Why Western security experts should take a closer look at China’s AI coders

While Alibaba is positioning its new AI coder solution, Qwen3-Coder, as a competitor to GPT-4 and Claude with a major PR campaign, a critical security debate threatens to be overshadowed. The enthusiasm for new coding automation is obscuring the real risk: Qwen3-Coder could turn out to be a Trojan horse for Western IT infrastructures.

The threat does not lie in the technological capabilities of Chinese AI models, but in the unreflective integration of these systems into Western development environments, often without security testing or regulatory oversight.

AI coding: productivity meets uncertainty

The advantages of generative AI in software development are undisputed: it writes code faster, analyses existing systems more efficiently and helps with debugging and architectural decisions. But this is precisely where the risk lies: What if the AI systematically builds in vulnerabilities – inconspicuous, context-sensitive and difficult to detect?

According to Cybernews, nearly 1,000 potential security risks have been identified in 327 publicly traded US companies (S&P 500) that already use AI coding tools – and that’s without taking tools such as Qwen3-Coder into account. The integration of an AI system from a country with a sensitive security policy could multiply this number.

The underestimated supply chain attack by AI

Modern software development is no longer a closed process, but a distributed, collaborative supply chain. Developers rely on external libraries, cloud services – and increasingly on AI-based assistants. A model such as Qwen3-Coder, which gains access to source code and actively helps to shape it, can become an invisible attack vector in this chain.

An intelligent model could create ‘dormant’ vulnerabilities that are embedded in the context, thereby circumventing traditional code reviews and static analyses.

The parallel to targeted supply chain attacks such as SolarWinds is more than just speculation.

The geopolitical dimension is often underestimated. Alibaba is subject to China’s National Intelligence Law, which requires companies to cooperate with state intelligence agencies. Even if Qwen3-Coder is available under an open-source licence, crucial questions remain unanswered:

• What data does the infrastructure collect in the background?
• What telemetry is stored?
• How transparent is the use of the generated content?

The possibility that valuable company data or IP could fall into the wrong hands through debugging requests to the model is real – especially when highly sensitive systems or proprietary algorithms are involved.

Agentic AI: From assistant to autonomous actor

Alibaba’s focus on agentic AI capabilities is particularly alarming. These are systems that perform programming tasks independently, without constant human control. On the one hand, this autonomous decision-making ability is a step forward – on the other hand, it is a massive lever for attack.

Such a system could:

• Identify security structures in the code
• Generate tailor-made exploits
• Automatically ‘mask’ and infiltrate vulnerabilities

In the wrong context, the AI development assistant thus becomes a tool for targeted attacks on critical infrastructure.

Regulatory no-man’s-land – a gateway

Regulatory authorities in Western countries are ill-prepared for this threat. While they are busy dealing with TikTok and Huawei, there is no systematic review mechanism for AI models from third countries that are actively integrated into corporate networks.

Important questions remain unanswered:

• Who reviews the security standards of foreign AI coders?
• What requirements apply to their use in security-critical areas?
• How can misuse be prevented if the model is open source but the infrastructure is not?

A CFIUS-like process for AI systems is long overdue.

Recommended actions for CISOs and security teams

1. Define usage controls: Companies that work with sensitive data should implement clear guidelines on the use of external AI tools. The basic principle is: If you would not give an external developer access to your code, you should not allow a foreign AI model to do so either.
2. Develop security tools for AI-generated code: Traditional security solutions are not enough. Dynamic analysis tools specialising in AI-generated patterns and backdoors are needed.
3. Strengthen strategic risk awareness: Every AI model should be considered potentially dual-use, with both peaceful and malicious potential. Classifying code-generating AI systems as critical infrastructure is a necessary step.

Conclusion: Technology with a double bottom

Alibaba has released an impressive tool in Qwen3-Coder – powerful, efficient and versatile. However, its geopolitical origins, potential for autonomous code generation and lack of regulatory safeguards make it a strategic risk for Western IT security.

Anyone who uses this tool without careful consideration may be opening the door – not only to efficiency gains, but also to systematic exploitation. In times of hybrid threats and digital dependencies, vigilance is called for – not euphoria.

About the original text

This article is based on an analysis by Jurgita Lapienytė, editor-in-chief of Cybernews, a globally renowned platform for investigative cybersecurity research.