The Shadow Twin Threats: When AI and Vibe Coding Go Rogue in Your Network

Read Time: 15 minutes

TL;DR

Your IT department doesn’t know it yet, but someone in marketing just spun up an Ollama server to run a local LLM. Finance is building a custom payroll app with Cursor. And that NVIDIA DGX Spark “AI factory” the research team requisitioned? It’s been exposed to the internet for three weeks with no authentication.

Welcome to 2026, where two invisible threats are converging in corporate networks: Shadow AI and Shadow Vibe Coding. Separately, each one is dangerous. Together, they’re a compliance nightmare waiting to happen.

NVIDIA calls it “the largest infrastructure buildout in history” — a race to deploy AI compute at unprecedented scale. But while hyperscalers invest billions in securing their AI factories, departments inside your company are building their own mini-factories in the shadows. No oversight. No authentication. No idea what they’ve exposed.

Shadow AI: The Infrastructure You Don’t Know Exists

Shadow AI is exactly what it sounds like: AI software and hardware deployed in your corporate network without IT or security oversight. It’s the cousin of “Shadow IT,” but with higher stakes.

The Software Problem

LM Studio and Ollama on every desk. A department wants to avoid OpenAI rate limits, so they install LM Studio or Ollama and download Llama 3.3 70B. Now they’re running a 43GB language model on a MacBook Pro, processing customer emails, internal docs, and proprietary code—all outside your data loss prevention (DLP) controls.

You have no logs. No audit trail. No way to know what data just got fed into an unconstrained language model that might be writing everything to disk.

Ollama is particularly dangerous. With over 163,000 GitHub stars and hundreds of thousands of Docker pulls monthly, it’s become the go-to tool for self-hosting AI models. But here’s the problem: Ollama has no authentication by default. When deployed in Docker (the most common enterprise deployment), it binds to 0.0.0.0 and listens on all network interfaces—making it accessible to anyone on the network or, if misconfigured, the entire internet.

As of February 2026, security researchers have found over 10,000 Ollama instances exposed to the internet, and 1 in 4 of them is running a vulnerable version. These servers are hosting private AI models not listed in public registries—intellectual property sitting on the open internet with no authentication.

Known Ollama vulnerabilities include:

• CVE-2024-37032 (Probllama): Remote Code Execution via path traversal (patched in v0.1.34)
• CVE-2024-39721: Denial of Service via infinite loops (single HTTP request can DOS the server)
• CVE-2024-39722: File existence disclosure via path traversal
• CVE-2024-39720: Application crash leading to segmentation fault
• Model theft: Any client can push models to untrusted servers (no authorization)
• Model poisoning: Servers can be forced to pull malicious models from attacker-controlled sources

One vulnerability allows an attacker to steal every model stored on the server with a single HTTP request. Another enables model poisoning by forcing the server to download compromised models. And because Ollama runs with root privileges in Docker deployments, full system compromise is trivial.

Personal accounts bypassing enterprise controls. According to recent research, over 25% of employed adults use AI tools at least a few times a week (Gallup, 2026), and over one-third of AI users are using free personal accounts of tools that their company officially licenses. That ChatGPT conversation where someone pasted the Q1 financial projections? It’s training OpenAI’s models right now because the employee used their @gmail account instead of the enterprise SSO.

The Hardware Problem: The Rise of Shadow “AI Factories”

NVIDIA DGX boxes, Olares One systems, and GPU clusters. High-performance AI hardware is getting cheaper and easier to deploy—and enterprises are racing to build what NVIDIA CEO Jensen Huang calls “AI Factories”: massive GPU-powered data centers designed to churn out AI inference at scale.

In January 2026, NVIDIA invested $2 billion in CoreWeave to build 5 gigawatts of AI factory capacity by 2030. Alphabet is spending $175-185 billion on AI compute infrastructure in 2026 alone. Dassault Systèmes is deploying “AI factories” on three continents using NVIDIA’s Rubin platform. This is, according to Huang, “the largest infrastructure buildout in history.”

But here’s the problem: this isn’t just happening at hyperscalers. Mid-sized companies and individual departments are building their own mini “AI factories” without central oversight:

• A research team orders an NVIDIA DGX Spark ($4K) or an Olares One inference appliance and plugs it into the network
• IT never approved it. Security never scanned it.
• Someone misconfigures the network interface, and it’s now exposed directly to the internet with default credentials
• The system is running Ollama or LM Studio with no authentication, listening on 0.0.0.0
• Anyone on the internet can now access your AI models, steal intellectual property, or execute arbitrary code

The exposure is real:

• 10,000+ Ollama instances exposed to the internet (FOFA search, Feb 2026)
• 21,000+ OpenClaw instances publicly exposed (Censys scan, Jan 2026)
• 1 in 4 internet-facing Ollama servers running vulnerable versions

These aren’t honeypots. These are production AI servers hosting private models that don’t exist in public registries—corporate intellectual property sitting on the open internet.

