Aikido
Start for Free
No CC required

Welcome to our blog.

Featured
How to build a secure admin panel for your SaaS app
How to build a secure admin panel for your SaaS app
Avoid common mistakes when building a SaaS admin panel. We outline some pitfalls and potential solutions specifically for SaaS builders!
Avoid common mistakes when building a SaaS admin panel. We outline some pitfalls and potential solutions specifically for SaaS builders!
Guides & Best Practices
Willem Delbare
How to prepare yourself for ISO 27001:2022
How to prepare yourself for ISO 27001:2022
ISO 27001:2022 replaces ISO 27001:2013. Aikido helps you quickly comply with the new security controls so you and your customers can sleep at night.
ISO 27001:2022 replaces ISO 27001:2013. Aikido helps you quickly comply with the new security controls so you and your customers can sleep at night. This blog post walks you through the new requirements and how Aikido supports you.
Guides
Roeland Delrue
Preventing fallout from your CI/CD platform being hacked
Preventing fallout from your CI/CD platform being hacked
CI/CD is a prime target for hackers, so take steps that prevent fallout. Aikido Security identifies if your cloud is actively defending your CI/CD.
CI/CD is a prime target for hackers, so take steps that prevent fallout. Aikido Security identifies if your cloud is actively defending your CI/CD.
Guides
Willem Delbare
How to Close Deals Faster with a Security Assessment Report
How to Close Deals Faster with a Security Assessment Report
Aikido’s security assessment report enables startups to establish trust and credibility with leads and potential customers to close deals faster.
Guides & Best Practices
Felix Garriau
Automate Technical Vulnerability Management [SOC 2]
Automate Technical Vulnerability Management [SOC 2]
How to become compliant without imposing a heavy workload on your dev team
How to become compliant without imposing a heavy workload on your dev team
Guides
Willem Delbare
How does a SaaS startup CTO balance development speed and security?
SaaS Security for Startups: 7 Expert Tips By CTOs
As a CTO of multiple early-stage SaaS startups, I've learned some invaluable lessons on how to navigate the delicate dance between development speed and security.
Guides
Willem Delbare
Aikido Security raises €2 million pre-seed round to build a developer-first software security platform
Aikido Security Raises €2M Pre-Seed for Security Platform
Belgian SaaS startup Aikido Security has raised €2 million in pre-seed funding from angel investors who support its mission to simplify software security.
Belgian SaaS startup Aikido Security has raised €2 million in pre-seed funding from renowned angel investors who support its mission to simplify software security for developers.
Product & Company Updates
Felix Garriau
How a startup’s cloud got taken over by a simple form that sends emails
How a Hacker Gained Access to a Startup's Cloud by Email
This is the story of an attacker who gained access to a startup’s Amazon S3 buckets, environment variables, and various internal API secrets.
How a startup’s cloud got taken over by a simple form that sends an email
Engineering
Willem Delbare
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
June 1, 2026
News

Move over, Mythos. Here comes... pretty much any other model with a good harness

Mythos has real edges in exploit chain construction. But for most AppSec work, the harness around the model matters more than which model you pick.

No items found.
June 1, 2026
Vulnerabilities & Threats

Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm

Multiple official @redhat-cloud-services npm packages were compromised with a credential-stealing worm derived from the open-sourced Mini Shai-Hulud malware, targeting cloud credentials, and developer tooling across CI/CD pipelines.

#Malware

May 27, 2026
News

Aikido vs XBOW: 58% more vulnerabilities found in independent benchmark

We commissioned Doyensec to run a blind, independent benchmark of Aikido and XBOW on the same apps, at the same price. Aikido found 58% more verified vulnerabilities, and came out ahead on setup, speed and stability.

#AI Penetration Testing

#Self-securing Software

2026

2026 State of AI in Security & Development

Our new report captures the voices of 450 security leaders (CISOs or equivalent), developers, and AppSec engineers across Europe and the US. Together, they reveal how AI-generated code is already breaking things, how tool sprawl is making security worse, and how developer experience is directly tied to incident rates. This is where speed and safety collide in 2025.

Read more
Title card reading '2026 State of AI in Security & Development' on a dark blue grid background.

Subscribe to our newsletter.
No spam, guaranteed.

