Vibeware: More than bad vibes for AppSec
ID: c04a59ea-a215-5c91-b682-5be1beab2069
STIX ID: report--c04a59ea-a215-5c91-b682-5be1beab2069
Feed Name: ReversingLabs Blog
The report describes how Pakistan-based APT36 has pivoted to ‘vibeware’: AI-generated, mass-produced malware compiled in niche languages (e.g., Nim, Zig, Crystal, Rust) that uses trusted cloud services (Slack, Discord, Supabase, Google Sheets) as C2 to overwhelm detection and triage capacity. It provides examples of multi-implant deployments per endpoint, explains the evasion and denial-of-detection strategy, and recommends defenses such as behavioral detection, outbound controls, application allow-listing, zero-trust, and supply-chain verification.
