Researcher hacked BBC reporter's computer via zero-click flaw in Orchids vibe coding platform
Security researcher Etizaz Mohsin demonstrated a zero-click vulnerability in Orchids, a vibe coding platform with around one million users, that allowed him to gain full access to a BBC reporter's computer by targeting the reporter's project on the platform. Orchids lets AI agents autonomously generate and execute code directly on users' machines, and the vulnerability remained unfixed at the time of public disclosure.
Incident Details
Perpetrator: Developer
Severity: Facepalm
Blast Radius: Approximately one million Orchids users potentially exposed; vulnerability unfixed at time of reporting
Tech Stack
Orchids, AI coding agent