Aikido Security's Blog
https://www.aikido.dev
Detect, pentest, and block security threats across your entire stack - from one unified platform.
フィード

Compromised @injectivelabs/sdk-ts exfiltrates wallet keys through fake telemetry
Aikido Security's Blog
A malicious release of @injectivelabs/sdk-ts hid a wallet-key stealer inside code labeled as usage telemetry, then spread it across 17 more npm packages. Here's how it worked and how to check your projects.Category: Vulnerabilities & Threats
3日前

AI Pentesting Buyer's Guide: How to evaluate AI pentesting vendors
Aikido Security's Blog
Learn how to evaluate AI pentesting vendors with practical buying criteria, research from 1,000+ AI pentests, and a downloadable evaluation checklist.Category: Guides & Best Practices
3日前

Top Burp Suite alternatives for web application security testing
Aikido Security's Blog
Compare the top Burp Suite alternatives for DAST and AI pentesting, including Aikido, Caido, ZAP, and Invicti.Category: DevSec Tools & Comparisons
5日前

Top Chainguard alternatives 2026
Aikido Security's Blog
Comparing the best Chainguard alternatives in 2026, from Aikido Security to Docker Hardened Images, Minimus, RapidFort, and Echo.Category: DevSec Tools & Comparisons
5日前

Predicting MongoDB ObjectId() continuously in Rocket.Chat
Aikido Security's Blog
Aikido's AI pentester found this file-access flaw in Rocket.Chat. A closer look at MongoDB's ObjectId() showed the weak randomness that makes it exploitable.Category: Vulnerabilities & Threats
6日前

Authentication Bypass in the default configuration phpBB
Aikido Security's Blog
Our AI pentest agents found a critical phpBB auth bypass (CVE-2026-48611): one unauthenticated request logs you into any account. See the exploit and the fix.Category: Vulnerabilities & Threats
9日前

And another one. GitHub ships break-glass credential revocation
Aikido Security's Blog
Break-glass credential revocation is live on GitHub Enterprise. The Trivy and Microsoft durabletask repeats show why fast, complete revocation was needed..Category: News
11日前

Aikido acquires Root to secure the supply chain
Aikido Security's Blog
Aikido has acquired Root to secure the software supply chain, fixing open source vulnerabilities in the version you already run, no upgrade required. Critical fixes go back to the community, free.Category: Product & Company Updates
12日前

npm now freezes high-impact accounts after risky account changes
Aikido Security's Blog
A look at npm's new 72-hour account freeze, what triggers it, what it blocks, and how it works alongside trusted and staged publishing. Category: News
16日前

Top Koi alternatives in 2026
Aikido Security's Blog
Looking for a Koi Security alternative after the Palo Alto acquisition? Compare competitors on device protection, platform breadth, and pricing.Category: DevSec Tools & Comparisons
16日前

Packagist is now protected by Aikido Intel and other updates to the PHP registry
Aikido Security's Blog
Aikido's malware feed now blocks bad package versions in Composer by default. A look at how Packagist is closing whole classes of supply chain attacks.Category: Product & Company Updates
16日前

Everybody's shipping code they can't read
Aikido Security's Blog
With AI, everyone's a developer now, and a lot of code gets shipped without a careful review from trained eyes. Category: News
17日前

Compromised GitHub action codfish/semantic-release-action steals CI/CD secrets
Aikido Security's Blog
codfish/semantic-release-action was compromised on June 24, 2026. Attackers repointed v2–v5 tags to a Miasma credential-stealing payload targeting CI/CD secrets. Here's what happened and how to check if you're affected.Category: Vulnerabilities & Threats
18日前

Aikido x Drydock | A way for maintainers to catch malware before it ships
Aikido Security's Blog
Aikido partners with Drydock to bring pre-publish package review to npm and PyPI. See exactly what's inside a release before it ships, malware caught before download number one.Category: Product & Company Updates
19日前

Aikido x OWASP: 200 free credits for individual members
Aikido Security's Blog
OWASP individual members get 200 free Aikido credits to run Code Audit. Here is who qualifies and how to claim yours in two steps.Category: Aikido
24日前

Over 140 popular Mastra npm Packages Hit by Supply Chain Attack
Aikido Security's Blog
141 Mastra npm packages were compromised in a supply chain attack that injected a malicious dependency to silently download and execute a payload at install time.Category: Vulnerabilities & Threats
25日前

