I'm a CS student who spent the last few weeks researching how AI coding tools systematically produce vulnerable code. The data is pretty alarming: 45% of AI-generated code contains security flaws (Veracode), developers using AI assistants produce SQL injection at 5.1x the rate of unassisted developers (Perry et al., IEEE S&P 2023), and ~20% of AI-recommended packages don't even exist in registries (USENIX Security 2025). Existing tools like ESLint, Semgrep, and Bandit were built for human-written code. They miss the specific patterns AI produces — the "almost right" auth flows, the hallucinated package names, the parameterized query that's parameterized everywhere except the ORDER BY clause. vchk is a CLI tool (npx vchk) that catches these patterns. It runs a 4-stage pipeline: regex fast-pass, Babel AST analysis, npm/PyPI registry verification for hallucinated packages, and contextual severity scoring. 8 detection rules covering SQL injection, hardcoded credentials, XSS, missing auth, weak randomness, permissive CORS, log injection, and hallucinated packages. I validated it against 12 real vibe-coded repos from GitHub. Found real exploitable vulnerabilities — wildcard CORS on Supabase edge functions, dangerouslySetInnerHTML with unsanitized user content, plaintext master passwords in source code. 0% false positive rate on the CLI after tuning. Try it in the browser: https://vchk.dev CLI: npx vchk GitHub: https://github.com/feruzkarimovv/vibecheck Built with TypeScript, Babel parser, Next.js for the playground. The detection rules are based on a 63-pattern research database I compiled from 9 academic papers and 14 industry reports. All open source, MIT licensed. Would love feedback — especially from security researchers on what patterns to add next.