Welcome to our blog.

GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays

A newly discovered npm and PyPI malware campaign installs hidden LLM proxies on compromised servers, turning them into relay nodes for LLM traffic.

Roundcube XSS chained with cookie tossing for full inbox access

We found a stored XSS in Roundcube's draft attachment endpoint that, chained with a cookie tossing technique, gives an attacker full access to a victim's inbox. Here's how the exploit chain works and how it was patched

Introducing Endpoint Protection: Security for Developer Devices

Aikido Endpoint: Security for Developer Devices | Aikido

Supply chain attacks target developer devices. Aikido Endpoint monitors every install across npm, PyPI, VS Code extensions, browser extensions, and AI tools.

Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow

Multiple XSS Vulnerabilities Found in Mailcow, Including Unauthenticated Account Takeover

Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.

Aikido's AI pentesting agents found three XSS vulnerabilities in Mailcow, a widely used self-hosted email server. The most severe allowed unauthenticated attackers to inject a payload into Autodiscover logs that would execute when an admin viewed them, enabling full account takeover. All three have been fixed since version 2026-03b.

Reliable CVE sources in the age of NIST NVD cutbacks

NIST NVD changes 2026: what security teams need to know

NIST will no longer enrich most CVEs. Here's what changes, what breaks, and what comes next.

Axios CVE-2026-40175: a critical bug that’s… not exploitable

Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.

Bug bounty isn’t dead, but the old model is breaking

Bug bounty is hitting a breaking point as AI overwhelms programs, pushing a shift toward more sustainable, quality-focused security models.

Technical

GlassWorm goes native: New Zig dropper infects every IDE on your machine

GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.

Aikido Attack finds multiple 0-days in Hoppscotch

Aikido Attack Finds 0-Days in Hoppscotch

Aikido’s AI pentesting agents discovered multiple high-severity vulnerabilities in Hoppscotch, including account takeover, stored XSS, and access control flaws. All issues are now patched.

Aikido Attack identified three high-severity vulnerabilities in Hoppscotch: an open redirect leading to account takeover, stored XSS, and a broken access control issue allowing cross-team request injection.

The cybersecurity doomerism around Mythos doesn't match what we see on the ground

Anthropic Mythos Cybersecurity Risks: What 1,000 AI Pentests Actually Show

Anthropic's leaked Mythos model has triggered panic about AI-powered cyberattacks. We ran 1,000 AI penetration tests. The results suggest the threat is more nuanced than the headlines claim.

axios compromised on npm: maintainer account hijacked, RAT deployed

Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.

Axios was compromised. Malicious axios versions 1.14.1 and 0.30.4 were published to npm after the lead maintainer's account was hijacked. The injected dependency deploys a cross-platform RAT that self-destructs after execution.

Aikido × Lovable: Vibe, Fix, Ship

Lovable Partners with Aikido to Bring Pentesting to Vibe-Coded Apps

Lovable and Aikido bring pentesting into the platform, allowing builders to simulate real-world attacks and fix issues before shipping.

Aikido brings pentesting directly into Lovable. Test your app by simulating real attacks and fix issues before you ship.

CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran

TeamPCP deploys CanisterWorm on NPM following Trivy compromise

Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM

Frost & Sullivan recognized Aikido with the 2026 Customer Value Leadership Award in ASPM. We break down what the recognition criteria reveal about how the AppSec market is maturing

GlassWorm Hides a RAT Inside a Malicious Chrome Extension

GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)

GlassWorm deploys a multi-stage RAT that force-installs a malicious Chrome extension to log keystrokes, steal cookies, and exfiltrate data via Solana-based C2.

Security testing is validating software that no longer exists

Why Pentesting Can’t Keep Up: The Speed Problem in Security Testing

Modern teams ship faster than pentesting can keep up. Explore the growing speed gap in security testing—and why traditional approaches are falling behind.

A CISO at a large enterprise told us the most important security capability today is speed. But what happens when testing can’t keep up with how fast systems change?

fast-draft Open VSX Extension Compromised by BlokTrooper

fast-draft Open VSX Extension Compromised by BlokTrooper (RAT & Infostealer)

The fast-draft Open VSX extension was compromised to deploy a BlokTrooper RAT and infostealer via GitHub-hosted payloads. Multiple malicious versions identified.

