The Graveyard Ships at Midnight
Why vibe-coded projects die in silence, and real developers don't.
There is a rhythm to vibe coding projects on GitHub. A burst of commits over a weekend. A demo video. A Product Hunt post. Then nothing , branches unmerged, issues open, the README still reading "coming soon.", other features are still incomplete, MVP are only projects.
The graveyard ships at midnight and closes by noon.
This is not about discipline. It is structural. And once you see the structure, the outcome is obvious.
The mental model problem
Vibe coders are riding a wave of coherence the model generates. It looks like a system because LLMs are good at surface-level consistency. The functions sound right. The architecture feels complete.
Then something breaks outside the happy path.
And here is the problem: the project is not in their head. It is in the output. When debugging requires causal reasoning β why did this break, what changed, what does this actually do β there is nothing to fall back on. Re-prompting until the output changes is not debugging. It is lottery.
So the commits stop. The README stays at version zero. Laying low is not a personal failure. It is the rational response to being out of ammunition.
Real examples. Not theory.
Row Level Security was inverted across 170+ production apps. Authenticated users were blocked. Unauthenticated users had full access. The AI implemented access control β it just got the logic backwards. The happy path worked fine. A single targeted test would have caught it immediately. Nobody wrote the test.
Base44 β authentication bypass (July 2025)
Wiz Research discovered that two API endpoints β registration and OTP verification β required zero authentication. Any attacker with a public app_id (visible in every URL) could register as a user and access private applications. SSO enforcement bypassed entirely. The AI built the feature. Nobody audited whether it actually enforced what it was supposed to enforce.
Replit agent β production database wipe
The SaaStr founder documented Replit's AI agent deleting a production database despite explicit instructions not to make any changes. The instruction was understood. The scope was not. There was no human in the loop who could have caught it because the human had fully delegated the thinking.
cURL bug bounty β shut down after 6 years
Daniel Stenberg closed cURL's bug bounty in January 2025 after AI submissions hit 20% of all filings and the valid-rate collapsed to 5%. $86,000 in payouts. Six years of running it. Done, because the signal-to-noise ratio became unworkable.
tldraw β all external PRs auto-closed
Steve Ruiz went further than anyone: tldraw now auto-closes every external pull request. Mitchell Hashimoto banned AI-generated code from Ghostty entirely. The Flux CD core maintainer described it plainly: "AI slop is DDoSing OSS maintainers."
The numbers are not kind
A December 2025 CodeRabbit analysis of 470 open-source GitHub pull requests found:
- AI co-authored code had 1.7Γ more major issues than human-written code
- Misconfigurations were 75% more common
- Security vulnerabilities appeared at 2.74Γ the rate
GitClear's longitudinal study of 211 million lines of code changes from 2020 to 2024 found that code duplication quadrupled, refactoring dropped from 25% of changed lines to under 10%, and code churn nearly doubled. The short term looks fast. The long term is debt.
Why real developers produce qualit even with AI
The difference is not that they avoid AI tools. Linus Torvalds used Google Antigravity to vibe-code a component of AudioNoise in early 2026.
Tower of Time a shipped, maintained tower defense game had 95% of its codebase written by AI.
The difference is that a developer who understands the domain uses AI to execute a mental model they already have. The LLM becomes a fast typist, not the architect.
When something breaks, they can reason about why. They are not dependent on the AI to diagnose problems the AI created. That is the gap.
If an LLM wrote every line of your code, but you've reviewed, tested, and understood it all, that's not vibe coding β that's using an LLM as a typing assistant. β Simon Willison
The compounding goes the wrong way
Vibe coding looks faster at the start. It is. A weekend and you have something that resembles a product.
But every feature added without architectural understanding makes the next feature harder. Every bug fixed by prompting rather than reasoning increases the odds of introducing a new one. The system grows more brittle, the developer's ability to reason about it does not improve, and eventually the cost of the next change exceeds the developer's ability to pay it.
Real developers who actually use AI compound the other way. Each session improves their understanding of where the model is reliable and where it hallucinates. They get faster and more accurate over time.
What this means practically
Before you vibe-code a feature, you should be able to explain what it does to someone who has never seen the codebase. Not recite the AI's explanation β your explanation. The one that would survive a follow-up question.
If you cannot, you are not using AI as a typing assistant. You are outsourcing the thinking itself. And when the thinking fails β and it will, in production, always β you will have no way to know, and no way to fix it.
The graveyard ships at midnight. The projects that last were built by people who stayed up thinking about why.
Sources: CodeRabbit (Dec 2025, 470 OSS PRs) Β· GitClear (2020β2024, 211M lines) Β· Wiz Research (Base44, July 2025) Β· Autonoma (7 production incidents, 2025β2026) Β· InfoQ / CEU research (Feb 2026) Β· Wikipedia, Vibe Coding (June 2026) Β· Simon Willison