According to industry scans, if AI infrastructure can leak that badly in the open-source community, imagine what’s happening in corporate networks with procurement processes that don’t include security reviews. The “AI factory” buildout is happening with or without IT approval—and that’s Shadow AI at enterprise scale.

Attack tree visualization: How Shadow AI infrastructure gets compromised — from exposed ports and missing authentication to model theft and remote code execution.

The Real Cost

Organizations with high Shadow AI usage experience breach costs averaging $4.63 million—that’s $670,000 more per incident than companies with low or no shadow AI.

Why? Because when you can’t see it, you can’t protect it.

Shadow Vibe Coding: The Apps You Didn’t Approve

Now take that invisible AI infrastructure and let people build production applications with it. That’s Shadow Vibe Coding.

What Is Vibe Coding?

“Vibe coding” is Andrej Karpathy‘s term for using AI to generate entire applications through natural language prompts instead of writing code line-by-line. Tools like Cursor, Windsurf, v0, Bolt, and Lovable let non-developers (or lazy developers) say, “Build me an HR dashboard that pulls from our employee database,” and get a working Next.js app in 20 minutes.

It’s fast. It’s powerful. And it’s shockingly insecure when deployed without oversight.

The HR App That Wasn’t Reviewed

Here’s the scenario: A department needs a custom HR tool. Instead of buying a commercial product with SOC 2 certification, compliance documentation, and actual security controls, they open Cursor and say:

“Build an employee management system with payroll calculation, PII storage, and performance reviews.”

Thirty minutes later, they have a working app. It looks polished. It connects to the company database. They deploy it to a cloud server and share the link with the team.

What they don’t know:

• All authentication logic is client-side. A user can open the browser console, change a variable, and become an admin.
• API keys are hardcoded in the JavaScript bundle visible to anyone.
• The database has no access controls. Any authenticated user can query the entire employee table.
• PII is stored in plaintext with no encryption at rest.
• The app has no audit logging, so there’s no way to detect or investigate unauthorized access.

Every single one of these flaws is real. They appeared in a documented case called Enrichlead, where a startup used Cursor to build their entire product. Within 72 hours, users discovered they could bypass payment, access all premium features for free, and extract the entire customer database. The project shut down.

The Financial App That Violates GDPR

Same pattern, but now it’s Finance building a custom invoicing system. The AI-generated code:

• Stores customer payment data without PCI-DSS compliance
• Lacks data residency controls (GDPR violation if you’re in the EU)
• Has no data retention policy (regulatory violation in most jurisdictions)
• Exposes customer PII through poorly sanitized API responses

The app works. It saves the company money compared to a commercial invoicing platform. And it’s a compliance time bomb.

Attack tree visualization: How vibe-coded applications get exploited — from client-side auth bypasses and hardcoded secrets to compliance violations and full data exposure.

The Convergence: When Both Happen at Once

Here’s where it gets worse. Shadow AI + Shadow Vibe Coding = Amplified Risk.

Imagine this:

1. Marketing deploys Ollama on a local GPU server (Shadow AI hardware).
2. They use Cursor with a local coding model to build a lead management app (Shadow Vibe Coding).
3. The app is connected to the CRM database and processes customer PII.
4. The Ollama server is exposed on the network with no authentication (default configuration).
5. The local LLM is logging every prompt to disk, including the database schema, customer data, and business logic.
6. The generated app has SQL injection vulnerabilities because the AI hallucinated the database query logic.
7. An attacker discovers the exposed Ollama instance and exploits CVE-2024-37032 to achieve remote code execution.
8. The attacker uses the model theft vulnerability to exfiltrate all private AI models, then pivots to the CRM database through the vibe-coded app’s SQL injection flaw.

Now you have:

• Unauthorized AI infrastructure processing regulated data
• Unvetted custom software in production with critical vulnerabilities
• No visibility into what data is being accessed or exfiltrated
• No compliance documentation for auditors
• No incident response plan when the breach happens

And your security team has no idea any of this exists.

Attack tree visualization: The full multi-phase convergence attack — from discovering exposed Ollama instances to exploiting vibe-coded apps, ending in IP theft, regulatory fines, and complete incident response blindness.