Glassworm Strikes Popular React Native Phone Number Packages

Glassworm Strikes Popular React Native Phone Number Packages in a New Supply Chain Attack

Aikido Security researchers recovered and decrypted the full payload chain from two malicious React Native packages. Here's what the malware does and what to look for.

Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories

Glassworm Returns: Invisible Unicode Malware Found in 150+ GitHub Repositories

The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.

Glassworm is back with a new wave of invisible Unicode attacks. We’re tracking a fresh campaign quietly compromising repositories across GitHub, npm, and VS Code.

Top RSAC 2026 Parties, Side-Events & Security Meetups

RSAC 2026 Parties & Security Events Guide | Aikido

How Security Teams Fight Back Against AI-Powered Hackers

AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.

A single hacker and a Claude subscription just took down nine Mexican government agencies. AI has handed attackers a serious power upgrade. Security teams need a new playbook.

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks

Betterleaks: The Gitleaks Successor Built for Faster Secrets Scanning

Betterleaks is a new open source secrets scanner from the creator of Gitleaks. A drop-in replacement with faster scans, token efficiency detection, configurable validation, and more.

The creator of Gitleaks is launching its successor. Betterleaks is a faster open source secrets scanner built to catch more leaks and fit modern developer workflows.

How does AI pentesting work with compliance?

AI pentesting is being accepted for SOC 2, ISO 27001, and HIPAA (with more likely to come). Here's what auditors actually look for, and where the real limitations are.

AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.

Compliance

Trump’s 2026 cybersecurity strategy: From compliance to consequence

Trump’s 2026 Cybersecurity Strategy: From Compliance to Consequence

The Trump administration’s 2026 cybersecurity strategy shifts the focus from compliance checklists to real consequences for cybercriminals. Here’s what CISOs need to know.

What continuous pentesting actually requires

Continuous pentesting: how it works and what it requires

Continuous pentesting promises real-time security validation, but most implementations fall short. Here’s what continuous pentesting actually requires—from change-aware testing to exploit validation and remediation loops.

Continuous pentesting is widely discussed, but rarely defined clearly. This piece breaks down what it is, what it isn’t, and what it actually requires.

Rare Not Random: Using Token Efficiency for Secrets Scanning

Entropy often struggles with generic secrets and short strings. We look at how token efficiency can better identify strings that don’t look like normal text.

Entropy is great at spotting randomness. But secrets aren’t always random. They’re just strings that don’t show up in normal code or text. We explore using BPE tokenization to measure that difference.

Why Determinism Is Still a Necessity in Security

AI scanning finds what rules miss. Deterministic scanning finds it every time. Here's why the best security pipelines don't choose between them.

AI-powered security tools are getting better at finding vulnerabilities. But deterministic tools give you the consistency that pipelines, compliance, and audit trails depend on. We look at what deterministic scanning does well, where AI takes over, and how the two work together for effective security.

Engineering

WAF vs. RASP vs. ADR

WAF vs. RASP vs. ADR: How Runtime Application Security Works

WAF, RASP, and ADR protect your app in completely different ways. Here's what each layer actually does, where it falls short, and which ones you need.

WAF, RASP, ADR, eBPF — We're clearing up the terminology around runtime application security. Here's what each layer actually does, how they overlap, and how they fit together

Guides

Introducing Aikido Infinite: A new model of self-securing software

Aikido Infinite: Continuous AI Pentesting for Every Release

Aikido Infinite runs AI penetration testing on every code change, validates exploitability, generates patches, and retests fixes before code hits production, making self-securing software a reality.

Persistent XSS/RCE using WebSockets in Storybook’s dev server

Persistent XSS/RCE using WebSockets in Storybook (CVE-2026-27148)

CVE-2026-27148 exposes a WebSocket hijacking flaw in Storybook that can escalate into supply chain compromise. Learn the attack path, impact, and how to remediate.

Aikido Attack found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. We walk through how an attacker can exploit this without any user interaction at all, and a developer just has to visit the wrong website while to run into this attack.

