TL;DR: Aikido Intel is a real-time supply chain intelligence feed. It detects both malware and vulnerabilities in open-source ecosystems. Aikido's world-class researchers maintain our LLM-powered pipeline to find malware and validate the most malicious cases by hand. The vulnerability detection system monitors package changes across ecosystems to catch and document vulnerabilities that don’t have CVEs assigned. Most other companies that work in this space may document vulnerabilities or malware, but not both. Aikido covers both so that Intel users can get the full picture when it comes to securing their infrastructure.
Software engineering today runs on inherited trust that attackers exploit. While malware is as old as software itself, today it can be distributed through open-source dependencies. Currently, registry maintainers find malware when they can, but many are run by small teams, and often have to wait for reports from users to come in. The CVE databases like the NVD and the scanners built on top of them were not made for malware, just vulnerabilities. For teams using OSS, which is most people writing software today, there wasn’t an up-to-date malware database.
Aikido Intel is the answer to the problem. It's a real-time, open feed that tracks both malware and undisclosed vulnerabilities across open-source ecosystems. It monitors more than four million packages and reads new releases as they go live, which is how we end up first to a large share of the supply chain attacks that later get substantial news coverage.
We're frequently among the first to catch an attack, generally within only a few minutes of a malicious version going live. Other feeds get there too, and there are finds we catch that they miss.
Intel runs two tracks. The malware track examines the packages themselves. When a new version hits a registry, Intel pulls it apart and works out whether it is actively trying to hurt you. The vulnerability track reads how open-source projects change over time, looking at the security fixes maintainers ship whether or not they announced them, by reading the code change itself instead of waiting for a disclosure.
In this post, we’ll look specifically at the malware side of Intel, and how Intel catches malware quickly and accurately to provide an accurate feed for our customers and the larger security community.
We watch everything in real-time (and it’s a lot of stuff)
Intel watches package registries continuously. Every time a new version is published, it gets pulled in and analyzed within minutes. It happens as packages go live, not on a daily scan and when someone files a report.
In the second quarter of 2026, Aikido Intel analyzed around 7.5 million package versions. Between our automated systems and human researchers, we confirmed 19,500 malicious packages. We identify the majority of malicious packages in under 8 minutes from release to analysis, but even faster in many cases.
We combine the benefits of traditional static malware analysis methods with AI analysis, which allows us to process hundreds of thousands of packages every day. We also have world-class security researchers across the globe who manage the system and inspect packages to confirm the most complex and dangerous cases by hand. We care about accuracy, so we have designed our system to catch the sneakiest packages while reducing false positives, so we don’t sound the alarm unnecessarily. We’ll cover more about how the system works in detail shortly.
Leading malware research
Few security teams have the kind of proximity to live attacks that Aikido’s research team has. Over the past year, Intel and our research team were among the first to surface several of the largest supply chain campaigns to hit npm.
When the s1ngularity attack hijacked the Nx toolchain in August 2025 to steal credentials through a poisoned GitHub Action, we caught it early. We were among the first to report the Shai-Hulud worm that followed. When its more dangerous second wave hit high-profile packages from Zapier, PostHog, and ENS Domains that November, we led the research again. Charlie Eriksen, Aikido’s lead security researcher, validated and published the list of 400+ infected npm packages during the second wave of the Shai-Hulud campaign, including packages with over 1.5m weekly downloads. His analysis was detailed enough that other research teams used it to corroborate their own.
The team’s work is regularly cited by KrebsOnSecurity and other top security outlets. And so intertwined are Aikido and malware research that one threat actor that Eriksen had been tracking even left notes in the malware source code for him to find.
Aikido Intel has even caught signs of an attack before the attack launched. In late December, Intel and our researchers caught a new Shai-Hulud strain while the attacker was still testing it, ahead of any real spread. We flagged it, the security press ran the story crediting our team, and the testing payload went nowhere. That is what an early warning is supposed to look like. However, you won’t see us posting or announcing every find on Twitter, because many finds are obvious spam, typosquatting, or obscure packages. We want to respect your time and attention by only posting attacks that require action on your part to keep you safe. If you have Aikido set up on your infrastructure, all of these will surface in your dashboard, including any that you already have them installed.
As a result of our research and speed, Intel is recognized by the industry. In its 2026 AppSec report, the independent analyst Latio named Aikido a platform leader and singled out Intel's work surfacing open-source vulnerabilities before they reach any public database, including ones that never get a CVE. Anyone can check our work if they create a free account with us.
Aikido Intel is also trusted by the open-source community to help keep users safe. Intel protects Packagist, the PHP registry. All downloads from Packagist through Composer are checked against the Intel database. If Intel has flagged the package as malicious, Composer will stop the download.
How Aikido Intel catches malware
We’ll look in closer detail into how our system works. It can seem a little complicated, but the short version is that Intel monitors ecosystems for new package versions. Those packages enter the malware pipeline, where first the package is extracted and deobfuscated. The output is run against static rules developed by our security researchers, and these rules, as well as some dynamic AI-based analysis for npm specifically, categorize the majority of packages as malware or safe. For trickier cases, an AI runs additional analyses, and if that AI can’t confirm a package is safe, our security researchers review the package by hand to make the final verdict.

Intel starts reviewing the moment a package is published
Intel watches registries continuously, so the moment a new package or version goes up, it gets pulled in for analysis. This is the real-time part, and it's where the speed comes from. We look at many ecosystems, which currently include npm, PyPI, GitHub Actions, Packagist, Ruby, VS Code, Open VSX, JetBrains, Visual Studio, NuGet, Maven, CPAN, Chrome, Firefox, Edge, Rust, Go, WordPress, Skills, and Drupal.
