BBC Hacker Demonstrates Zero-Click Flaw in Orchids AI Coding Platform

BBC reports a significant, unfixed cyber-security risk in Orchids, a popular AI/vibe-coding platform. Security researcher Etizaz Mohsin demonstrated a zero-click flaw that could access a BBC reporter's project and potentially take control of the reporter's computer.

Key Takeaways

  • Orchids faces a credible, unfixed zero-click vulnerability that could access user projects and compromise devices.
  • Etizaz Mohsin demonstrated the flaw; Orchids did not provide comment to BBC.
  • Orchids claims 1 million users and lists Google, Uber, and Amazon as customers, signaling enterprise exposure.
  • Security experts warn about gaps in discipline, documentation, and testing practices for AI coding tools.
  • The risk could span multiple vibe-coding platforms, not just Orchids.

People Involved

  • Etizaz Mohsin: Security researcher
  • Kevin Curran: Security expert, Ulster University
  • Karolis Arbaciauskas: Security expert, NordPass

Entities Involved

  • Orchids: San Francisco-based AI/vibe-coding platform central to the story
  • Google: Enterprise user listed by Orchids
  • Uber: Enterprise user listed by Orchids
  • Amazon: Enterprise user listed by Orchids
  • NordPass: Security company cited for expert guidance
  • Ulster University: Academic institution cited for expert warnings
  • BBC: Publisher/reporting organization of the investigation

MarketMoodz Analysis

This underscores a broader risk for developers, publishers, and enterprise buyers who rely on AI-assisted coding tools. Security gaps in zero-click attack surfaces can translate into compromised repositories, misused credentials, and sensitive data exposure, potentially disrupting product cycles and increasing vendor risk premiums for tool adoption.

For investors, this fits into a longer arc of vendor risk in AI tooling, where audits, secure-by-design practices, and independent risk assessments become differentiators. Historically, heightened focus on safety and governance in AI has accelerated demand for controls and certifications, even as it complicates procurement for engineering teams.

Going forward, watch for Orchids' response and any independent security validations, potential enterprise pullbacks, and regulatory scrutiny around auto-generation platforms. The incident could catalyze more rigorous risk management standards across AI coding tools and influence which vendors win large enterprise contracts.