We are rolling out NodeJS/NPM vulnerability protection and supply chain security across all Patchstack web hosting & integration partners. If you’re not an existing partner, contact us here for more information.
Vibe coding makes custom app building effortless for non technical users
Website creation is at an all time high and growing, before counting invisible apps developed for internal use within companies. NodeJS is now the dominant technology among vibe-coding tools, used by the same non-technical customer who used to build on WordPress and expects that same experience, including security.
Users are less technical than ever
This shift is part of a broader, well-documented trend: New domain registrations grew by 6.5% in Q1 2026, at triple the average normal growth rate favoring domains easily registered through vibe coding platforms. Gartner projects non-IT users to comprise 80% of low code tool users in 2026, and Forrester estimates that the global population of “citizen developers” – people building apps without a formal engineering background has reached roughly 16.2 million in 2026, up 38% year-over-year.
For you as a web host, that means the person deploying an app on your infrastructure is often using components they didn’t choose, can’t read the documentation for, and don’t understand well enough to track after deployment. They’re business owners building functionality, not developers.
At the same time, vulnerability detection and disclosure are at an all time high – the sheer volume of AI-generated apps means that risk is accumulating across your customer base whether anyone’s watching it or not.
“AI has made it much easier to build applications, but security doesn’t end at deployment. Open-source dependencies keep changing, so developers need ongoing visibility into new vulnerabilities – not just a one-time scan.”
- Oliver Sild, CEO @ Patchstack
When growth turns to churn risk
This is not a new problem – the large-scale adoption of WordPress taught us that it’s a major challenge to even get your customers to update their PHP, WordPress core and plugins. The non technical customer simply doesn’t understand why security matters before it’s too late.
Expecting the same kind of user to look up what dependencies got installed to their vibe coded application, look at the package maintainer reputation and supply chain risk, monitor each dependency for vulnerabilities and then upgrading the application regularly to patch vulnerabilities (while at the same time making sure the upgrade is not exposing them to ongoing supply chain attack) is simply beyond what can be expected of the average user.
The average user will get less technical over time, and when they get hacked, they will blame you. By the time their website has been compromised – trust will be broken, churn risk elevated, support overloaded with inquiries that could’ve been prevented.
Patchstack fixes this, improving retention rates, ARPU and NPS/CSAT.
Patchstack is the market leader solving this problem in the WordPress ecosystem: surfacing vulnerabilities to customers for free, with a protection add-on that carries strong ROI and attach rates. Customers value being alerted before they’re compromised – the alerts alone build trust and improve retention. Hosts earn recurring revenue from the add-on or by bundling protection into higher hosting tiers.
Now we’re bringing the same model to vibe-coded NodeJS applications.
What we just launched with Hostinger
Hostinger is the first host to close that gap with us. Patchstack’s open-source vulnerability intelligence is now built directly into Hostinger’s Node.js hosting.
What that means for Hostinger’s customers:
- Applications are continuously scanned for newly disclosed vulnerabilities in their dependencies.
- When something’s flagged, customers are automatically alerted and guided through remediation – before it turns into an incident.
- Monitoring runs in the background, with no setup required from the customer.

Hostinger’s Node.js hosting was built with vibecoded apps in mind allowing customers to export straight from tools like Lovable and GitHub with automated connection, framework detection and deployment with support across Node.js-versions 18.x-24.x. With Patchstack sitting underneath this flow, security becomes and integral part of the hosting offering rather than a separate concern for the customer.
“When customers are building with AI tools, they’re focused on getting the product live, not on what happens to their dependencies six months later. That’s exactly the risk this integration is built to catch, on Hostinger’s behalf.”
- Web Hosting Product Manager @ Hostinger
What this could look like on your platform
We expect every web host to follow. If your customers are shipping apps built on code they don’t understand, this is worth prioritizing. For existing Patchstack partners, this does not mean we’re selling you a new product, the expansion to cover NodeJS and vibe coded apps is part of our existing product offering.
There’s a lot more exciting innovation we’ll be rolling out in the upcoming months to create even deeper visibility into a wider range of security vulnerabilities, automatically mitigate them without user interaction, and eliminate the supply chain risk entirely.
All of this served through the same experience your customers are already used to.
If you’re working on your NodeJS already or planning to expand support for vibe coded apps – we should talk. [Get in touch with our partnerships team →]