Multiple JetBrains IDE plugins caught stealing AI keys
Aikido Security's Blog
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.Category: Vulnerabilities & Threats
1ヶ月前

Introducing Code Audit: Find complex vulnerabilities hidden in your source code
Aikido Security's Blog
SAST catches patterns. Code Audit reasons through your code like an attacker would, finding the logic flaws that only show up after you ship.Category: Product & Company Updates
1ヶ月前

Full Fathom Five: The context of Anthropic’s Mythos-class public release
Aikido Security's Blog
You never needed Mythos to find your IDORs and business logic flaws. A look at what Anthropic shipped with Fable 5, and why infosec stays a people problem at heart.Category: News
1ヶ月前

5 Socket security alternatives and why they are better
Aikido Security's Blog
Socket built its name on malware detection. But detection speed alone is no longer the whole story. Here's how Aikido and four other alternatives compare on supply chain security, reachability analysis, licensing, and more.Category: DevSec Tools & Comparisons
1ヶ月前

npm v12 delivers one of the biggest security improvements in years
Aikido Security's Blog
npm v12 makes install scripts opt-in by default, closing the install-time execution path behind a year of npm supply chain worms from Nx to Red Hat.Category: News
1ヶ月前

Aikido x Docker: less noise, more signal in your containers
Aikido Security's Blog
Aikido now supports Docker Hardened Images with built-in VEX integration, helping teams reduce CVE noise and focus on container vulnerabilities that actually need attention.Category: Product & Company Updates
1ヶ月前

Code is being written everywhere, and the device is the only constant
Aikido Security's Blog
Developers are coding everywhere. AI agents, Slack bots, and MCP servers have made the developer device the biggest security blindspot.Category: News
1ヶ月前

SBOMs in 2026: Everyone's generating them, no one's using them
Aikido Security's Blog
ENISA's 2026 SBOM adoption report covers 334 organizations and surfaces a consistent gap between generating SBOMs and actually using them. Here is what stood out.Category: News
1ヶ月前

Compromised Rust crate onering performs code exfiltration
Aikido Security's Blog
The compromised onering Rust crate v1.4.1 on crates.io shipped a malicious build.rs that exfiltrates the diff of your latest commit to a hosted Sentry endpoint every time you build.Category: Vulnerabilities & Threats
1ヶ月前

10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security's Blog
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.Category: Vulnerabilities & Threats
1ヶ月前

Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System
Aikido Security's Blog
Deep dive into binding.gyp, the often overlooked npm build file that can execute malicious code at install time through shell expansions, sandbox escapes, and compiler hijacking.Category: Vulnerabilities & Threats
1ヶ月前

What is AI SAST?
Aikido Security's Blog
AI SAST is emerging as a new SAST category, but the meaning is unclear. We clarify the difference between AI-native SAST and AI-assisted SAST, as well as how AI SAST sits in the stack between traditional SAST and AI pentesting.Category: DevSec Tools & Comparisons
1ヶ月前

Top 5 Tenable Nessus alternatives in 2026
Aikido Security's Blog
Tenable Nessus is a powerful scanner, but powerful tools that nobody uses don't make software more secure. Compare five alternatives built for how engineering teams actually work.Category: DevSec Tools & Comparisons
1ヶ月前

Why EDR and proxy won’t save you from supply chain malware
Aikido Security's Blog
EDR and proxies weren't built for supply chain malware. When malicious code arrives through npm install, it looks like normal behavior. Here's why that matters.Category: News
1ヶ月前

Move over, Mythos. Here comes... pretty much any other model with a good harness
Aikido Security's Blog
Mythos has real edges in exploit chain construction. But for most AppSec work, the harness around the model matters more than which model you pick.Category: News
1ヶ月前

Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm
Aikido Security's Blog
Multiple official @redhat-cloud-services npm packages were compromised with a credential-stealing worm derived from the open-sourced Mini Shai-Hulud malware, targeting cloud credentials, and developer tooling across CI/CD pipelines.Category: Vulnerabilities & Threats
1ヶ月前

What MDM can't protect on developer machines (and what to do about it)
Aikido Security's Blog
MDM tools like Jamf and Kandji are essential but they don't see npm installs, IDE extensions, or AI coding tools. Here's what's actually unprotected on your developer machines and how to close the gap.Category: Guides & Best Practices
1ヶ月前

Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens
Aikido Security's Blog
A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.Category: Vulnerabilities & Threats
1ヶ月前

Top GitGuardian alternatives for secrets scanning in 2026
Aikido Security's Blog
Compare the Top GitGuardian Alternatives for secrets scanning in 2026. See where Aikido Security, GitHub Secret Protection, TruffleHog, Gitleaks, Semgrep, Snyk, Cycode, Checkmarx, and GitLab fit best.Category: DevSec Tools & Comparisons
1ヶ月前

Aikido vs XBOW: 58% more vulnerabilities found in independent benchmark
Aikido Security's Blog
Aikido vs XBOW compared in an independent benchmark by Doyensec. Aikido found 58% more vulnerabilities at the same price. See setup time, false positive rates & full resultsCategory: News
2ヶ月前

Why developer machines are now the number one target for supply chain attacks
Aikido Security's Blog
Teams at Omnea, Cognism, Glasswall, Raisin and the UK public sector reveal why EDR and MDM miss what's really happening on developer machines.Category: News
2ヶ月前

Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
Aikido Security's Blog
Attackers injected a credential stealer into 200+ versions of popular Laravel-Lang packages, delivering a credential stealer targeting cloud keys, SSH keys, browsers, crypto wallets and more.Category: Vulnerabilities & Threats
2ヶ月前

5 Gitleaks alternatives and why they are better
Aikido Security's Blog
Looking for a Gitleaks alternative? We compare Betterleaks, TruffleHog, Aikido, GitHub Advanced Security, and Spectral so you can find the best secrets scanner for your team.Category: DevSec Tools & Comparisons
2ヶ月前

Google API keys keep working after you delete them
Aikido Security's Blog
Deleting a Google API key doesn't revoke it immediately. Our testing found successful authentications up to 23 minutes after deletion, and Google has declined to fix it.Category: Vulnerabilities & Threats
2ヶ月前

The Wild West of VS Code extensions and how a poisoned extension breached GitHub
Aikido Security's Blog
A poisoned VS Code extension breached GitHub yesterday, one day after Nx Console (2.2M installs) was compromised for 18 minutes on the Visual Studio Marketplace and reached every user with auto-update on.Category: Vulnerabilities & Threats
2ヶ月前

GitHub breached via a malicious VS Code extension: why developer devices are the real target
Aikido Security's Blog
GitHub confirmed a poisoned VS Code extension compromised an employee device, exposing 3,800 internal repos. Why developer workstations are now the top supply chain target.Category: Vulnerabilities & Threats
2ヶ月前

Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!
Aikido Security's Blog
Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systemsCategory: Vulnerabilities & Threats
2ヶ月前

Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
Aikido Security's Blog
The Mini Shai-Hulud npm worm has hit Alibaba's @antv packages, echarts-for-react, and timeago.js. The payload steals CI/CD secrets, plants backdoors in VS Code and Claude Code, and spreads by republishing compromised packages. Here is what happened and how to protect your team.Category: Vulnerabilities & Threats
2ヶ月前

Penetration testing vs. red teaming: what’s the difference?
Aikido Security's Blog
Not sure whether you need a pentest or a red team engagement? This guide breaks down the key differences, when to use each, and how AI is changing both.Category: Guides & Best Practices
2ヶ月前

One year of Opengrep: What we built and what’s next
Aikido Security's Blog
A year after forking Semgrep, Opengrep is faster, supports deeper taint analysis, and produces consistent, reproducible results.Category: Product & Company Updates
2ヶ月前

Shadow AI is a fear response, and banning it makes it worse
Aikido Security's Blog
Employees aren't using unapproved AI tools to cause problems. They're scared of falling behind. Here's why banning shadow AI increases your security risk, and what to do instead.Category: News
2ヶ月前

Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack
Aikido Security's Blog
Mini Shai-Hulud is back, compromising 169 npm packages across TanStack, UiPath, Squawk, and more to steal developer and CI/CD secrets, then spread through trusted publishing workflows.Category: Vulnerabilities & Threats
2ヶ月前

