Orchids Exposes Zero-Click Vulnerability On Desktops

A BBC journalist and researcher Etizaz Mohsin demonstrated in December 2025 that Orchids, a "vibe-coding" AI platform with around one million users, has a desktop-app vulnerability allowing remote, zero-click access to projects and host machines. The exploit allowed viewing and modifying code and altering files without user action; the company did not respond before publication. The finding raises security concerns about AI agents' broad system permissions.