Transcribing Isn't Building
A writer keeps finding vibe-coded apps that leak user data — without even looking for them. The builders aren't careless. They don't know the question exists.
An XDA Developers writer published something this week that should bother anyone shipping software: he keeps finding vibe-coded apps that leak user data, and he isn't even looking for them. They surface on their own, one after another, each built by someone who never bypassed a security measure — because they never knew the security question existed in the first place.
That distinction is the whole story. This is not negligence in the traditional sense. When you generate working software without understanding what it does, you aren't building; you're transcribing. And transcribed code carries every assumption and failure mode of whatever the model learned from, with none of the contextual judgment an engineer would apply. The gap is comprehension, not generation, which is why better models alone won't close it.
The mature counterexample this week came from Cloudflare. Their CI-native AI code reviewer does the tedious first pass — catching bugs, surfacing context, keeping merge queues moving — while engineers keep the judgment calls and the accountability. That design choice is the point. It captures the real productivity gain without hollowing out the layer that makes a codebase maintainable: people who understand what shipped and why.
My practical suggestion, if your team is adopting these tools: treat AI-generated code the way you treat a third-party dependency. You wouldn't vendor a random library into production without reading what it touches; the same standard applies to code you prompted into existence. Review gates and clear ownership aren't friction to be optimized away — they're the loan terms. Shipping fast without them is borrowing, and the vibe-coded data leaks we're reading about now are early repayments by people who didn't read the terms.
Elsewhere in a busy week: SpaceX secured an option to buy Cursor for sixty billion dollars, with a ten-billion-dollar fee if it walks away — the editor many of us live in is now a strategic asset, which is worth being clear-eyed about even if nothing changes tomorrow. Microsoft's C# Dev Kit team published a genuinely enjoyable deep-dive on replacing C++ Node.js addons with pure C# via Native AOT, and Ubuntu 26.04 now ships .NET 10 in its default archive — .NET keeps quietly becoming a first-class Linux runtime. And an experimental Rust-based compiler called Perry wants to compile TypeScript straight to native executables. Early days, but somebody is betting on TypeScript as a systems language, and I'll be watching.
The week's real lesson sits in the contrast, though. The tools are getting faster at producing code than we are getting at understanding it. Whatever your setup, make sure understanding is still somebody's job.
Sources
- SpaceX strikes $60 billion deal for the right to buy coding startup Cursor(Business Insider)
- 10 GitHub Repositories To Master Claude Code(KDnuggets)
- AWS accelerates AI agent development in Amazon Bedrock AgentCore(SiliconANGLE News)
- Orchestrating AI Code Review at scale(Cloudflare Blog)
- I keep finding vibe coded apps that leak user data, and I'm not even looking for it(XDA Developers)
- Writing Node.js addons with .NET Native AOT(Microsoft .NET Blog)
- What's new for .NET in Ubuntu 26.04(Microsoft .NET Blog)
- React Navigation 8.0 Alpha with Native Bottom Tabs, Reworked TypeScript Inference and History(InfoQ)
- Introducing TypeScript Transformer 3(Ruben Van Assche)
- GitHub - PerryTS/perry: A native TypeScript compiler written in Rust(GitHub)
- Presentation: Event-Driven Patterns for Cloud-Native Banking - What Works, What Hurts?(InfoQ)
- pycode-kg added to PyPI(PyPI)