push a malicious orphan commit that looked perfectly normal to the untrained eye.

This column notes, without pretending to connect the dots, that the rise of the amateur 'vibe coder' is happening exactly as the pros lose their keys to the kingdom. While non-techies use AI to navigate grocery stores and schedule playdates, the fortress of software development is being breached by anyone with a stolen token and a few minutes of marketplace access.

The thread linking these, though stated in no filing, is the total surrender of technical skill to the machine. We are trading the security of the professional for the 'vibe' of the amateur, and GitHub just paid the first installment of the bill. It turns out that when everyone is a developer, no one is actually safe.