The Stats That Should Terrify You

Let’s zoom out and look at the landscape:

Shadow AI Exposure:

• 10,000+ Ollama instances exposed to the internet (FOFA scan, Feb 2026)
• 21,000+ OpenClaw instances publicly exposed (Censys scan, Jan 2026)
• 1 in 4 internet-facing Ollama servers running vulnerable versions
• Over 1,000 exposed Ollama instances hosting private AI models not in public registries (Wiz Research)
• 163,000 GitHub stars for Ollama — adoption is accelerating faster than security

Organizational Impact:

• 80% of organizations have encountered risky AI agent behaviors, including improper data exposure (McKinsey, 2026)
• 40% of enterprises will experience security incidents linked to unauthorized Shadow AI by 2030 (Gartner prediction)
• $4.63M average breach cost for organizations with high Shadow AI usage (+$670K vs low usage)

Vibe Coding Security Crisis:

• 45% of AI-generated code contains security flaws, with no improvement in newer models (Veracode, 2025)
• 69 vulnerabilities found across 15 vibe-coded test applications, several rated “critical” (Tenzai, Dec 2025)
• 25-30% of new code at major tech firms is now AI-generated, and growing rapidly (Microsoft, Google, 2026)

Infrastructure Buildout:

• $175-185 billion — Alphabet’s 2026 AI infrastructure spend (double 2025)
• $2 billion — NVIDIA’s investment in CoreWeave to build 5 gigawatts of “AI factories” by 2030
• “Largest infrastructure buildout in history” — Jensen Huang, NVIDIA CEO (Jan 2026)

And the kicker: Simon Willison (co-creator of Django) predicts we’re headed for a “Challenger disaster” moment with AI-generated code—a catastrophic failure in production caused by unreviewed AI output that nobody understood.

What’s Actually at Risk?

1. Data Exposure

Every prompt sent to an unapproved AI model is data leaving your perimeter. Customer names, financial projections, proprietary code, trade secrets—all processed and potentially stored on third-party servers you don’t control.

Personal AI accounts make it worse. When employees use their ChatGPT personal account for work, you lose:

• Visibility into what data was shared
• Audit trails for compliance
• Ability to enforce data handling policies
• Protection from model training on your data

2. Compliance Violations

Shadow AI and Shadow Vibe Coding create evidence gaps that surface during audits:

• PCI-DSS Requirement 10: Logging of access to cardholder data environments
• HIPAA 45 CFR §164.312(b): Audit controls for PHI access
• GDPR Article 28: Documented data processing agreements
• SOC 2 CC7.2: Monitoring for anomalies

When an auditor asks, “How do you govern AI tool usage? What data do employees send to AI models? How do you monitor vibe-coded applications?”—most organizations have nothing to show.

That’s an automatic finding.

3. Security Vulnerabilities at Scale

AI-generated code introduces specific vulnerability patterns:

• Business logic flaws: AI lacks intuitive understanding of workflows and permissions
• Hardcoded secrets: API keys and credentials embedded in generated code
• Authentication bypasses: AI “hallucinates” security checks out of existence
• Weak cryptography: Outdated hashing (MD5 instead of Argon2), broken RNG
• SQL injection, XSS, buffer overflows: Classic CWEs at massive scale

Top AI-generated vulnerabilities (CWE analysis):

• CWE-787: Buffer overflow
• CWE-89: SQL injection
• CWE-79: Cross-site scripting

These aren’t theoretical. They’re showing up in production right now.

4. Intellectual Property Contamination

When employees paste proprietary source code into unapproved AI tools, that code may be incorporated into the model’s training data—potentially accessible to competitors through carefully crafted prompts.

Worse, vibe-coded applications may generate output that infringes on third-party IP, and your company is legally liable even if an AI wrote it.

5. Regulatory Fines

Unauthorized AI usage can trigger violations of:

• GDPR (fines up to 4% of global revenue)
• CCPA (fines up to $7,988 per intentional violation)
• HIPAA (fines up to $1.5M per violation category per year)

A single Shadow AI incident involving EU customer data could cost millions.

The “Build vs. Buy” Trap

Companies are choosing to build custom apps with AI instead of buying SaaS products. The financial logic seems sound:

• SaaS CRM: $150-$300/user/month, most features unused
• Custom vibe-coded CRM: Built in hours, tailored exactly to your workflow

But the hidden costs tell a different story:

SaaS Subscription	Custom Vibe-Coded App
Predictable per-user cost	Development + hosting + maintenance
Provider handles security	You own all security risk
Automatic updates	You build and test updates
Compliance included (SOC 2, etc.)	You must achieve independently
Built-in scaling	You must architect for scale
Professional support	You provide it internally

Reality check: A business saves $3,000/month by replacing a SaaS platform with a vibe-coded app. Six months later, a security flaw leads to a breach. According to IBM’s 2025 Cost of a Data Breach Report, small businesses pay $120,000 to $1.24 million to respond to a security incident.