Vulnerabilities & Threats

Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.

See all

News

Our perspective on the stories shaping software security right now

See all

Customer Stories

See how teams like yours are using Aikido to simplify security and ship with confidence.

See all

Product & Company Updates

What’s new at Aikido—from product launches to big security wins.

See all

Guides & Best Practices

Actionable tips, security workflows, and how-to guides to help you ship safer code faster.

See all

Compliance

Stay ahead of audits with clear, dev-friendly guidance on SOC 2, ISO standards, GDPR, NIS, and more.

See all
AI
Aikido Device Protection
Aikido Endpoint
Aikido Zen
AI Penetration Testing
AI Safety
Announcements
API
AppSec
Article
ASPM
autofix
AutoTriage
AWS
Bazel
CircleCI
Cloud
cnapp
Code Quality
Codeship
Compliance
Container Scanning
Continuous Pentesting
Continuous Security Monitoring
CSPM
Cyber Resilience Act
DAST
Dependencies
DevSecOps
End of Life
European Cyber Security
fintech
IDE Security
IDOR vulnerabilities
IMDSv1
IMDSv2
Infrastructure as a Code IaC
intel
Legaltech
License Scanners
Malware
Network Security Monitoring
NIS2
NPM
open-source
OWASP
Pentesting
Pypi
RASP
SAST
SBOM
SCA
Secrets
Self-securing Software
SOC 2
Software Supply Chain Security
SQL Injections
SSDLC
SSRF
Threat Modeling
Tools
Triaging
usecase
Vibe Coding
VS Code
Vulnerabilities
Top 5 Tenable Nessus alternatives in 2026
Top 5 Tenable Nessus Alternatives in 2026 | Aikido Security
Tenable Nessus is a powerful scanner, but powerful tools that nobody uses don't make software more secure. Compare five alternatives built for how engineering teams actually work.
Tenable Nessus is a powerful infrastructure scanner, but powerful tools that sit disconnected from developer workflows are tools that nobody uses. This guide compares five alternatives built around developer workflow fit, AppSec breadth, cost, and remediation experience.
DevSec Tools & Comparisons
Why EDR and proxy won’t save you from supply chain malware
Why EDR and proxy won’t save you from supply chain malware
EDR and proxies weren't built for supply chain malware. When malicious code arrives through npm install, it looks like normal behavior. Here's why that matters.
EDR and proxies weren't built for supply chain malware. When malicious code arrives through npm install, it looks like normal behavior. Here's why that matters.
News
Move over, Mythos. Here comes... pretty much any other model with a good harness
Move over, Mythos. Here comes any model with a good harness.
Mythos has real edges in exploit chain construction. But for most AppSec work, the harness around the model matters more than which model you pick.
Mythos has real edges in exploit chain construction. But for most AppSec work, the harness around the model matters more than which model you pick.
News
Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm
Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm
Multiple official @redhat-cloud-services npm packages were compromised with a credential-stealing worm derived from the open-sourced Mini Shai-Hulud malware, targeting cloud credentials, and developer tooling across CI/CD pipelines.
Multiple official @redhat-cloud-services npm packages were compromised with a credential-stealing worm derived from the open-sourced Mini Shai-Hulud malware, targeting cloud credentials, and developer tooling across CI/CD pipelines.
Vulnerabilities & Threats
What MDM can't protect on developer machines (and what to do about it)
What MDM Can't Protect on Developer Machines
MDM tools like Jamf and Kandji are essential but they don't see npm installs, IDE extensions, or AI coding tools. Here's what's actually unprotected on your developer machines and how to close the gap.
Most security teams have MDM deployed. The problem is that npm installs, VS Code extensions, and AI coding tools happen completely outside MDM's view. Here's what's actually unprotected and how to close the gap.
Guides & Best Practices
Top GitGuardian alternatives for secrets scanning in 2026
Top GitGuardian Alternatives for Secrets Scanning in 2026
Compare the Top GitGuardian Alternatives for secrets scanning in 2026. See where Aikido Security, GitHub Secret Protection, TruffleHog, Gitleaks, Semgrep, Snyk, Cycode, Checkmarx, and GitLab fit best.
Compare the top GitGuardian alternatives for secrets scanning in 2026, including Aikido Security, Betterleaks, GitHub Secret Protection, TruffleHog, Semgrep, Snyk, Checkmarx One, and GitLab Secret Detection.
DevSec Tools & Comparisons
Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens
Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens
A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.
A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.