How Aikido secures AI pentesting agents by design

How Aikido Secures AI Pentesting Agents and Prevents Scope Drift

Learn how Aikido secures AI pentesting agents with architectural isolation, runtime scope enforcement, and network-level controls to prevent production drift and data leakage.

AI agents are built to explore. In cybersecurity, that exploration needs strict boundaries. This article explains how Aikido secures AI pentesting agents through architectural isolation, runtime scope enforcement, and layered controls that contain risk by design.

Astro Full-Read SSRF via Host Header Injection

Astro SSRF Vulnerability: Host Header Injection in SSR Error Pages (CVE-2026-25545)

Aikido Security's AI pentesting agent discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. Learn how Host header injection in prerendered error pages allowed full internal network access.

Aikido's AI pentesting agent discovered an SSRF vulnerability in Astro's Node.js adapter. We'll look at how by injecting a malicious Host: header, attackers could redirect an internal request to any URL on the local network.

How to Get Your Board to Care About Security (Before a Breach Forces the Issue)

How to Get Your Board to Care About Security Before a Breach

Boards don’t fund security because it’s important. They fund defensible decisions. Here’s how to frame risk, reduce ambiguity, and win real support before a breach forces the issue.

Guides

What is Slopsquatting? The AI Package Hallucination Attack Already Happening

Slopsquatting: The AI Package Hallucination Attack Already Happening

AI models hallucinate npm package names. Attackers register them first. Here's what slopsquatting is, how it's spreading through agent skills, and how to protect yourself.

AI models hallucinate package names — and attackers are registering them before anyone notices. Slopsquatting is the AI-era evolution of typosquatting, and unlike its predecessor, npm's existing protections don't work. We look at the real-world research showing it's already happening, from confirmed malicious packages still pulling hundreds of weekly downloads to a hallucinated package name that spread to 237 repositories through AI agent skill files.

Top 6 Wiz Code Alternatives

Wiz Code Alternatives (2026): 6 Tools Compared and Best Developer-First Option

Looking for Wiz Code alternatives? Compare 6 tools across SAST, DAST, SCA, pricing, and developer experience to find the best AppSec platform for 2026.

This guide compares Wiz Code against six alternatives: Aikido Security, Snyk, Checkmarx, GitHub Advanced Security, Mend, and Veracode, evaluated on coverage, developer experience, AI-powered triage, pricing transparency, and deployment speed. Aikido Security comes out on top for teams wanting a developer-first platform with broad coverage, 85% false positive reduction, AI AutoFix across SAST, IaC and containers, native DAST, and transparent pricing at roughly one-tenth the cost of Wiz.

Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report

Aikido Named AppSec Platform Leader in Latio 2026 Report

Aikido Security recognized as Platform Leader, AI Pentesting Innovator, and Supply Chain Innovator in Latio Tech’s 2026 AppSec Report.

Latio Tech’s 2026 AppSec Report names Aikido a Platform Leader and AI Innovator. Here’s what the report reveals about the future of application security.

From detection to prevention: How Zen stops IDOR vulnerabilities at runtime

From Detection to Prevention: Zen Stops IDOR at Runtime | Aikido

IDOR vulnerabilities are one of the most common causes of cross-tenant data leaks in multi-tenant SaaS. Learn how Zen enforces tenant isolation at runtime by analyzing SQL queries and preventing unsafe access before it ships.

IDOR vulnerabilities are a leading cause of cross-tenant data leaks in multi-tenant applications. In this post, we explain how Zen moves beyond detection and enforces tenant isolation at runtime, making cross-tenant access impossible to ship by accident.

npm backdoor lets hackers hijack gambling outcomes

npm supply chain attack hijacks game backend to rig gambling outcomes

A targeted npm supply chain attack installs an Express backdoor, enables remote SQL/file access, and rewrites gambling balances while keeping logs consistent.

We uncovered malicious npm packages that can modify gambling transactions in production, and keep the database internally consistent afterward.

Why Trying to Secure OpenClaw is Ridiculous

OpenClaw's security issues explained: malware in ClawHub, exposed instances, and why hardening guides miss the point. Can you use the AI agent safely??

Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code

Upgrade Impact Analysis: When Breaking Changes Actually Matter | Aikido

Aikido automatically detects breaking changes in dependency upgrades and analyzes your codebase to show real impact, so teams can merge security fixes safely.

Aikido’s Upgrade Impact Analysis flags breaking changes in dependency updates and shows whether those changes actually impact your code.

Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security?

Claude Opus 4.6 Found 500 Vulnerabilities: What It Means for Software Security

Anthropic claims Claude Opus 4.6 uncovered 500+ high-severity vulnerabilities in open source. Here’s what that means for vulnerability discovery, exploitability validation, and production security workflows.

Claude Opus 4.6 reportedly found 500+ high-severity vulnerabilities in open source. This piece examines what that actually changes in production, where LLM reasoning helps, and why validation and reachability still determine real security impact.

Introducing Aikido Expansion Packs: Safer defaults inside the IDE

Aikido Expansion Packs: Safer Defaults Inside the IDE

Aikido Expansion Packs add focused security controls directly inside your IDE. Enable secrets protection, supply chain malware checks, and AI-assisted code security without changing developer workflows.

International AI Safety Report 2026: What It Means for Autonomous AI Systems

International AI Safety Report 2026: Aikido Security Analysis

Aikido Security's analysis of the International AI Safety Report 2026. We examine deployment-time controls, validation requirements, and practical safety baselines for autonomous AI systems.

Over 100 experts contributed to the International AI Safety Report 2026, documenting risks from autonomous AI systems and proposing defense-in-depth frameworks. As a team operating AI pentesting systems in production, we break down where the report gets it right and where it needs more technical specificity.

Self-Securing Software: What It Is, Why It Matters, and How It Works

What Is Self-Securing Software? A New Security Model for Modern Software

Self-securing software is a security model where systems continuously validate and remediate real risk as they change. Learn why periodic testing no longer scales.

Self-securing software treats security as a built-in system capability, not a periodic process. This article explains why modern software demands a new security model and what makes it possible today.

Secure SDLC for Engineering Teams (+ Checklist)

Secure SDLC Explained: The 5 Pillars of a Secure Software Development Lifecycle

Learn what a Secure SDLC is, why it matters, and the five pillars every team needs. Includes a practical Secure SDLC checklist for CTOs and engineering leaders.

Top 10 AI Security Tools For 2026

Top 10 AI Security Tools for 2026: Features, Pros, and Comparisons

Explore the top AI security tools for 2026. Compare platforms for AI code review, vulnerability detection, pentesting, and risk management to secure modern applications.

Top 10 Cyber Security Tools For 2026

Top 10 Cybersecurity Tools for 2026: Detection, Cloud, XDR & AppSec

A practical breakdown of the top 10 cybersecurity tools for 2026, covering endpoint, cloud, identity, vulnerability management, and XDR. Learn how to choose the right tool for your stack and risk profile.

What Is Continuous Pentesting?

What Is Continuous Pentesting? How Modern Teams Reduce Exploitable Risk

Continuous pentesting automatically tests real attack paths every time software changes, validating and fixing issues as part of the development lifecycle. Learn how it compares to AI and manual pentesting.

Continuous pentesting treats security as a living system, not a one-off test. Learn how modern teams use it to reduce exploitable risk as software changes.

npx Confusion: Packages That Forgot to Claim Their Own Name

We claimed 128 unclaimed npm package names that official docs told developers to npx. Seven months later: 121,000 downloads. All would have run arbitrary code.

Official documentation tells developers to run `npx package-name`. But what if nobody claimed that name? We registered 128 of them and watched. 121,000 downloads in seven months. The holiday dip proves they're real developers, not bots.

Introducing Aikido Package Health: a Better Way to Trust Your Dependencies

Aikido Package Health: Health Score for Open Source Packages

See how stable and well-maintained an open source package really is. Aikido Package Health helps devs choose safer dependencies with confidence.

AI Pentesting: Minimum Safety Requirements for Security Testing

When Is AI Pentesting Safe? Minimum Safety Requirements for Security Testing

AI pentesting systems act autonomously against live environments. Learn when AI pentesting is safe to use, the minimum technical safeguards required, and how to evaluate AI security testing tools responsibly.