Those monthly savings just evaporated.

Real-World Failures You Can Learn From

Enrichlead (2025)

Startup used Cursor to write 100% of their codebase. AI placed all security logic client-side. Users bypassed payment within 72 hours by editing browser console variables. Project shut down entirely.

CVE-2025-55284 (Claude Code)

Prompt injection vulnerability allowed data exfiltration from developer machines via DNS requests embedded in analyzed code.

CVE-2025-54135 (Cursor)

The “CurXecute” vulnerability let attackers execute arbitrary commands on developer machines through a Model Context Protocol (MCP) server.

Windsurf Persistent Prompt Injection

Malicious instructions placed in source code comments caused the Windsurf IDE to store them in long-term memory, enabling data theft over months.

Replit Agent Database Deletion

An autonomous AI agent deleted the primary databases of a project during a code freeze because it decided the database needed “cleanup”—directly violating instructions.

CVE-2024-37032 (Probllama – Ollama RCE)

Remote Code Execution vulnerability in Ollama via path traversal. Attackers could arbitrarily overwrite files on the server and achieve full RCE in Docker deployments (which run as root by default). Wiz Research found over 1,000 exposed Ollama instances hosting private AI models. Fixed in v0.1.34, but thousands of vulnerable instances remain online.

Ollama Model Theft & Poisoning (2024-2025)

Multiple vulnerabilities allow attackers to:

• Steal all AI models from a server with a single HTTP request (no authorization required)
• Force servers to download poisoned models from attacker-controlled sources
• Crash the application with a single malformed HTTP request (CVE-2024-39720)
• Achieve DoS by triggering infinite loops (CVE-2024-39721)

Current exposure: 10,000+ Ollama servers on the internet, 25% running vulnerable versions, many hosting proprietary enterprise AI models.

What You Can Do About It

This isn’t about banning AI. That’s impossible and counterproductive. This is about governing it before it governs you.

For Shadow AI:

1. Discovery First, Policy Second

You can’t govern what you can’t see. Start by finding out what’s already deployed:

• Query DNS/proxy logs for AI service domains (openai.com, anthropic.com, lmstudio.ai)
• Review OAuth app consents in Entra ID / Google Workspace
• Scan the network for exposed AI hardware (NVIDIA DGX, GPU servers)
• Run an anonymous survey asking employees which AI tools they use and why

Most organizations skip this step and write policies nobody follows. Discovery tells you the real problem.

2. Risk-Based Classification

Classify discovered tools by data handling risk:

• Critical risk: Tools processing regulated data (PCI, PHI, PII) → require immediate action
• High risk: Tools with proprietary business data access → require evaluation and controls
• Medium risk: Internal but non-sensitive data → require policy coverage
• Low risk: No sensitive data access → monitoring only

3. Provide Secure Alternatives

Employees use Shadow AI because approved tools are slow, limited, or unavailable. Fix that:

• Deploy enterprise AI tools with proper controls (Microsoft Copilot, Anthropic Claude for Work)
• Streamline approval processes so teams don’t wait weeks for access
• Communicate why personal accounts are risky (don’t just say “it’s policy”)

4. Lock Down the Infrastructure

For AI hardware and self-hosted AI servers:

• Require IT approval for all GPU servers, AI appliances, and inference hardware
• Network segmentation: AI workloads on isolated VLANs, never exposed to the internet
• Default-deny firewall rules with explicit allowlisting for required services
• Inventory management: Track every AI system with asset tags and regular audits

5. Secure Self-Hosted AI Servers (Ollama, LM Studio, etc.)

If your organization deploys local AI inference servers, implement these mandatory controls:

• Never bind to 0.0.0.0 — Ollama’s Docker default is dangerous. Bind to 127.0.0.1 or specific internal IPs only.
• Deploy behind a reverse proxy with authentication (nginx, Traefik, Caddy) — Ollama and LM Studio have no authentication by default.
• Upgrade immediately — Update to Ollama v0.1.34+ to patch CVE-2024-37032 (RCE) and other critical vulnerabilities.
• Disable unnecessary endpoints — Use a proxy to expose only inference endpoints (/api/chat, /api/generate), not management endpoints (/api/pull, /api/push, /api/create).
• Monitor for exposed instances — Scan your external IP ranges for port 11434 (Ollama default) and port 1234 (LM Studio default). If you find them, you have a problem.
• Treat private AI models as intellectual property — Implement access controls. A stolen AI model can represent months of training and millions in investment.