The complete GitHub Actions security checklist
Aikido Security's Blog
GitHub Actions misconfigurations have been behind some of the biggest supply chain attacks of 2025 and 2026. Here's what went wrong and how to prevent them from happening to your org.Category: Guides & Best Practices
2ヶ月前

Top OWASP scanners in 2026 for web application security
Aikido Security's Blog
Most scanners don't cover the full OWASP Top 10. We break down the top OWASP scanners in 2026 so you can choose one that actually keeps you covered.Category: DevSec Tools & Comparisons
2ヶ月前

Rolling out developer security in a 5,000+ engineer organization
Aikido Security's Blog
Most developer security rollouts fail because they're designed like software deployments, not cultural changes. A practitioner's guide for enterprise CISOs.Category: Guides & Best Practices
2ヶ月前

Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks
Aikido Security's Blog
AppSec has flatlined under modern complexity. Project Glasswing and the Mythos era demand a security discipline that operates at the velocity of the threats it faces.Category: Guides & Best Practices
2ヶ月前

Why browser extensions are a major security risk and what you can do about it
Aikido Security's Blog
Browser extensions have lots of security risks, more than we care to admit. We discuss the full extent of the threat and what both individuals and organizations can do about it.Category: Guides & Best Practices
2ヶ月前

Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud
Aikido Security's Blog
Malware found in popular PyTorch Lightning version 2.6.2 and 2.6.3, stealing credentials, crypto wallets, and VPN configs as part of the Mini Shai-Hulud campaign.Category: Vulnerabilities & Threats
2ヶ月前

Aikido integrates with AWS Kiro: Catching in review doesn't scale anymore
Aikido Security's Blog
AI agents writing your code. Aikido integrates directly into AWS Kiro's agentic workflow to keep security in the loop, automatically, from the first line. Aikido is AWS's first global security partner for Kiro.Category: Product & Company Updates
2ヶ月前

Top CVE scanners in 2026 to identify known vulnerabilities
Aikido Security's Blog
We evaluated the top CVE scanners in 2026 on coverage breadth, intelligence sources, signal-to-noise ratio, and auto-fix capability. Here's how they compare and which is right for your stack.Category: DevSec Tools & Comparisons
2ヶ月前

A practical CTO security checklist to be Mythos-ready
Aikido Security's Blog
A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.Category: Guides & Best Practices
2ヶ月前

Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer
Aikido Security's Blog
Compromised SAP npm packages use a Bun-based preinstall payload to steal GitHub, npm, cloud, and CI secrets, then spread via GitHub using OhNoWhatsGoingOnWithGitHub.Category: Vulnerabilities & Threats
2ヶ月前

Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files
Aikido Security's Blog
A fake "tanstack" npm package published four malicious versions in 27 minutes today, exfiltrating .env files via a postinstall hook. Here's what happened, who was affected, and how to rotate your credentials.Category: Vulnerabilities & Threats
2ヶ月前

It's time to treat browser extensions like supply chain attack vectors
Aikido Security's Blog
The Vercel breach followed a pattern the security industry knows well, where third-party code is implicitly trusted, then compromised upstream. We have a framework for that. We just haven't applied it to browser extensions yet. (Spoiler: We do this for software dependencies)Category: Vulnerabilities & Threats
3ヶ月前

Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm
Aikido Security's Blog
Malware found in @bitwarden/cli v2026.4.0 steals SSH keys, cloud secrets, and AI coding tool credentials, then spreads through victims' own npm packages. Inside: a worm calling itself "Shai-Hulud: The Third Coming."Category: Vulnerabilities & Threats
3ヶ月前

Top Black Hat USA 2026 Parties, Side-Events & Security Meetups
Aikido Security's Blog
A curated guide to Black Hat USA 2026 parties, happy hours, CISO dinners and security meetups in Las Vegas, including Aikido’s Omega Mart After Hours with AWS and Tailscale.Category: News
3ヶ月前

GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays
Aikido Security's Blog
A newly discovered npm and PyPI malware campaign installs hidden LLM proxies on compromised servers, turning them into relay nodes for LLM traffic.Category: Vulnerabilities & Threats
3ヶ月前

Introducing Device Protection: Security for Developer Devices
Aikido Security's Blog
Supply chain attacks target developer devices. Aikido Device Protection monitors every install across npm, PyPI, VS Code extensions, browser extensions, and AI tools.Category: Product & Company Updates
3ヶ月前

Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow
Aikido Security's Blog
Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.Category: Vulnerabilities & Threats
3ヶ月前

Reliable CVE sources in the age of NIST NVD cutbacks
Aikido Security's Blog
NIST will no longer enrich most CVEs. Here's what changes, what breaks, and what comes next.Category: News
3ヶ月前

Axios CVE-2026-40175: a critical bug that’s… not exploitable
Aikido Security's Blog
Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.Category: Vulnerabilities & Threats
3ヶ月前

Bug bounty isn’t dead, but the old model is breaking
Aikido Security's Blog
Bug bounty is hitting a breaking point as AI overwhelms programs, pushing a shift toward more sustainable, quality-focused security models.Category: Technical
3ヶ月前

GlassWorm goes native: New Zig dropper infects every IDE on your machine
Aikido Security's Blog
GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.Category: Vulnerabilities & Threats
3ヶ月前

Aikido Attack finds multiple 0-days in Hoppscotch
Aikido Security's Blog
Aikido’s AI pentesting agents discovered multiple high-severity vulnerabilities in Hoppscotch, including account takeover, stored XSS, and access control flaws. All issues are now patched.Category: Vulnerabilities & Threats
3ヶ月前

The cybersecurity doomerism around Mythos doesn't match what we see on the ground
Aikido Security's Blog
Anthropic's leaked Mythos model has triggered panic about AI-powered cyberattacks. We ran 1,000 AI penetration tests. The results suggest the threat is more nuanced than the headlines claim.Category: News
3ヶ月前

axios compromised on npm: maintainer account hijacked, RAT deployed
Aikido Security's Blog
Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.Category: Vulnerabilities & Threats
3ヶ月前

Popular telnyx package compromised on PyPI by TeamPCP
Aikido Security's Blog
The popular telnyx packageon PyPI, used by big AI companies, has been compromised by TeamPCPCategory: Vulnerabilities & Threats
4ヶ月前

Aikido × Lovable: Vibe, Fix, Ship
Aikido Security's Blog
Lovable and Aikido bring pentesting into the platform, allowing builders to simulate real-world attacks and fix issues before shipping.Category: Product & Company Updates
4ヶ月前

CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
Aikido Security's Blog
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets IranCategory: Vulnerabilities & Threats
4ヶ月前
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
Aikido Security's Blog
TeamPCP deploys CanisterWorm on NPM following Trivy compromiseCategory: Vulnerabilities & Threats
4ヶ月前

Security testing is validating software that no longer exists
Aikido Security's Blog
Modern teams ship faster than pentesting can keep up. Explore the growing speed gap in security testing—and why traditional approaches are falling behind.Category: Guides & Best Practices
4ヶ月前

Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM
Aikido Security's Blog
Frost & Sullivan recognized Aikido with the 2026 Customer Value Leadership Award in ASPM. We break down what the recognition criteria reveal about how the AppSec market is maturingCategory: News
4ヶ月前

GlassWorm Hides a RAT Inside a Malicious Chrome Extension
Aikido Security's Blog
GlassWorm deploys a multi-stage RAT that force-installs a malicious Chrome extension to log keystrokes, steal cookies, and exfiltrate data via Solana-based C2.Category: Vulnerabilities & Threats
4ヶ月前

fast-draft Open VSX Extension Compromised by BlokTrooper
Aikido Security's Blog
The fast-draft Open VSX extension was compromised to deploy a BlokTrooper RAT and infostealer via GitHub-hosted payloads. Multiple malicious versions identified.Category: Vulnerabilities & Threats
4ヶ月前

Glassworm Strikes Popular React Native Phone Number Packages
Aikido Security's Blog
Aikido Security researchers recovered and decrypted the full payload chain from two malicious React Native packages. Here's what the malware does and what to look for.Category: Vulnerabilities & Threats
4ヶ月前

Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
Aikido Security's Blog
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.Category: Vulnerabilities & Threats
4ヶ月前

How Security Teams Fight Back Against AI-Powered Hackers
Aikido Security's Blog
AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.Category: Vulnerabilities & Threats
4ヶ月前

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks
Aikido Security's Blog
Betterleaks is a new open source secrets scanner from the creator of Gitleaks. A drop-in replacement with faster scans, token efficiency detection, configurable validation, and more.Category: Product & Company Updates
4ヶ月前