AI pentesting is already here, but clear safety expectations are not. This article defines a minimum safety standard for AI pentesting, giving teams a concrete baseline to evaluate emerging tools.

Fake Clawdbot VS Code Extension Installs ScreenConnect RAT

A malicious VS Code extension impersonating Clawdbot is installing ScreenConnect RAT on developer machines.

The Top 7 Threat Intelligence Tools in 2026

Top 7 Threat Intelligence Tools in 2026: Cut Noise and Focus on Real Risk

A deep dive into the top threat intelligence tools of 2026, comparing how they reduce alert fatigue, add context, and help teams prioritize real-world security risks.

Top 14 VS Code Extensions for 2026

Top 14 VS Code Extensions for 2026: Productivity, Testing, Security, and Collaboration

A practical guide to the best VS Code extensions for 2026, covering productivity, testing, collaboration, and security tools that improve real-world developer workflows.

G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets

npm package ansi-universal-ui delivers GWagon infostealer targeting 100+ crypto wallets, browser credentials, and cloud keys. We analyzed all 10 versions as the attacker iterated in real-time.

Pentest GPT: How LLMs Are Reshaping Penetration Testing

Pentest GPT: How AI Is Changing Penetration Testing

Explore how Pentest GPT uses LLMs to automate attack reasoning, simulate real exploits, and scale testing. See how Aikido validates every finding.

Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages

A targeted spear-phishing campaign used npm packages and jsDelivr as free phishing infrastructure, serving custom credential harvesters per victim

Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT

Attackers published fake spellchecker packages to PyPI with malware hidden in plain sight. We break down the attack and what developers need to watch for.

SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel

SvelteSpill: Critical Cache Deception Bug in SvelteKit + Vercel

SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if you’re vulnerable and how to mitigate risk.

Our AI pentesting system discovered and reproduced a high-severity vulnerability in default SvelteKit deployments on Vercel. Here’s how it traced a cross-layer flaw across 150,000 lines of code.

Agent Skills Are Spreading Hallucinated npx Commands

AI agent skills are propagating hallucinated npx commands, creating real security and reliability risks for developers and supply chains.

Understanding Open-Source License Risk in Modern Software

Open-source license risk hides in dependencies and container images. Learn what it is, why it matters, and how to catch issues early.

Open source moves fast, but its licenses still have rules. This piece breaks down what open-source license risk is, why teams keep missing it in modern dependency trees, and how to stay compliant without turning it into a legal fire drill.

The CISO Vibe Coding Checklist for Security

CISO Vibe Coding Checklist: Securing AI-Built Apps

A practical security checklist for CISOs managing AI and vibe-coded applications. Covers technical guardrails, AI controls, and organizational policies.

AI-powered vibe coding lets anyone ship software. This post outlines the security risks CISOs are facing and introduces a practical checklist, informed by CISOs at Lovable and Supabase.

From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B

Aikido Security Raises $60M at a $1B valuation

Aikido announces $60M Series B funding at a $1B valuation, accelerating its vision for self-securing software and continuous penetration testing.

Aikido becomes one of the fastest cybersecurity companies to reach unicorn status globally, and the fastest ever in Europe.

Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858)

n8n Critical Vulnerability (CVE-2026-21858) | Unauthenticated RCE Explained

A critical vulnerability in n8n (CVE-2026-21858) allows unauthenticated remote code execution on self-hosted instances. Learn who is affected and how to remediate.

AI-Driven Pentesting of Coolify: Seven CVEs Identified

Seven CVEs in Coolify Identified Through AI Pentesting | Aikido

AI-driven pentesting of Coolify identified seven CVEs, including privilege escalation and remote code execution vulnerabilities. Findings were responsibly disclosed and fixed.

Aikido

JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack

NeoShadow npm Supply-Chain Attack: JavaScript, MSBuild & Blockchain

A deep technical analysis of the NeoShadow npm supply-chain attack, detailing how JavaScript, MSBuild, and blockchain techniques were combined to compromise developers.