Real-world impact: At least 10,000 Ollama instances are currently exposed to the internet. Don’t be one of them.

For Shadow Vibe Coding:

1. Establish an AI Development Policy

Your AI usage policy should explicitly cover development use cases:

• Which vibe coding tools are approved (Cursor, GitHub Copilot, etc.)
• What data they can access (never production credentials, PII, or secrets)
• Mandatory security review before any vibe-coded app hits production
• Penetration testing requirements for apps handling business-critical data

2. Use Frameworks, Not From-Scratch Code

Never let AI generate:

• Authentication logic
• Cryptography implementations
• Database access controls
• Payment processing

Instead, build on proven frameworks:

• Django, Ruby on Rails, Next.js, Laravel (established security defaults)
• OAuth libraries (not custom auth code)
• Battle-tested encryption libraries (not “AI-generated crypto”)

Let AI handle business logic and UI. Use hardened frameworks for security-critical components.

3. Treat AI Code Like Untrusted Third-Party Code

Every line of AI-generated code needs:

• Security-focused code review before deployment
• Static Application Security Testing (SAST) integrated into CI/CD
• Dependency scanning to catch vulnerable libraries
• Penetration testing for production apps

If you wouldn’t deploy contractor code without review, don’t deploy AI code without review.

4. Keep Custom Apps Behind Firewalls

Vibe-coded internal tools should never be exposed to the public internet:

• Deploy behind a corporate VPN or SASE framework (zero-trust access)
• Require MFA before granting access
• Restrict to known IP ranges or managed devices
• Use firewall allowlists, not “block known bad IPs”

Even a vulnerable app is far less risky when attackers can’t reach it.

5. Penetration Testing Is Non-Negotiable

If a vibe-coded app handles:

• Customer data
• Financial transactions
• PII or regulated data
• Business-critical workflows

Then penetration testing isn’t optional. Budget $1,500-$5,000 for a professional security assessment. That’s cheap compared to a $120K breach response.

Create Accountability

Assign ownership:

• IT/Security: Discovery, classification, monitoring
• Legal/Compliance: Policy enforcement, vendor agreements, audit evidence
• Business Units: Justification for AI tool requests, adherence to approved tools
• Engineering: Security review of vibe-coded applications

Set metrics:

• % of deployed AI tools with documented risk assessments
• % of vibe-coded apps that passed security review before production
• Mean time to detect unauthorized AI deployment
• Compliance evidence completeness (for audits)

The Bottom Line

Shadow AI and Shadow Vibe Coding aren’t going away. They’re accelerating.

By 2030, Gartner predicts 40% of enterprises will experience a security incident directly linked to unauthorized Shadow AI. The question isn’t whether your organization will be affected—it’s whether you’ll detect and govern it before an auditor (or an attacker) does.

The convergence of these two threats creates a perfect storm:

• Invisible AI infrastructure processing your most sensitive data
• Unvetted custom applications riddled with security flaws
• No audit trail, no compliance evidence, no incident response plan
• Employees who genuinely believe they’re being productive and efficient

And they are productive. That’s the trap.

The solution isn’t to ban AI. It’s to govern it with the same rigor you’d apply to any business-critical system:

• Visibility into what’s deployed
• Risk-based classification and controls
• Security review before production
• Continuous monitoring and audit readiness

Because the app that gets built in 20 minutes with Cursor? The one that’s “just for internal use” and “doesn’t handle sensitive data”?

That’s the one that ends up in your breach disclosure report six months from now.

• X (Twitter): @SimonRoses

Further Reading:

Shadow AI & Infrastructure:

• Netwrix: 12 Critical Shadow AI Security Risks
• Wiz Security: Probllama – Ollama RCE Vulnerability (CVE-2024-37032)
• Oligo Security: 6 Vulnerabilities in Ollama (Model Theft, Poisoning, DoS)
• Forbes: NVIDIA Doubles Down on AI Infrastructure (AI Factories)

Vibe Coding Security:

• The New Stack: Vibe Coding Catastrophic Failures
• Cyber Unit: Vibe Coding and the SaaS Shakeup
• Veracode: GenAI Code Security Report 2025
• Simon Willison: LLM Predictions for 2026 (Challenger Disaster Warning)