Extraction and deobfuscation
At this point, Intel unpacks the package, reads its metadata, and pulls the curtain away to expose any nonsense encoding and obfuscation. Attackers lean on base64, minification, and layered encoding to keep their payload from being read, so this step peels all of that back until the real code is visible. Nothing here decides whether the package is malicious yet; it just makes sure that when the analysis runs, it's looking at what the code actually does rather than what it looks like at surface level. This step feeds everything downstream.
Static rules and dynamic analysis explore what's in the package
The first layer is fast pattern matching over the package contents. The engine leverages different malware recognition systems, including Opengrep (of which we are lead maintainers) and YARA-X from Google, which is commonly used in classic antivirus engines. Our security team writes and maintains a large set of rules in-house that look for the building blocks of malicious behavior. These include old attack patterns as well as new ones that attackers keep innovating on. This includes things like credential theft, exfiltration, loaders, and crypto-miners for malware. Potentially sketchy behavior could include:
- An install script that fetches code from a remote URL and runs it
- Code that reaches into browser profile directories where saved passwords live
- Code that reads SSH keys or cloud credentials
- An executable hidden inside what's supposed to be a JavaScript bundle
Each rule that fires is a signal. On its own, one signal rarely means much, since plenty of normal packages open network connections or read files, so Intel has to look at them together.
Static rules tell you what code is present, but not everything that it does when it runs, and attackers put effort into hiding until a package runs. For npm packages in particular, Intel detonates packages in a sandbox and records how they behave, including the connections they run and the files they open. A package can scramble its payload however it likes, but if it runs curl against an unknown host on install or pokes around for a file under ~/.aws/, we’re going to catch it red-handed.
Based on the static rules and dynamic analysis, Intel categorizes the packages as safe, definitely malware, or potential malware. Some packages are very clearly problematic, based on patterns we may have seen before or the types of behaviors they exhibit, while others are clearly innocuous. These packages that have really clear-cut detections resolve automatically and reach the feed extremely fast, sometimes within a minute or two of a package going up. Those that are identified as “potential malware” but not confirmed need more investigation.
AI investigates the harder cases
By now Intel has a stack of signals, some from the code, some from behavior. In this step, an muAI layer reads all of it together by following the code across files to remove any false positives. A real attack usually spreads across files, and you can only tell that it’s dangerous when you look at the whole picture. A common credential stealer could include a script with a preinstall hook, separate modules sending data externally, or the setup script reading something sensitive like an SSH private key. Any one of those files alone is unremarkable. But if we follow the path from the install hook to the credential read to the network call, it could be a complete attack chain.
The AI builds that path and reasons about the behavior it describes to reach a verdict. When a package looks hostile, the AI agent keeps pulling threads to see if hostile behavior indeed shows up. If the package is totally safe, it marks it as such and removes it from the queue. The cases that the AI can't cleanly rule out as safe go to our research team.
A human reviews the hardest cases
The hardest cases are handed to our security researchers, who confirm the verdict before it's published. Reserving human review for the cases that actually need judgment is what lets Intel be fast and accurate at the same time. Researchers combine multiple signals, running their own AI tooling built for malware analysis and going through the code by hand. Their manual pass checks what the AI produced so nothing half-baked reaches the feed, and it catches anything automation may miss.
Researchers also constantly monitor the system and review the AI’s output. They use this to create new static rules, tuning the system to obtain better signals and higher confidence verdicts. This continuously improves the system and reduces the time from first look to confirmed results.
We have researchers in Europe, North America, and Australia who keep a round-the-clock eye on the pipeline and the packages that need special attention. Almost all malicious packages are caught in minutes, with the median package caught in under 6 minutes and often much faster. Once confirmed, findings immediately end up on our feed.
What about vulnerabilities?
With NIST no longer pretending to keep up with the volume of CVE submissions, the industry can’t rely on government-run vulnerability databases. Aikido Intel finds and documents new undisclosed vulnerabilities to pick up the mantle and provide the community somewhere to turn to. Aikido Intel monitors open-source projects’ records to look for updates that may indicate security changes, and AI agents investigate potential security patches in newer versions. If the issue isn't documented anywhere, one of our security engineers reviews it, validates it, and we publish an advisory with an Aikido Vulnerability ID and a severity score, so you know whether you're affected. We’ll save the full explanation for how our vulnerability detection works for another article.
Building resilient security
Most malicious packages do most of their damage during installation. The window between a version going up and Intel catching it is the window you're exposed in, and we keep it short. However, we believe that while catching malware quickly is important, we also strongly believe in building software pipelines that aren’t susceptible to downloading new malware. Because of how fast detection is, most malicious packages are pulled from registries within a few hours of going up. We highly recommend holding off a day or two before you adopt a brand-new release to give the security community time to fully review a package as well as for any other serious bugs to come up, instead of auto-updating. This will protect you more than trying to optimize your response time to the constant bombardment of malware and low-quality packages.
To harness the full power of Aikido Intel, consider using Aikido Safe Chain— a free, open source tool you can install to keep you safe from malware downloads. Powered by Aikido Intel, it sits on your computer, beside your package manager. When you try to install a package from npm that is either confirmed malware or less than 24 hours old, Safe Chain blocks it, so you don’t have to worry about accidentally getting pwned by installing the wrong package at the wrong time. Aikido’s Device Protection is the enterprise version that protects all developer endpoints across your organization.
Aikido Intel is built for the security world today. It detects malware based on what packages do, not just signatures of things already known to be bad, which means novel attacks get caught. With a combination of static rules, AI, and top-notch security researchers, we catch almost all malicious packages in minutes.
The feed is available to view for free for Aikido users. You can browse it and search for any package. Have a look at intel.aikido.dev.
{cta}

