The AI code debate just got data.
In a new whitepaper, CodeRabbit quietly analyzed hundreds of open-source PRs and found AI-assisted code ships with measurably more security defects across a range of categories.
This week also saw a massive WhatsApp API attack (the lotusbail npm) that continues to remind us that developer trust remains the most exploitable vulnerability.
Finally, there was some end of year deal-making, totalling $11B with some massive acquisitions (most notably Windsurf being acquired by OpenAI and ServiceNow buying Armis for over $7 billion).
CodeRabbit's State of AI vs Human Code Generation Report analyzed 470 pull requests across open-source GitHub repositories: 320 AI-co-authored and 150 human-only. The data is stark:
Overall Quality - 10.83 issues per PR versus 6.45 for human-only (1.7× more) - Critical issues: 1.4× more (341 vs 240 per 100 PRs) - Major issues: 1.7× more (447 vs 257)
Security - XSS vulnerabilities: 2.74× more - Insecure object references: 1.91× more - Improper password handling: 1.88× more
Logic & Correctness (biggest gap) - Incorrect concurrency control: 2.29× more - Null-pointer risks: 2.27× more - Algorithm/business logic errors: 2.25× more
Code Quality - Readability issues: 3.15× more (98 vs 31 per 100 PRs) - Excessive I/O operations: 7.9× more - Formatting problems: 2.66× more
It's more critical than ever to use AI on the security side to keep up.
The lotusbail npm package accumulated 56,000+ downloads by delivering functional WhatsApp API capabilities. It also exfiltrated authentication credentials, session tokens, and message data to attacker infrastructure.
Literally the package worked exactly as documented while stealing everything.
This wasn't a typosquatting attack or abandoned package hijack. Developers installed lotusbail because it provided useful functionality. Traditional SCA tools scanning for known vulnerable dependencies would have cleared it. The malicious code wasn't a vulnerability; it was intentional functionality hidden alongside legitimate features.
The same week, WebRAT malware spread via fake GitHub exploit repositories targeting security researchers.
Attackers understand the trust patterns in developer and security communities well enough to weaponize them.
Three acquisitions this week totaled over $11 billion. ServiceNow acquired Armis for $7.75B at 11.5× revenue to expand security and risk capabilities. OpenAI acquired Windsurf (Codeium) for $3B to strengthen AI coding assistant infrastructure. Checkmarx purchased Tromzo to "help find and fix code problems faster."
The ServiceNow-Armis deal focuses on asset visibility rather than AppSec specifically, but the pattern across all three strategic buyers is that they believe security automation capabilities justify premium valuations.
When platform vendors pay double-digit revenue multiples, they're betting on where the category is headed.
This week: 11 disclosed | 3 actively exploited | 2 zero-days
Cisco Secure Email Zero-Day - Cisco Secure Email Appliances Status: Zero-day, Actively exploited Email security appliances rooted and backdoored via unpatched zero-day Source
HPE OneView RCE - HPE OneView Status: Patch available Remote code execution vulnerability in enterprise management platform Source
CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 - Microsoft Windows (Patch Tuesday) Status: Actively exploited Part of 157 CVEs addressed in Patch Tuesday, three actively exploited Source
CVE-2025-59374 - ASUS Live Update Status: Added to CISA KEV CISA warning issued despite lower urgency assessment Source
Supply Chain Attack via TypeScript Packages - Multiple platforms (X/Twitter, Vercel, Cursor, Discord) Status: Disclosed Hundreds of companies affected through supply-chain vector Source
SAP CAR Archive Parsing Flaws - SAPCAR Status: PoC available Four local privilege escalation bugs in SAR archive parsing Source
List-Unsubscribe SSRF/XSS - Email handling implementations Status: Disclosed Email header converted into SSRF/XSS gadget Source
lotusbail npm Malware - npm ecosystem Status: Package removed 56,000+ downloads before discovery Source
WebRAT via Fake GitHub Exploits - GitHub repositories Status: Active campaign Targeting security researchers via fake PoC repos Source
WAF Bypass Research - Multiple WAF vendors Status: Research disclosed More than half of public vulnerabilities bypass leading WAFs Source
Session Token Theft Techniques - MFA implementations Status: Educational Session tokens give attackers shortcut around MFA Source
• Can Chatbots Craft Correct Code? - Deep technical analysis of AI code generation quality from security research firm, adds methodology depth beyond CodeRabbit data.
• How We Pwned X (Twitter), Vercel, Cursor, Discord Through Supply-Chain Attack - Technical breakdown of supply chain attack affecting major platforms, demonstrates scale of package ecosystem risk beyond npm lotusbail.
• Rest In Peace IBM X-Force Vulnerability Database - Industry infrastructure shutdown with implications for vulnerability intelligence workflows.
• Docker Makes 1,000 Hardened Images Free and Open Source - Infrastructure security improvement available immediately, practical impact for container security.
• More Than Half of Public Vulnerabilities Bypass Leading WAFs - Research quantifying WAF effectiveness gap, relevant to defense-in-depth strategy discussions.
• Checkmarx Acquisition of Tromzo Accelerates Plan to Apply AI to Application Security - Detailed coverage of Checkmarx-Tromzo deal beyond brief mention in M&A section, includes integration strategy.