Vulnerabilities & Threats
Aikido vs XBOW: 58% more vulnerabilities found in independent benchmark
Aikido vs XBOW: 58% more vulnerabilities found in independent benchmark
Aikido vs XBOW compared in an independent benchmark by Doyensec. Aikido found 58% more vulnerabilities at the same price. See setup time, false positive rates & full results
We commissioned Doyensec to run a blind, independent benchmark of Aikido and XBOW on the same apps, at the same price. Aikido found 58% more verified vulnerabilities, and came out ahead on setup, speed and stability.
News
Why developer machines are now the number one target for supply chain attacks
Why Developer Machines Are the #1 Target for Supply Chain Attacks | Aikido
Teams at Omnea, Cognism, Glasswall, Raisin and the UK public sector reveal why EDR and MDM miss what's really happening on developer machines.
Engineering and security teams at Omnea, Cognism, Glasswall, and the UK public sector all independently flagged the same blind spot. This is what they're doing about it.
News
Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
Attackers injected a credential stealer into 200+ versions of popular Laravel-Lang packages, delivering a credential stealer targeting cloud keys, SSH keys, browsers, crypto wallets and more.
Attackers injected a credential stealer into 200+ versions of popular Laravel-Lang packages, delivering a credential stealer targeting cloud keys, SSH keys, browsers, crypto wallets and more.
Vulnerabilities & Threats
5 Gitleaks alternatives and why they are better
5 Gitleaks Alternatives for Better Secrets Scanning in 2026
Looking for a Gitleaks alternative? We compare Betterleaks, TruffleHog, Aikido, GitHub Advanced Security, and Spectral so you can find the best secrets scanner for your team.
Gitleaks is no longer actively developed, and the secrets scanning landscape has moved fast. We compare the five strongest alternatives in 2026, including Betterleaks, TruffleHog, Aikido, GitHub Advanced Security, and Spectral, so you can find the right fit for your stack.
DevSec Tools & Comparisons
The Wild West of VS Code extensions and how a poisoned extension breached GitHub
The Wild West of VS Code extensions and how a poisoned extension breached GitHub
A poisoned VS Code extension breached GitHub yesterday, one day after Nx Console (2.2M installs) was compromised for 18 minutes on the Visual Studio Marketplace and reached every user with auto-update on.
Vulnerabilities & Threats
GitHub breached via a malicious VS Code extension: why developer devices are the real target
GitHub Breached via VS Code Extension | Developer Supply Chain Attack 2026
GitHub confirmed a poisoned VS Code extension compromised an employee device, exposing 3,800 internal repos. Why developer workstations are now the top supply chain target.
Vulnerabilities & Threats
Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!
Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!
Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems
Vulnerabilities & Threats
Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
Mini Shai-Hulud Strikes Again: npm Worm Compromises Hundreds of @antv Packages
The Mini Shai-Hulud npm worm has hit Alibaba's @antv packages, echarts-for-react, and timeago.js. The payload steals CI/CD secrets, plants backdoors in VS Code and Claude Code, and spreads by republishing compromised packages. Here is what happened and how to protect your team.
The Mini Shai-Hulud npm worm is back with its largest wave yet, compromising hundreds of packages across Alibaba's data visualization ecosystem. Our malware team is tracking over 2,700 rogue GitHub repos created with stolen tokens as the worm continues to spread.
Vulnerabilities & Threats
Penetration testing vs. red teaming: what’s the difference?
Penetration Testing vs. Red Teaming: What's the Difference?
Not sure whether you need a pentest or a red team engagement? This guide breaks down the key differences, when to use each, and how AI is changing both.
Penetration testing and red teaming are both ways to stress test your security, but they're not the same thing. This post breaks down how each works, when to use one over the other, and where AI pentesting is changing the equation.
Guides & Best Practices
Google API keys keep working after you delete them
Google API keys keep working after you delete them long enough to be exploited
Deleting a Google API key doesn't revoke it immediately. Our testing found successful authentications up to 23 minutes after deletion, and Google has declined to fix it.
Deleting a Google API key doesn’t revoke it immediately. Our testing found successful authentications up to 23 minutes after deletion, and Google declined to fix it.
Vulnerabilities & Threats