SAST vs SCA: Securing the Code You Write and the Code You Depend On

SAST vs SCA Explained: Securing Your Code and Dependencies

earn how SAST and SCA differ, what risks each addresses, and why modern AppSec teams need both to secure code and dependencies.

Technical

Top 6 Continuous Pentesting Tools in 2026

Discover the leading continuous pentesting tools that provide real-time, AI-powered security testing for modern applications.

How Engineering and Security Teams Can Meet DORA’s Technical Requirements

DORA Technical Requirements for Engineering & Security Teams

Understand DORA’s technical requirements for engineering and security teams, including resilience testing, risk management, and audit-ready evidence.

Compliance

IDOR Vulnerabilities Explained: Why They Persist in Modern Applications

IDOR Vulnerability Explained: Why Insecure Direct Object References Persist

Learn what an IDOR vulnerability is, why insecure direct object references persist in modern APIs, and why traditional testing tools struggle to detect real authorization failures.

Shai Hulud strikes again - The golden path

A new strain of Shai Hulud has been observed in the wild.

MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It

MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847)

MongoBleed, tracked as CVE-2025-14847, allows unauthenticated memory disclosure in MongoDB via zlib compression. See impact and remediation.

First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson

Maven Central Malware: Jackson Typosquatting Delivers Cobalt Strike Payload

We uncovered the first sophisticated malware campaign on Maven Central: a typosquatted Jackson package delivering multi-stage payloads and Cobalt Strike beacons via Spring Boot auto-execution.

The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security

A deep dive into a GitHub security flaw where forked commits let attackers spoof dependencies. Understand the commit SHA issue and why package managers need API-level protection.

SAST in the IDE is now free: Moving SAST to where development actually happens

Free SAST Scanning in Your IDE

Run free SAST scans directly in your IDE with real-time feedback and project-wide visibility. Use the same SAST rules and engine as Aikido, with optional AutoFix for supported findings.

AI Pentesting in Action: A TL;DV Recap of Our Live Demo

Aikido AI Pentesting: Live Demo Recap & FAQ

A recap of Aikido’s AI pentesting live demo. See how autonomous agents test real apps, validate findings, generate reports, and enable retesting.

Guides

Top 7 Cloud Security Vulnerabilities

Top 7 Cloud Security Vulnerabilities and How to Prevent Them

Discover the top seven cloud security vulnerabilities affecting modern environments. Learn how attackers exploit IMDS, Kubernetes, misconfigurations, and more, and explore strategies to protect your cloud infrastructure effectively.

How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams

Complying With the UK Cybersecurity & Resilience Bill | Security Guide

Learn how to meet the UK Cybersecurity & Resilience Bill requirements, from secure-by-design practices to SBOM transparency, supply chain security, and continuous compliance.

Compliance

React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell

React & Next.js DoS Vulnerability (CVE-2025-55184) Explained

CVE-2025-55184 is a React Server Components DoS flaw related to React2Shell. Learn who’s affected, how it works, and how to fully patch it.

Top Software Supply Chain Security Vulnerabilities Explained

Software Supply Chain Security Vulnerabilities

Understand the biggest software supply chain security vulnerabilities, from malicious packages to dependency confusion attacks.

Top 10 JavaScript Security Vulnerabilities in Modern Web Apps

JavaScript Security Vulnerabilities | Top Risks

Learn the most frequent JavaScript security vulnerabilities affecting frontend and backend apps, including real-world attack vectors.

Top 10 Python Security Vulnerabilities Developers Should Avoid

Python Security Vulnerabilities | Top Issues

A practical overview of the most common Python security vulnerabilities, insecure patterns, and dependency-related risks.

Top 10 Code Security Vulnerabilities Found in Modern Applications

Code Security Vulnerabilities | Common Risks

Explore the most common code security vulnerabilities developers introduce, why they happen, and how teams can catch them earlier.

Top 9 Kubernetes Security Vulnerabilities and Misconfigurations

Kubernetes Security Vulnerabilities | Top Risks

Learn the most critical Kubernetes security vulnerabilities, common misconfigurations, and why clusters are often exposed by default.

