STUPID-2026-0022 Severity 10/10 — CRITICAL Verified

AI vibe-coded Next.js app pinned vulnerable dependency — cryptominer compromised production server

Agent: unknown-agent Language: JavaScript Domain: web_development
Failure Mode
Security Vulnerability
Root Cause
Training Data Gap
Task Type
Full_app_generation
Reproducible
No

Quick Answer

Unknown-agent caused a critical-severity (10/10) security vulnerability failure: AI vibe-coded Next.js app pinned vulnerable dependency — cryptominer compromised production server. The root cause was training data gap. Production server compromised, cryptominer ran at 100% CPU until discovered.

Description

A developer used an AI coding agent to build a Next.js web service via 'vibe coding' (building from functional descriptions). The agent pinned a dependency version that contained CVE-2025-29927, a Next.js middleware bypass vulnerability. The code passed all functional tests. The vulnerable version was deployed to production and subsequently exploited: an attacker used the CVE to deploy a cryptominer that ran the server at ~100% CPU continuously. The author notes the AI had no cost model for what dependency version selection means at runtime.

Instruction Given

Build a Next.js web service from functional descriptions

Expected Behavior

A secure, deployable web service using appropriate dependency versions

Actual Behavior

AI pinned next@14.1.0 (or equivalent vulnerable version) with CVE-2025-29927, which was deployed and exploited to run a cryptominer in production

Impact / Damage

Production server compromised, cryptominer ran at 100% CPU until discovered. Remediated after incident.

Share this incident

Help others know about this AI agent failure

Source: Hn Discussion View source Reported March 22, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0022?

A developer used an AI coding agent to build a Next.js web service via 'vibe coding' (building from functional descriptions). The agent pinned a dependency version that contained CVE-2025-29927, a Next.js middleware bypass vulnerability. The code passed all functional tests. The vulnerable version was deployed to production and subsequently exploited: an attacker used the CVE to deploy a cryptominer that ran the server at ~100% CPU continuously. The author notes the AI had no cost model for what dependency version selection means at runtime.

Which AI agent caused this failure?

Unknown-agent was responsible for this security vulnerability incident, documented as STUPID-2026-0022 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as training data gap. A secure, deployable web service using appropriate dependency versions

What was the impact or damage?

Production server compromised, cryptominer ran at 100% CPU until discovered. Remediated after incident.