Shadow AI is a fear response, and banning it makes it worse
Why shadow AI risks start with fear (and banning makes them worse)
Employees aren't using unapproved AI tools to cause problems. They're scared of falling behind. Here's why banning shadow AI increases your security risk, and what to do instead.
Shadow AI is a fear response. Employees are hiding the tools they use because they're correctly reading a job market that demands AI skills. Here's why banning makes it worse, and what to do instead.
News
Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack
Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack
Mini Shai-Hulud is back, compromising 169 npm packages across TanStack, UiPath, Squawk, and more to steal developer and CI/CD secrets, then spread through trusted publishing workflows.
Vulnerabilities & Threats
The complete GitHub Actions security checklist
Security Checklist for GitHub Actions
GitHub Actions misconfigurations have been behind some of the biggest supply chain attacks of 2025 and 2026. Here's what went wrong and how to prevent them from happening to your org.
GitHub Actions misconfigurations have been behind some of the biggest supply chain attacks of 2025 and 2026. Here's a practical checklist of how to protect yourself from them.
Guides & Best Practices
Top OWASP scanners in 2026 for web application security
Best OWASP Scanners in 2026 for Web App Security
Most scanners don't cover the full OWASP Top 10. We break down the top OWASP scanners in 2026 so you can choose one that actually keeps you covered.
Most OWASP scanners don't cover the full Top 10. This guide breaks down the top tools in 2026, what each one actually covers, and which scanner delivers complete coverage without the noise.
DevSec Tools & Comparisons
Rolling out developer security in a 5,000+ engineer organization
Developer Security at Scale: A CISO's Rollout Guide
Most developer security rollouts fail because they're designed like software deployments, not cultural changes. A practitioner's guide for enterprise CISOs.
Most developer security rollouts fail because they're designed like software deployments, not cultural changes. Here's the phased model experienced CISOs converge on to fix that.
Guides & Best Practices
Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks
Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks
AppSec has flatlined under modern complexity. Project Glasswing and the Mythos era demand a security discipline that operates at the velocity of the threats it faces.
AppSec has flatlined under modern complexity. Project Glasswing and the Mythos era demand a security discipline that operates at the velocity of the threats it faces.
Guides & Best Practices
Why browser extensions are a major security risk and what you can do about it
Why browser extensions are a major security risk and what you can do about it
Browser extensions have lots of security risks, more than we care to admit. We discuss the full extent of the threat and what both individuals and organizations can do about it.
Guides & Best Practices
Top CVE scanners in 2026 to identify known vulnerabilities
Top CVE Scanners in 2026: Compared by Coverage, Intelligence, and Auto-Fix
We evaluated the top CVE scanners in 2026 on coverage breadth, intelligence sources, signal-to-noise ratio, and auto-fix capability. Here's how they compare and which is right for your stack.
Not all CVE scanners are built the same. We compared the top options in 2026 on coverage breadth, intelligence sources, signal-to-noise ratio, and auto-fix capability, so you can find the right fit for your stack.
DevSec Tools & Comparisons
Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud
Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud
Malware found in popular PyTorch Lightning version 2.6.2 and 2.6.3, stealing credentials, crypto wallets, and VPN configs as part of the Mini Shai-Hulud campaign.
Malware found in popular PyTorch Lightning version 2.6.2 and 2.6.3, stealing credentials, crypto wallets, and VPN configs as part of the Mini Shai-Hulud campaign.
Vulnerabilities & Threats
A practical CTO security checklist to be Mythos-ready
Mythos-Ready Checklist
A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.
Guides & Best Practices
Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files
Four published versions of a fake "tanstack" package uploaded in 27 minutes that want to steal your .env files
A fake "tanstack" npm package published four malicious versions in 27 minutes today, exfiltrating .env files via a postinstall hook. Here's what happened, who was affected, and how to rotate your credentials.
Vulnerabilities & Threats
Aikido integrates with AWS Kiro: Catching in review doesn't scale anymore
Aikido x Kiro | Catching in review doesn't scale anymore