Top 10 Web Application Security Vulnerabilities Every Team Should Know

Web Application Security Vulnerabilities | Top Risks

Discover the most common web application security vulnerabilities, real-world examples, and how modern teams can reduce risk early.

OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know

OWASP Top 10 for Agentic Applications (2026): Full Guide to AI Agent Security Risks

Learn the OWASP Top 10 for Agentic Applications. Understand the top AI agent security risks, real-world examples, and how to harden your environment.

DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting

DAST vs Pentesting vs AI Pentesting: Key Differences Explained

Compare DAST, manual penetration testing, and AI pentesting. Learn where each approach works, where DAST falls short, and how AI pentesting enables deeper, continuous testing of modern applications.

Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials

Secret Detection Guide: Find & Prevent Leaks

Learn how secret detection works, what counts as a secret (API keys, tokens, creds), where teams leak them, and how to prevent exposure in git, CI, and production.

What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained

CSPM vs CNAPP: Cloud Posture Explained

A clear breakdown of CSPM and CNAPP: what they cover, how they reduce cloud risk, key features to look for, and how teams actually adopt them.

Detecting and Preventing Malware in Modern Software Supply Chains

Preventing Software Supply Chain Malware (Guide)

Explore how supply chain malware lands in modern codebases (typosquatting, dependency confusion, malicious updates) and the defenses that stop it early in CI/CD.

What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained

IaC Security Scanning for Terraform & Kubernetes

Understand IaC security scanning: how it detects cloud misconfigurations in Terraform/Kubernetes, what to prioritize, and how to prevent risky changes before deploy.

The Ultimate SAST Guide: What Is Static Application Security Testing?

Ultimate SAST Guide: Static Application Security Testing

A practical SAST explainer: how static application security testing works, what issues it finds, common pitfalls, and how to roll it out without drowning devs in noise.

Supply Chain Security: The Ultimate Guide to Software Composition Analysis (SCA) Tools

Supply Chain Security Guide: Best SCA Tools

Learn what SCA tools do, what they detect (vulnerable dependencies, licenses, malware), and how to choose the right software composition analysis solution for your stack.

Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now

Critical React & Next.js RCE Vulnerability CVE-2025-55182 Fix Guide

Learn how CVE-2025-55182 and the related Next.js RCE affect React Server Components. See impact, affected versions, and how to fix. Aikido now detects both issues.

PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents

Prompt Injection Inside GitHub Actions: The New Frontier of Supply Chain Attacks

AI-driven GitHub Actions expose new prompt-injection supply chain vulnerabilities.

Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame

Shai Hulud 2.0: What the Unknown Wonderer Reveals About the Attackers’ Endgame

New research into the Shai Hulud 2.0 malware suggests the username UnknownWonderer1 tells us more about the attackers’ endgame.

SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE

SCA in IDE: Scan and Fix Vulnerable Dependencies with AutoFix

Bring the full SCA workflow into your IDE with in-editor scanning and AutoFix. Detect vulnerable packages, review CVEs, and apply safe upgrades without leaving your development workflow.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

September 11, 2024

•

Product & Company Updates

Automate compliance with SprintoGRC x Aikido

Automate compliance with Aikido and SprintoGRC. Set up the integration today to put technical vulnerability management on autopilot.

Tags/

#Compliance

#SOC 2

September 10, 2024

•

Guides & Best Practices

Manual vs. Automated Code Review: When to Use Each

Tags/

#AppSec

#Code Quality

September 2, 2024

•

Guides & Best Practices

SAST vs DAST: What You Need to Know in 2026

What you need to know about SAST vs DAST.

Tags/

#SAST

#DAST

July 8, 2024

•

Product & Company Updates

Why we’re stoked to partner with Laravel

TL;DR Laravel helps PHP developers create their best work, now Aikido helps to secure it. Read all about becoming Laravel's preferred AppSec provider.

Tags/

#AppSec

June 27, 2024

•

Vulnerabilities & Threats

110,000 sites affected by the Polyfill supply chain attack

A critical supply chain attack has compromised over 110,000 websites via cdn.polyfill.io—remove it immedaitely to protect user data and app integrity.

