AI Slop and the Vulnerability Treadmill (redmonk.com)

Recent months have seen a surge in software vulnerabilities attributed to AI advancements, creating significant challenges for security teams. Key incidents include React’s critical CVE disclosure, multiple compromises of Aqua Security’s Trivy, and a backdoored Axios npm package, all highlighting how AI-generated code is introducing flaws faster than traditional security measures can manage them. Researchers have noted a striking increase in CVEs linked to AI coding tools, with more vulnerabilities identified in March 2026 than in all of 2025. This trend is attributed to attackers using AI for sophisticated social engineering, complicating the already strained relationship between open source maintainers and the quality of contributions. The implications for the AI/ML community are profound, as the influx of AI-generated vulnerability reports overwhelms bug bounty programs, hampering the ability of security teams to assess genuine threats. The cost to generate fictitious reports has plummeted, while the cost to verify them remains high, resulting in a resource drain for organizations. Furthermore, major tech players are responding with innovative solutions, like Anthropic’s Project Glasswing, which aims to bolster vulnerability detection in the open-source community. This crisis underscores a crucial need to revisit incentive structures within the ecosystem to foster genuine contributions and enhance security in the face of rapidly evolving AI technologies.