AI agents writing your code. Aikido integrates directly into AWS Kiro's agentic workflow to keep security in the loop, automatically, from the first line. Aikido is AWS's first global security partner for Kiro.
AI agents writing your code. Aikido integrates directly into AWS Kiro's agentic workflow to keep security in the loop, automatically, from the first line. Aikido is AWS's first global security partner for Kiro.
Product & Company Updates
Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer
Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer
Compromised SAP npm packages use a Bun-based preinstall payload to steal GitHub, npm, cloud, and CI secrets, then spread via GitHub using OhNoWhatsGoingOnWithGitHub.
Vulnerabilities & Threats
It's time to treat browser extensions like supply chain attack vectors
It's time to treat browser extensions like supply chain attack vectors | Lessons learned from the Vercel breach
The Vercel breach followed a pattern the security industry knows well, where third-party code is implicitly trusted, then compromised upstream. We have a framework for that. We just haven't applied it to browser extensions yet. (Spoiler: We do this for software dependencies)
The Vercel breach followed a pattern the security industry knows well, where third-party code is implicitly trusted, then compromised upstream. We have a framework for that. We just haven't applied it to browser extensions yet. (Spoiler: We do this for software dependencies)
Vulnerabilities & Threats
Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm
Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm
Malware found in @bitwarden/cli v2026.4.0 steals SSH keys, cloud secrets, and AI coding tool credentials, then spreads through victims' own npm packages. Inside: a worm calling itself "Shai-Hulud: The Third Coming."
Malware found in @bitwarden/cli v2026.4.0 steals SSH keys, cloud secrets, and AI coding tool credentials, then spreads through victims' own npm packages. Inside: a worm calling itself "Shai-Hulud: The Third Coming."
Vulnerabilities & Threats
GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays
GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays
A newly discovered npm and PyPI malware campaign installs hidden LLM proxies on compromised servers, turning them into relay nodes for LLM traffic.
A newly discovered npm and PyPI malware campaign installs hidden LLM proxies on compromised servers, turning them into relay nodes for LLM traffic.
Vulnerabilities & Threats
Roundcube XSS chained with cookie tossing for full inbox access
Roundcube XSS chained with cookie tossing for full inbox access
We found a stored XSS in Roundcube's draft attachment endpoint that, chained with a cookie tossing technique, gives an attacker full access to a victim's inbox. Here's how the exploit chain works and how it was patched
We found a stored XSS in Roundcube's draft attachment endpoint that, chained with a cookie tossing technique, gives an attacker full access to a victim's inbox. Here's how the exploit chain works and how it was patched.
Vulnerabilities & Threats
Introducing Device Protection: Security for Developer Devices
Aikido Device Protection: Security for Developer Devices | Aikido
Supply chain attacks target developer devices. Aikido Device Protection monitors every install across npm, PyPI, VS Code extensions, browser extensions, and AI tools.
Product & Company Updates
Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow
Multiple XSS Vulnerabilities Found in Mailcow, Including Unauthenticated Account Takeover
Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.
Aikido's AI pentesting agents found three XSS vulnerabilities in Mailcow, a widely used self-hosted email server. The most severe allowed unauthenticated attackers to inject a payload into Autodiscover logs that would execute when an admin viewed them, enabling full account takeover. All three have been fixed since version 2026-03b.
Vulnerabilities & Threats
Reliable CVE sources in the age of NIST NVD cutbacks
NIST NVD changes 2026: what security teams need to know
NIST will no longer enrich most CVEs. Here's what changes, what breaks, and what comes next.
News
One year of Opengrep: What we built and what’s next
Opengrep SAST After One Year: Faster, Deterministic Static Analysis
A year after forking Semgrep, Opengrep is faster, supports deeper taint analysis, and produces consistent, reproducible results.
One year after forking Semgrep, Opengrep is faster, more capable, and fully open. Here's what we built and what's next.
Product & Company Updates
Axios CVE-2026-40175: a critical bug that’s… not exploitable
Axios CVE-2026-40175: a critical bug that’s… not exploitable
Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.
Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.
Vulnerabilities & Threats
Bug bounty isn’t dead, but the old model is breaking
Bug bounty isn’t dead, but the old model is breaking
Bug bounty is hitting a breaking point as AI overwhelms programs, pushing a shift toward more sustainable, quality-focused security models.
Bug bounty is hitting a breaking point as AI overwhelms programs, pushing a shift toward more sustainable, quality-focused security models.
Technical
GlassWorm goes native: New Zig dropper infects every IDE on your machine
GlassWorm goes native: New Zig dropper infects every IDE on your machine
GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.
GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.
Vulnerabilities & Threats
Aikido Attack finds multiple 0-days in Hoppscotch
Aikido Attack Finds 0-Days in Hoppscotch
Aikido’s AI pentesting agents discovered multiple high-severity vulnerabilities in Hoppscotch, including account takeover, stored XSS, and access control flaws. All issues are now patched.
Aikido Attack identified three high-severity vulnerabilities in Hoppscotch: an open redirect leading to account takeover, stored XSS, and a broken access control issue allowing cross-team request injection.
Vulnerabilities & Threats
The cybersecurity doomerism around Mythos doesn't match what we see on the ground
Anthropic Mythos Cybersecurity Risks: What 1,000 AI Pentests Actually Show
Anthropic's leaked Mythos model has triggered panic about AI-powered cyberattacks. We ran 1,000 AI penetration tests. The results suggest the threat is more nuanced than the headlines claim.
News
axios compromised on npm: maintainer account hijacked, RAT deployed
axios compromised on npm: maintainer account hijacked, RAT deployed
Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.
Axios was compromised. Malicious axios versions 1.14.1 and 0.30.4 were published to npm after the lead maintainer's account was hijacked. The injected dependency deploys a cross-platform RAT that self-destructs after execution.
Vulnerabilities & Threats
Popular telnyx package compromised on PyPI by TeamPCP
Popular telnyx package compromised on PyPI by TeamPCP
The popular telnyx packageon PyPI, used by big AI companies, has been compromised by TeamPCP
The popular telnyx packageon PyPI, used by big AI companies, has been compromised by TeamPCP
Vulnerabilities & Threats
Aikido × Lovable: Vibe, Fix, Ship
Lovable Partners with Aikido to Bring Pentesting to Vibe-Coded Apps
Lovable and Aikido bring pentesting into the platform, allowing builders to simulate real-world attacks and fix issues before shipping.
Aikido brings pentesting directly into Lovable. Test your app by simulating real attacks and fix issues before you ship.
Product & Company Updates
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
Vulnerabilities & Threats
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
Vulnerabilities & Threats
Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM
Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM
Frost & Sullivan recognized Aikido with the 2026 Customer Value Leadership Award in ASPM. We break down what the recognition criteria reveal about how the AppSec market is maturing
Frost & Sullivan recognized Aikido with the 2026 Customer Value Leadership Award in ASPM. We break down what the recognition criteria reveal about how the AppSec market is maturing
News
GlassWorm Hides a RAT Inside a Malicious Chrome Extension
GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)
GlassWorm deploys a multi-stage RAT that force-installs a malicious Chrome extension to log keystrokes, steal cookies, and exfiltrate data via Solana-based C2.
GlassWorm deploys a multi-stage RAT that force-installs a malicious Chrome extension to log keystrokes, steal cookies, and exfiltrate data via Solana-based C2.
Vulnerabilities & Threats
Security testing is validating software that no longer exists
Why Pentesting Can’t Keep Up: The Speed Problem in Security Testing
Modern teams ship faster than pentesting can keep up. Explore the growing speed gap in security testing—and why traditional approaches are falling behind.
A CISO at a large enterprise told us the most important security capability today is speed. But what happens when testing can’t keep up with how fast systems change?
Guides & Best Practices
fast-draft Open VSX Extension Compromised by BlokTrooper
fast-draft Open VSX Extension Compromised by BlokTrooper (RAT & Infostealer)
The fast-draft Open VSX extension was compromised to deploy a BlokTrooper RAT and infostealer via GitHub-hosted payloads. Multiple malicious versions identified.
A popular Open VSX extension was compromised and used to deploy a RAT and infostealer from attacker-controlled infrastructure. Its version history tells the real story, with malicious releases appearing between clean ones.