Trump’s 2026 cybersecurity strategy: From compliance to consequence
Aikido Security's Blog
The Trump administration’s 2026 cybersecurity strategy shifts the focus from compliance checklists to real consequences for cybercriminals. Here’s what CISOs need to know.Category: News
4ヶ月前

How does AI pentesting work with compliance?
Aikido Security's Blog
AI pentesting is being accepted for SOC 2, ISO 27001, and HIPAA (with more likely to come). Here's what auditors actually look for, and where the real limitations are.Category: Compliance
4ヶ月前

What continuous pentesting actually requires
Aikido Security's Blog
Continuous pentesting promises real-time security validation, but most implementations fall short. Here’s what continuous pentesting actually requires—from change-aware testing to exploit validation and remediation loops.Category: Guides & Best Practices
4ヶ月前

Rare Not Random: Using Token Efficiency for Secrets Scanning
Aikido Security's Blog
Entropy often struggles with generic secrets and short strings. We look at how token efficiency can better identify strings that don’t look like normal text.Category: Guides & Best Practices
4ヶ月前

Persistent XSS/RCE using WebSockets in Storybook’s dev server
Aikido Security's Blog
CVE-2026-27148 exposes a WebSocket hijacking flaw in Storybook that can escalate into supply chain compromise. Learn the attack path, impact, and how to remediate.Category: Vulnerabilities & Threats
4ヶ月前

Why Determinism Is Still a Necessity in Security
Aikido Security's Blog
AI scanning finds what rules miss. Deterministic scanning finds it every time. Here's why the best security pipelines don't choose between them.Category: Engineering
4ヶ月前

WAF vs. RASP vs. ADR
Aikido Security's Blog
WAF, RASP, and ADR protect your app in completely different ways. Here's what each layer actually does, where it falls short, and which ones you need.Category: Guides
4ヶ月前

Introducing Aikido Infinite: A new model of self-securing software
Aikido Security's Blog
Aikido Infinite runs AI penetration testing on every code change, validates exploitability, generates patches, and retests fixes before code hits production, making self-securing software a reality.Category: Product & Company Updates
5ヶ月前

How Aikido secures AI pentesting agents by design
Aikido Security's Blog
Learn how Aikido secures AI pentesting agents with architectural isolation, runtime scope enforcement, and network-level controls to prevent production drift and data leakage.Category: Product & Company Updates
5ヶ月前

Astro Full-Read SSRF via Host Header Injection
Aikido Security's Blog
Aikido Security's AI pentesting agent discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. Learn how Host header injection in prerendered error pages allowed full internal network access.Category: Vulnerabilities & Threats
5ヶ月前

How to Get Your Board to Care About Security (Before a Breach Forces the Issue)
Aikido Security's Blog
Boards don’t fund security because it’s important. They fund defensible decisions. Here’s how to frame risk, reduce ambiguity, and win real support before a breach forces the issue.Category: Guides
5ヶ月前

What is Slopsquatting? The AI Package Hallucination Attack Already Happening
Aikido Security's Blog
AI models hallucinate npm package names. Attackers register them first. Here's what slopsquatting is, how it's spreading through agent skills, and how to protect yourself.Category: Guides & Best Practices
5ヶ月前

SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel
Aikido Security's Blog
SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if you’re vulnerable and how to mitigate risk.Category: Vulnerabilities & Threats
5ヶ月前

Top 6 Wiz Code Alternatives
Aikido Security's Blog
Looking for Wiz Code alternatives? Compare 6 tools across SAST, DAST, SCA, pricing, and developer experience to find the best AppSec platform for 2026.Category: Guides & Best Practices
5ヶ月前

Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report
Aikido Security's Blog
Aikido Security recognized as Platform Leader, AI Pentesting Innovator, and Supply Chain Innovator in Latio Tech’s 2026 AppSec Report.Category: News
5ヶ月前

From detection to prevention: How Zen stops IDOR vulnerabilities at runtime
Aikido Security's Blog
IDOR vulnerabilities are one of the most common causes of cross-tenant data leaks in multi-tenant SaaS. Learn how Zen enforces tenant isolation at runtime by analyzing SQL queries and preventing unsafe access before it ships.Category: Product & Company Updates
5ヶ月前