Tags/

#Vulnerabilities

June 25, 2024

•

Guides & Best Practices

Cybersecurity Essentials for LegalTech Companies

LegalTech companies handle vast amounts of sensitive client data, making robust cybersecurity frameworks essential. Experts from Aikido Security, Amberlo, and Henchman emphasize the need for secure coding practices, compliance with industry standards like ISO 27001 and SOC 2, and continuous monitoring through innovative methods like bug bounty programs. As cyber threats evolve, so must the strategies to protect valuable legal data.

Tags/

#DevSecOps

#Legaltech

June 18, 2024

•

Product & Company Updates

Drata Integration - How to Automate Technical Vulnerability Management

How to become compliant without imposing a heavy workload on your dev team: Aikido and Drata integration automates technical vulnerability management. You'll better prepare for SOC 2 and ISO 27001:2022 while reducing false positives and saving time and money.

Tags/

#AppSec

#Vulnerabilities

June 11, 2024

•

Guides & Best Practices

DIY guide: ‘Build vs buy’ your OSS code scanning and app security toolkit

Yes, you can enhance your app security posture by patching together open-source code and container scanning tools—if you can handle the infrastructure.

Tags/

#Vulnerabilities

#open-source

#AppSec

June 4, 2024

•

Compliance

SOC 2 certification: 5 things we learned

What we learned about SOC 2 during our audit. ISO 27001 vs. SOC 2, why Type 2 makes sense, and how SOC 2 certification is essential for US customers.

Tags/

#Compliance

#SOC 2

May 28, 2024

•

Guides & Best Practices

We just raised our $17 million Series A

We've raised $17M to bring “no BS” security to devs. We’re happy to welcome Henri Tilloy from Singular.vc on board, who is again joined by Notion Capital and Connect Ventures. This round comes just 6 months after we raised $5.3M in seed funding. That’s fast.

Tags/

#AppSec

#DevSecOps

April 4, 2024

•

Guides & Best Practices

Webhook security checklist: How to build secure webhooks

Building webhooks in your SaaS? Use this webhook security checklist to make sure you're taking the necessary steps to protect your app and user data.

Tags/

#DevSecOps

March 24, 2026

•

Product & Company Updates

Aikido × Lovable: Vibe, Fix, Ship

Lovable and Aikido bring pentesting into the platform, allowing builders to simulate real-world attacks and fix issues before shipping.

Announcements

AI Penetration Testing

March 12, 2026

•

Product & Company Updates

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks

Betterleaks is a new open source secrets scanner from the creator of Gitleaks. A drop-in replacement with faster scans, token efficiency detection, configurable validation, and more.

February 26, 2026

•

Product & Company Updates

Introducing Aikido Infinite: A new model of self-securing software

Aikido Infinite runs AI penetration testing on every code change, validates exploitability, generates patches, and retests fixes before code hits production, making self-securing software a reality.

AI Penetration Testing

Announcements

Self-securing Software

April 23, 2026

•

Vulnerabilities & Threats

Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm

Malware

April 22, 2026

•

Vulnerabilities & Threats

GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays

A newly discovered npm and PyPI malware campaign installs hidden LLM proxies on compromised servers, turning them into relay nodes for LLM traffic.

Malware

April 8, 2026

•

Vulnerabilities & Threats

GlassWorm goes native: New Zig dropper infects every IDE on your machine

GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.

Malware

August 19, 2025

•

DevSec Tools & Comparisons

Top 12 Dynamic Application Security Testing (DAST) Tools in 2026

Discover the 12 top best Dynamic Application Security Testing (DAST) tools in 2026. Compare features, pros, cons, and integrations to choose the right DAST solution for your DevSecOps pipeline.

Tools

DAST

July 18, 2025

•

DevSec Tools & Comparisons

Top 13 Container Scanning Tools in 2026

Discover the best 13 Container Scanning tools in 2026. Compare features, pros, cons, and integrations to choose the right solution for your DevSecOps pipeline.

Tools

Container Scanning

July 17, 2025

•

DevSec Tools & Comparisons

Top 10 Software Composition Analysis (SCA) tools in 2026

SCA tools are our best line of defense for open-source security, this article explores the top 10 open-source dependency scanners for 2026

Tools

SCA