Vulnerabilities & Threats
Glassworm Strikes Popular React Native Phone Number Packages
Glassworm Strikes Popular React Native Phone Number Packages in a New Supply Chain Attack
Aikido Security researchers recovered and decrypted the full payload chain from two malicious React Native packages. Here's what the malware does and what to look for.
Two popular React Native npm packages were backdoored by suspected Glassworm actors and used to deliver multi-stage malware. Here's what the malware does and what to look for.
Vulnerabilities & Threats
Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
Glassworm Returns: Invisible Unicode Malware Found in 150+ GitHub Repositories
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.
Glassworm is back with a new wave of invisible Unicode attacks. We’re tracking a fresh campaign quietly compromising repositories across GitHub, npm, and VS Code.
Vulnerabilities & Threats
Top RSAC 2026 Parties, Side-Events & Security Meetups
RSAC 2026 Parties & Security Events Guide | Aikido
RSAC 2026 Parties & Security Events Guide | Aikido
News
How Security Teams Fight Back Against AI-Powered Hackers
How Security Teams Fight Back Against AI-Powered Hackers
AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.
A single hacker and a Claude subscription just took down nine Mexican government agencies. AI has handed attackers a serious power upgrade. Security teams need a new playbook.
Vulnerabilities & Threats
Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks
Betterleaks: The Gitleaks Successor Built for Faster Secrets Scanning
Betterleaks is a new open source secrets scanner from the creator of Gitleaks. A drop-in replacement with faster scans, token efficiency detection, configurable validation, and more.
The creator of Gitleaks is launching its successor. Betterleaks is a faster open source secrets scanner built to catch more leaks and fit modern developer workflows.
Product & Company Updates
How does AI pentesting work with compliance?
How does AI pentesting work with compliance?
AI pentesting is being accepted for SOC 2, ISO 27001, and HIPAA (with more likely to come). Here's what auditors actually look for, and where the real limitations are.
AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.
Compliance
Trump’s 2026 cybersecurity strategy: From compliance to consequence
Trump’s 2026 Cybersecurity Strategy: From Compliance to Consequence
The Trump administration’s 2026 cybersecurity strategy shifts the focus from compliance checklists to real consequences for cybercriminals. Here’s what CISOs need to know.
News
What continuous pentesting actually requires
Continuous pentesting: how it works and what it requires
Continuous pentesting promises real-time security validation, but most implementations fall short. Here’s what continuous pentesting actually requires—from change-aware testing to exploit validation and remediation loops.
Continuous pentesting is widely discussed, but rarely defined clearly. This piece breaks down what it is, what it isn’t, and what it actually requires.
Guides & Best Practices
Rare Not Random: Using Token Efficiency for Secrets Scanning
Rare Not Random: Using Token Efficiency for Secrets Scanning
Entropy often struggles with generic secrets and short strings. We look at how token efficiency can better identify strings that don’t look like normal text.
Entropy is great at spotting randomness. But secrets aren’t always random. They’re just strings that don’t show up in normal code or text. We explore using BPE tokenization to measure that difference.
Guides & Best Practices
Why Determinism Is Still a Necessity in Security
Why Determinism Is Still a Necessity in Security
AI scanning finds what rules miss. Deterministic scanning finds it every time. Here's why the best security pipelines don't choose between them.
AI-powered security tools are getting better at finding vulnerabilities. But deterministic tools give you the consistency that pipelines, compliance, and audit trails depend on. We look at what deterministic scanning does well, where AI takes over, and how the two work together for effective security.
Engineering
WAF vs. RASP vs. ADR
WAF vs. RASP vs. ADR: How Runtime Application Security Works
WAF, RASP, and ADR protect your app in completely different ways. Here's what each layer actually does, where it falls short, and which ones you need.
WAF, RASP, ADR, eBPF — We're clearing up the terminology around runtime application security. Here's what each layer actually does, how they overlap, and how they fit together
Guides
Introducing Aikido Infinite: A new model of self-securing software
Aikido Infinite: Continuous AI Pentesting for Every Release
