Aikido Security's Blog
https://www.aikido.dev
Detect, pentest, and block security threats across your entire stack - from one unified platform.
Feed

Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens
Aikido Security's Blog
A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.
Category: Vulnerabilities & Threats
4 hours ago

Top GitGuardian alternatives for secrets scanning in 2026
Aikido Security's Blog
Compare the top GitGuardian alternatives for secrets scanning in 2026. See where Aikido Security, GitHub Secret Protection, TruffleHog, Gitleaks, Semgrep, Snyk, Cycode, Checkmarx, and GitLab fit best.
Category: DevSec Tools & Comparisons
8 hours ago

Why developer machines are now the number one target for supply chain attacks
Aikido Security's Blog
Teams at Omnea, Cognism, Glasswall, Raisin and the UK public sector reveal why EDR and MDM miss what's really happening on developer machines.
Category: News
2 days ago

Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
Aikido Security's Blog
Attackers injected a credential stealer into 200+ versions of popular Laravel-Lang packages. The stealer targets cloud keys, SSH keys, browser data, crypto wallets and more.
Category: Vulnerabilities & Threats
5 days ago

5 Gitleaks alternatives and why they are better
Aikido Security's Blog
Looking for a Gitleaks alternative? We compare Betterleaks, TruffleHog, Aikido, GitHub Advanced Security, and Spectral so you can find the best secrets scanner for your team.
Category: DevSec Tools & Comparisons
6 days ago

Google API keys keep working after you delete them
Aikido Security's Blog
Deleting a Google API key doesn't revoke it immediately. Our testing found successful authentications up to 23 minutes after deletion, and Google has declined to fix it.
Category: Vulnerabilities & Threats
6 days ago

The Wild West of VS Code extensions and how a poisoned extension breached GitHub
Aikido Security's Blog
A poisoned VS Code extension breached GitHub yesterday, one day after Nx Console (2.2M installs) was compromised for 18 minutes on the Visual Studio Marketplace and reached every user with auto-update on.
Category: Vulnerabilities & Threats
7 days ago

GitHub breached via a malicious VS Code extension: why developer devices are the real target
Aikido Security's Blog
GitHub confirmed a poisoned VS Code extension compromised an employee device, exposing 3,800 internal repos. Why developer workstations are now the top supply chain target.
Category: Vulnerabilities & Threats
8 days ago

Microsoft's durabletask package on PyPI compromised. Mini Shai-Hulud attacks again... again!
Aikido Security's Blog
Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems.
Category: Vulnerabilities & Threats
8 days ago

Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
Aikido Security's Blog
The Mini Shai-Hulud npm worm has hit Alibaba's @antv packages, echarts-for-react, and timeago.js. The payload steals CI/CD secrets, plants backdoors in VS Code and Claude Code, and spreads by republishing compromised packages. Here is what happened and how to protect your team.
Category: Vulnerabilities & Threats
9 days ago

Penetration testing vs. red teaming: what's the difference?
Aikido Security's Blog
Not sure whether you need a pentest or a red team engagement? This guide breaks down the key differences, when to use each, and how AI is changing both.
Category: Guides & Best Practices
13 days ago

One year of Opengrep: What we built and what's next
Aikido Security's Blog
A year after forking Semgrep, Opengrep is faster, supports deeper taint analysis, and produces consistent, reproducible results.
Category: Product & Company Updates
16 days ago

Shadow AI is a fear response, and banning it makes it worse
Aikido Security's Blog
Employees aren't using unapproved AI tools to cause problems. They're scared of falling behind. Here's why banning shadow AI increases your security risk, and what to do instead.
Category: News
16 days ago

Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and TanStack
Aikido Security's Blog
Mini Shai-Hulud is back, compromising 169 npm packages across TanStack, UiPath, Squawk, and more to steal developer and CI/CD secrets, then spread through trusted publishing workflows.
Category: Vulnerabilities & Threats
16 days ago

The complete GitHub Actions security checklist
Aikido Security's Blog
GitHub Actions misconfigurations have been behind some of the biggest supply chain attacks of 2025 and 2026. Here's what went wrong and how to prevent it from happening to your org.
Category: Guides & Best Practices
17 days ago

Top OWASP scanners in 2026 for web application security
Aikido Security's Blog
Most scanners don't cover the full OWASP Top 10. We break down the top OWASP scanners in 2026 so you can choose one that actually keeps you covered.
Category: DevSec Tools & Comparisons
21 days ago

Rolling out developer security in a 5,000+ engineer organization
Aikido Security's Blog
Most developer security rollouts fail because they're designed like software deployments, not cultural changes. A practitioner's guide for enterprise CISOs.
Category: Guides & Best Practices
22 days ago

Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks
Aikido Security's Blog
AppSec has flatlined under modern complexity. Project Glasswing and the Mythos era demand a security discipline that operates at the velocity of the threats it faces.
Category: Guides & Best Practices
22 days ago

Why browser extensions are a major security risk and what you can do about it
Aikido Security's Blog
Browser extensions carry more security risk than we care to admit. We discuss the full extent of the threat and what both individuals and organizations can do about it.
Category: Guides & Best Practices
1 month ago

Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud
Aikido Security's Blog
Malware found in PyTorch Lightning versions 2.6.2 and 2.6.3 steals credentials, crypto wallets, and VPN configs as part of the Mini Shai-Hulud campaign.
Category: Vulnerabilities & Threats
1 month ago

Aikido integrates with AWS Kiro: Catching in review doesn't scale anymore
Aikido Security's Blog
AI agents are writing your code. Aikido integrates directly into AWS Kiro's agentic workflow to keep security in the loop, automatically, from the first line. Aikido is AWS's first global security partner for Kiro.
Category: Product & Company Updates
1 month ago

Top CVE scanners in 2026 to identify known vulnerabilities
Aikido Security's Blog
We evaluated the top CVE scanners in 2026 on coverage breadth, intelligence sources, signal-to-noise ratio, and auto-fix capability. Here's how they compare and which is right for your stack.
Category: DevSec Tools & Comparisons
1 month ago

A practical CTO security checklist to be Mythos-ready
Aikido Security's Blog
A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.
Category: Guides & Best Practices
1 month ago

Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer
Aikido Security's Blog
Compromised SAP npm packages use a Bun-based preinstall payload to steal GitHub, npm, cloud, and CI secrets, then spread via GitHub using OhNoWhatsGoingOnWithGitHub.
Category: Vulnerabilities & Threats
1 month ago

Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files
Aikido Security's Blog
A fake "tanstack" npm package published four malicious versions in 27 minutes today, exfiltrating .env files via a postinstall hook. Here's what happened, who was affected, and how to rotate your credentials.
Category: Vulnerabilities & Threats
1 month ago

It's time to treat browser extensions like supply chain attack vectors
Aikido Security's Blog
The Vercel breach followed a pattern the security industry knows well: third-party code is implicitly trusted, then compromised upstream. We have a framework for that. We just haven't applied it to browser extensions yet. (Spoiler: we already do this for software dependencies.)
Category: Vulnerabilities & Threats
1 month ago

Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm
Aikido Security's Blog
Malware found in @bitwarden/cli v2026.4.0 steals SSH keys, cloud secrets, and AI coding tool credentials, then spreads through victims' own npm packages. Inside: a worm calling itself "Shai-Hulud: The Third Coming."
Category: Vulnerabilities & Threats
1 month ago

GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays
Aikido Security's Blog
A newly discovered npm and PyPI malware campaign installs hidden LLM proxies on compromised servers, turning them into relay nodes for LLM traffic.
Category: Vulnerabilities & Threats
1 month ago

Introducing Device Protection: Security for Developer Devices
Aikido Security's Blog
Supply chain attacks target developer devices. Aikido Device Protection monitors every install across npm, PyPI, VS Code extensions, browser extensions, and AI tools.
Category: Product & Company Updates
1 month ago

Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow
Aikido Security's Blog
Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.
Category: Vulnerabilities & Threats
1 month ago

Reliable CVE sources in the age of NIST NVD cutbacks
Aikido Security's Blog
NIST will no longer enrich most CVEs. Here's what changes, what breaks, and what comes next.
Category: News
1 month ago

Axios CVE-2026-40175: a critical bug that's... not exploitable
Aikido Security's Blog
Axios CVE-2026-40175 is rated critical, but in real Node.js environments it's not practically exploitable. Here's why.
Category: Vulnerabilities & Threats
1 month ago

Bug bounty isn't dead, but the old model is breaking
Aikido Security's Blog
Bug bounty is hitting a breaking point as AI overwhelms programs, pushing a shift toward more sustainable, quality-focused security models.
Category: Technical
1 month ago

GlassWorm goes native: New Zig dropper infects every IDE on your machine
Aikido Security's Blog
GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.
Category: Vulnerabilities & Threats
2 months ago

Aikido Attack finds multiple 0-days in Hoppscotch
Aikido Security's Blog
Aikido's AI pentesting agents discovered multiple high-severity vulnerabilities in Hoppscotch, including account takeover, stored XSS, and access control flaws. All issues are now patched.
Category: Vulnerabilities & Threats
2 months ago

The cybersecurity doomerism around Mythos doesn't match what we see on the ground
Aikido Security's Blog
Anthropic's leaked Mythos model has triggered panic about AI-powered cyberattacks. We ran 1,000 AI penetration tests. The results suggest the threat is more nuanced than the headlines claim.
Category: News
2 months ago

axios compromised on npm: maintainer account hijacked, RAT deployed
Aikido Security's Blog
Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.
Category: Vulnerabilities & Threats
2 months ago
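Two entries above name exact npm versions as malicious (axios 1.14.1 and 0.30.4, and @bitwarden/cli v2026.4.0). The first thing a practitioner wants is a quick way to tell whether a checked-in lockfile pins one of them, including when the package is nested under another dependency. The script below is an added example for this feed page, not code from Aikido or from the axios or Bitwarden projects; the version list is copied from the entries above, and the sample lockfile, the `find_malicious` helper and its output format are constructed for illustration. It reads both the older v1 `dependencies` tree and the v2/v3 flat `packages` map that npm writes. A clean result here only means those exact versions are absent; rotating credentials and following the remediation in the linked posts is still the call when a flagged version was ever installed.

```python
"""Scan an npm package-lock.json for versions flagged as malicious above.

Added example for this feed page, not Aikido's or the affected projects' code.
MALICIOUS_VERSIONS comes from the feed entries; everything else (helper
names, sample lockfile, output format) is constructed for illustration.
"""
import json
import sys

# Exact versions named as malicious in the entries above.
MALICIOUS_VERSIONS = {
    "axios": {"1.14.1", "0.30.4"},
    "@bitwarden/cli": {"2026.4.0"},
}


def _name_from_path(path):
    """v2/v3 keys look like 'node_modules/a/node_modules/@scope/b';
    the package name is whatever follows the last 'node_modules/'."""
    return path.rsplit("node_modules/", 1)[-1]


def iter_installed(lock):
    """Yield (name, version) for every pinned package.

    lockfileVersion 2/3 carry a flat 'packages' map keyed by install path;
    lockfileVersion 1 only has a nested 'dependencies' tree, so we walk it
    recursively. v2 files have both, and 'packages' is authoritative there.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":  # the root project entry, not a dependency
                continue
            yield _name_from_path(path), meta.get("version")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_malicious(lock, bad=MALICIOUS_VERSIONS):
    """Return sorted (name, version) pairs whose version is flagged for
    that package name. Transitive pins are caught because iter_installed
    yields every entry, not just direct dependencies."""
    hits = {
        (name, ver)
        for name, ver in iter_installed(lock)
        if ver in bad.get(name, ())
    }
    return sorted(hits)


def scan_file(path):
    """Load a lockfile from disk and return the flagged pins."""
    with open(path, encoding="utf-8") as f:
        return find_malicious(json.load(f))


# Constructed sample lockfile (v3 layout): one clean pin, one flagged direct
# dependency and one flagged version nested under another package.
SAMPLE_LOCK = {
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    },
}

if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/package-lock.json]
    # Without an argument the constructed sample is scanned instead.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_malicious(SAMPLE_LOCK)
    for name, ver in hits:
        print(f"FLAGGED {name}@{ver}")
    sys.exit(1 if hits else 0)
```

Run it against each repository's lockfile in CI with a non-zero exit on a hit; pnpm and yarn lockfiles use different formats and would need their own parser, which this example does not cover.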

Popular telnyx package compromised on PyPI by TeamPCP
Aikido Security's Blog
The popular telnyx package on PyPI, used by big AI companies, has been compromised by TeamPCP.
Category: Vulnerabilities & Threats
2 months ago

Aikido × Lovable: Vibe, Fix, Ship
Aikido Security's Blog
Lovable and Aikido bring pentesting into the platform, allowing builders to simulate real-world attacks and fix issues before shipping.
Category: Product & Company Updates
2 months ago

CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
Aikido Security's Blog
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
Category: Vulnerabilities & Threats
2 months ago

TeamPCP deploys CanisterWorm on NPM following Trivy compromise
Aikido Security's Blog
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
Category: Vulnerabilities & Threats
2 months ago

Security testing is validating software that no longer exists
Aikido Security's Blog
Modern teams ship faster than pentesting can keep up. Explore the growing speed gap in security testing and why traditional approaches are falling behind.
Category: Guides & Best Practices
2 months ago

Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM
Aikido Security's Blog
Frost & Sullivan recognized Aikido with the 2026 Customer Value Leadership Award in ASPM. We break down what the recognition criteria reveal about how the AppSec market is maturing.
Category: News
2 months ago

GlassWorm Hides a RAT Inside a Malicious Chrome Extension
Aikido Security's Blog
GlassWorm deploys a multi-stage RAT that force-installs a malicious Chrome extension to log keystrokes, steal cookies, and exfiltrate data via Solana-based C2.
Category: Vulnerabilities & Threats
2 months ago

fast-draft Open VSX Extension Compromised by BlokTrooper
Aikido Security's Blog
The fast-draft Open VSX extension was compromised to deploy a BlokTrooper RAT and infostealer via GitHub-hosted payloads. Multiple malicious versions identified.
Category: Vulnerabilities & Threats
2 months ago

Glassworm Strikes Popular React Native Phone Number Packages
Aikido Security's Blog
Aikido Security researchers recovered and decrypted the full payload chain from two malicious React Native packages. Here's what the malware does and what to look for.
Category: Vulnerabilities & Threats
2 months ago

Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
Aikido Security's Blog
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.
Category: Vulnerabilities & Threats
3 months ago

How Security Teams Fight Back Against AI-Powered Hackers
Aikido Security's Blog
AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.
Category: Vulnerabilities & Threats
3 months ago

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks
Aikido Security's Blog
Betterleaks is a new open source secrets scanner from the creator of Gitleaks. A drop-in replacement with faster scans, token efficiency detection, configurable validation, and more.
Category: Product & Company Updates
3 months ago

Trump's 2026 cybersecurity strategy: From compliance to consequence
Aikido Security's Blog
The Trump administration's 2026 cybersecurity strategy shifts the focus from compliance checklists to real consequences for cybercriminals. Here's what CISOs need to know.
Category: News
3 months ago

How does AI pentesting work with compliance?
Aikido Security's Blog
AI pentesting is being accepted for SOC 2, ISO 27001, and HIPAA (with more likely to come). Here's what auditors actually look for, and where the real limitations are.
Category: Compliance
3 months ago

What continuous pentesting actually requires
Aikido Security's Blog
Continuous pentesting promises real-time security validation, but most implementations fall short. Here's what continuous pentesting actually requires, from change-aware testing to exploit validation and remediation loops.
Category: Guides & Best Practices
3 months ago

Rare Not Random: Using Token Efficiency for Secrets Scanning
Aikido Security's Blog
Entropy often struggles with generic secrets and short strings. We look at how token efficiency can better identify strings that don't look like normal text.
Category: Guides & Best Practices
3 months ago

Persistent XSS/RCE using WebSockets in Storybook's dev server
Aikido Security's Blog
CVE-2026-27148 exposes a WebSocket hijacking flaw in Storybook that can escalate into supply chain compromise. Learn the attack path, impact, and how to remediate.
Category: Vulnerabilities & Threats
3 months ago

Why Determinism Is Still a Necessity in Security
Aikido Security's Blog
AI scanning finds what rules miss. Deterministic scanning finds it every time. Here's why the best security pipelines don't choose between them.
Category: Engineering
3 months ago

WAF vs. RASP vs. ADR
Aikido Security's Blog
WAF, RASP, and ADR protect your app in completely different ways. Here's what each layer actually does, where it falls short, and which ones you need.
Category: Guides
3 months ago

Introducing Aikido Infinite: A new model of self-securing software
Aikido Security's Blog
Aikido Infinite runs AI penetration testing on every code change, validates exploitability, generates patches, and retests fixes before code hits production, making self-securing software a reality.
Category: Product & Company Updates
3 months ago

How Aikido secures AI pentesting agents by design
Aikido Security's Blog
Learn how Aikido secures AI pentesting agents with architectural isolation, runtime scope enforcement, and network-level controls to prevent production drift and data leakage.
Category: Product & Company Updates
3 months ago

Astro Full-Read SSRF via Host Header Injection
Aikido Security's Blog
Aikido Security's AI pentesting agent discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. Learn how Host header injection in prerendered error pages allowed full internal network access.
Category: Vulnerabilities & Threats
3 months ago

How to Get Your Board to Care About Security (Before a Breach Forces the Issue)
Aikido Security's Blog
Boards don't fund security because it's important. They fund defensible decisions. Here's how to frame risk, reduce ambiguity, and win real support before a breach forces the issue.
Category: Guides
3 months ago

What is Slopsquatting? The AI Package Hallucination Attack Already Happening
Aikido Security's Blog
AI models hallucinate npm package names. Attackers register them first. Here's what slopsquatting is, how it's spreading through agent skills, and how to protect yourself.
Category: Guides & Best Practices
3 months ago

SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel
Aikido Security's Blog
SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if you're vulnerable and how to mitigate the risk.
Category: Vulnerabilities & Threats
3 months ago

Top 6 Wiz Code Alternatives
Aikido Security's Blog
Looking for Wiz Code alternatives? Compare 6 tools across SAST, DAST, SCA, pricing, and developer experience to find the best AppSec platform for 2026.
Category: Guides & Best Practices
3 months ago

Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report
Aikido Security's Blog
Aikido Security recognized as Platform Leader, AI Pentesting Innovator, and Supply Chain Innovator in Latio Tech's 2026 AppSec Report.
Category: News
3 months ago

From detection to prevention: How Zen stops IDOR vulnerabilities at runtime
Aikido Security's Blog
IDOR vulnerabilities are one of the most common causes of cross-tenant data leaks in multi-tenant SaaS. Learn how Zen enforces tenant isolation at runtime by analyzing SQL queries and preventing unsafe access before it ships.
Category: Product & Company Updates
3 months ago

npm backdoor lets hackers hijack gambling outcomes
Aikido Security's Blog
A targeted npm supply chain attack installs an Express backdoor, enables remote SQL/file access, and rewrites gambling balances while keeping logs consistent.
Category: Vulnerabilities & Threats
3 months ago

Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code
Aikido Security's Blog
Aikido automatically detects breaking changes in dependency upgrades and analyzes your codebase to show real impact, so teams can merge security fixes safely.
Category: Product & Company Updates
3 months ago

Why Trying to Secure OpenClaw is Ridiculous
Aikido Security's Blog
OpenClaw's security issues explained: malware in ClawHub, exposed instances, and why hardening guides miss the point. Can you use the AI agent safely?
Category: News
3 months ago

Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security?
Aikido Security's Blog
Anthropic claims Claude Opus 4.6 uncovered 500+ high-severity vulnerabilities in open source. Here's what that means for vulnerability discovery, exploitability validation, and production security workflows.
Category: News
4 months ago

Introducing Aikido Expansion Packs: Safer defaults inside the IDE
Aikido Security's Blog
Aikido Expansion Packs add focused security controls directly inside your IDE. Enable secrets protection, supply chain malware checks, and AI-assisted code security without changing developer workflows.
Category: Product & Company Updates
4 months ago

International AI Safety Report 2026: What It Means for Autonomous AI Systems
Aikido Security's Blog
Aikido Security's analysis of the International AI Safety Report 2026. We examine deployment-time controls, validation requirements, and practical safety baselines for autonomous AI systems.
Category: News
4 months ago

Self-Securing Software: What It Is, Why It Matters, and How It Works
Aikido Security's Blog
Self-securing software is a security model where systems continuously validate and remediate real risk as they change. Learn why periodic testing no longer scales.
Category: Product & Company Updates
4 months ago

What Is Continuous Pentesting?
Aikido Security's Blog
Continuous pentesting automatically tests real attack paths every time software changes, validating and fixing issues as part of the development lifecycle. Learn how it compares to AI and manual pentesting.
Category: Guides & Best Practices
4 months ago

npx Confusion: Packages That Forgot to Claim Their Own Name
Aikido Security's Blog
We claimed 128 unclaimed npm package names that official docs told developers to npx. Seven months later: 121,000 downloads. All would have run arbitrary code.
Category: Vulnerabilities & Threats
4 months ago

Introducing Aikido Package Health: a Better Way to Trust Your Dependencies
Aikido Security's Blog
See how stable and well-maintained an open source package really is. Aikido Package Health helps devs choose safer dependencies with confidence.
Category: Product & Company Updates
4 months ago

AI Pentesting: Minimum Safety Requirements for Security Testing
Aikido Security's Blog
AI pentesting systems act autonomously against live environments. Learn when AI pentesting is safe to use, the minimum technical safeguards required, and how to evaluate AI security testing tools responsibly.
Category: Guides & Best Practices
4 months ago

Secure SDLC for Engineering Teams (+ Checklist)
Aikido Security's Blog
Learn what a Secure SDLC is, why it matters, and the five pillars every team needs. Includes a practical Secure SDLC checklist for CTOs and engineering leaders.
Category: Guides & Best Practices
4 months ago

Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
Aikido Security's Blog
A malicious VS Code extension impersonating Clawdbot is installing ScreenConnect RAT on developer machines.
Category: Vulnerabilities & Threats
4 months ago

G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets
Aikido Security's Blog
npm package ansi-universal-ui delivers the GWagon infostealer targeting 100+ crypto wallets, browser credentials, and cloud keys. We analyzed all 10 versions as the attacker iterated in real time.
Category: Vulnerabilities & Threats
4 months ago

Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages
Aikido Security's Blog
A targeted spear-phishing campaign used npm packages and jsDelivr as free phishing infrastructure, serving custom credential harvesters per victim.
Category: Vulnerabilities & Threats
4 months ago

Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT
Aikido Security's Blog
Attackers published fake spellchecker packages to PyPI with malware hidden in plain sight. We break down the attack and what developers need to watch for.
Category: Vulnerabilities & Threats
4 months ago

Top 10 AI Security Tools For 2026
Aikido Security's Blog
Explore the top AI security tools for 2026. Compare platforms for AI code review, vulnerability detection, pentesting, and risk management to secure modern applications.
Category: DevSec Tools & Comparisons
4 months ago

Agent Skills Are Spreading Hallucinated npx Commands
Aikido Security's Blog
AI agent skills are propagating hallucinated npx commands, creating real security and reliability risks for developers and supply chains.
Category: Vulnerabilities & Threats
4 months ago

Understanding Open-Source License Risk in Modern Software
Aikido Security's Blog
Open-source license risk hides in dependencies and container images. Learn what it is, why it matters, and how to catch issues early.
Category: Guides & Best Practices
4 months ago

The CISO Vibe Coding Checklist for Security
Aikido Security's Blog
A practical security checklist for CISOs managing AI and vibe-coded applications. Covers technical guardrails, AI controls, and organizational policies.
Category: Guides & Best Practices
4 months ago

Top 6 Graphite alternatives for AI code review in 2026
Aikido Security's Blog
Compare the best Graphite alternatives for AI-driven code review. Check free options like Aikido Security and enterprise tools like SonarQube to improve code quality.
Category: DevSec Tools & Comparisons
4 months ago

From "No Bullsh*t Security" to $1B: We Just Raised Our $60m Series B
Aikido Security's Blog
Aikido announces $60M Series B funding at a $1B valuation, accelerating its vision for self-securing software and continuous penetration testing.
Category: Product & Company Updates
4 months ago

Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858)
Aikido Security's Blog
A critical vulnerability in n8n (CVE-2026-21858) allows unauthenticated remote code execution on self-hosted instances. Learn who is affected and how to remediate.
Category: Vulnerabilities & Threats
5 months ago

Top 14 VS Code Extensions for 2026
Aikido Security's Blog
A practical guide to the best VS Code extensions for 2026, covering productivity, testing, collaboration, and security tools that improve real-world developer workflows.
Category: DevSec Tools & Comparisons
5 months ago

AI-Driven Pentesting of Coolify: Seven CVEs Identified
Aikido Security's Blog
AI-driven pentesting of Coolify identified seven CVEs, including privilege escalation and remote code execution vulnerabilities. Findings were responsibly disclosed and fixed.
Category: Aikido
5 months ago

Top 6 Continuous Pentesting Tools in 2026
Aikido Security's Blog
Discover the leading continuous pentesting tools that provide real-time, AI-powered security testing for modern applications.
Category: DevSec Tools & Comparisons
5 months ago

SAST vs SCA: Securing the Code You Write and the Code You Depend On
Aikido Security's Blog
Learn how SAST and SCA differ, what risks each addresses, and why modern AppSec teams need both to secure code and dependencies.
Category: Technical
5 months ago

JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack
Aikido Security's Blog
A deep technical analysis of the NeoShadow npm supply-chain attack, detailing how JavaScript, MSBuild, and blockchain techniques were combined to compromise developers.
Category: Vulnerabilities & Threats
5 months ago

How Engineering and Security Teams Can Meet DORA's Technical Requirements
Aikido Security's Blog
Understand DORA's technical requirements for engineering and security teams, including resilience testing, risk management, and audit-ready evidence.
Category: Compliance
5 months ago

IDOR Vulnerabilities Explained: Why They Persist in Modern Applications
Aikido Security's Blog
Learn what an IDOR vulnerability is, why insecure direct object references persist in modern APIs, and why traditional testing tools struggle to detect real authorization failures.
Category: Vulnerabilities & Threats
5 months ago

Shai Hulud strikes again - The golden path
Aikido Security's Blog
A new strain of Shai Hulud has been observed in the wild.
Category: Vulnerabilities & Threats
5 months ago

MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It
Aikido Security's Blog
MongoBleed, tracked as CVE-2025-14847, allows unauthenticated memory disclosure in MongoDB via zlib compression. See impact and remediation.
Category: Vulnerabilities & Threats
5 months ago

First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson
Aikido Security's Blog
We uncovered the first sophisticated malware campaign on Maven Central: a typosquatted Jackson package delivering multi-stage payloads and Cobalt Strike beacons via Spring Boot auto-execution.
Category: Vulnerabilities & Threats
5 months ago

The Fork Awakens: Why GitHub's Invisible Networks Break Package Security
Aikido Security's Blog
A deep dive into a GitHub security flaw where forked commits let attackers spoof dependencies. Understand the commit SHA issue and why package managers need API-level protection.
Category: Vulnerabilities & Threats
5 months ago

Top 10 Cyber Security Tools For 2026
Aikido Security's Blog
A practical breakdown of the top 10 cybersecurity tools for 2026, covering endpoint, cloud, identity, vulnerability management, and XDR. Learn how to choose the right tool for your stack and risk profile.
Category: DevSec Tools & Comparisons
5 months ago