Aikido Infinite runs AI penetration testing on every code change, validates exploitability, generates patches, and retests fixes before code hits production, making self-securing software a reality.
Product & Company Updates
Persistent XSS/RCE using WebSockets in Storybook’s dev server
Persistent XSS/RCE using WebSockets in Storybook (CVE-2026-27148)
CVE-2026-27148 exposes a WebSocket hijacking flaw in Storybook that can escalate into supply chain compromise. Learn the attack path, impact, and how to remediate.
Aikido Attack found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. We walk through how an attacker can exploit this without any user interaction at all, and a developer just has to visit the wrong website while to run into this attack.
Vulnerabilities & Threats
How Aikido secures AI pentesting agents by design
How Aikido Secures AI Pentesting Agents and Prevents Scope Drift
Learn how Aikido secures AI pentesting agents with architectural isolation, runtime scope enforcement, and network-level controls to prevent production drift and data leakage.
AI agents are built to explore. In cybersecurity, that exploration needs strict boundaries. This article explains how Aikido secures AI pentesting agents through architectural isolation, runtime scope enforcement, and layered controls that contain risk by design.
Product & Company Updates
Astro Full-Read SSRF via Host Header Injection
Astro SSRF Vulnerability: Host Header Injection in SSR Error Pages (CVE-2026-25545)
Aikido Security's AI pentesting agent discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. Learn how Host header injection in prerendered error pages allowed full internal network access.
Aikido's AI pentesting agent discovered an SSRF vulnerability in Astro's Node.js adapter. We'll look at how by injecting a malicious Host: header, attackers could redirect an internal request to any URL on the local network.
Vulnerabilities & Threats
How to Get Your Board to Care About Security (Before a Breach Forces the Issue)
How to Get Your Board to Care About Security Before a Breach
Boards don’t fund security because it’s important. They fund defensible decisions. Here’s how to frame risk, reduce ambiguity, and win real support before a breach forces the issue.
Guides
What is Slopsquatting? The AI Package Hallucination Attack Already Happening
Slopsquatting: The AI Package Hallucination Attack Already Happening
AI models hallucinate npm package names. Attackers register them first. Here's what slopsquatting is, how it's spreading through agent skills, and how to protect yourself.
AI models hallucinate package names — and attackers are registering them before anyone notices. Slopsquatting is the AI-era evolution of typosquatting, and unlike its predecessor, npm's existing protections don't work. We look at the real-world research showing it's already happening, from confirmed malicious packages still pulling hundreds of weekly downloads to a hallucinated package name that spread to 237 repositories through AI agent skill files.
Guides & Best Practices
Top 6 Wiz Code Alternatives
Wiz Code Alternatives (2026): 6 Tools Compared and Best Developer-First Option
Looking for Wiz Code alternatives? Compare 6 tools across SAST, DAST, SCA, pricing, and developer experience to find the best AppSec platform for 2026.
This guide compares Wiz Code against six alternatives: Aikido Security, Snyk, Checkmarx, GitHub Advanced Security, Mend, and Veracode, evaluated on coverage, developer experience, AI-powered triage, pricing transparency, and deployment speed. Aikido Security comes out on top for teams wanting a developer-first platform with broad coverage, 85% false positive reduction, AI AutoFix across SAST, IaC and containers, native DAST, and transparent pricing at roughly one-tenth the cost of Wiz.
Guides & Best Practices
Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report
Aikido Named AppSec Platform Leader in Latio 2026 Report
Aikido Security recognized as Platform Leader, AI Pentesting Innovator, and Supply Chain Innovator in Latio Tech’s 2026 AppSec Report.
Latio Tech’s 2026 AppSec Report names Aikido a Platform Leader and AI Innovator. Here’s what the report reveals about the future of application security.
News
From detection to prevention: How Zen stops IDOR vulnerabilities at runtime
From Detection to Prevention: Zen Stops IDOR at Runtime | Aikido
IDOR vulnerabilities are one of the most common causes of cross-tenant data leaks in multi-tenant SaaS. Learn how Zen enforces tenant isolation at runtime by analyzing SQL queries and preventing unsafe access before it ships.
IDOR vulnerabilities are a leading cause of cross-tenant data leaks in multi-tenant applications. In this post, we explain how Zen moves beyond detection and enforces tenant isolation at runtime, making cross-tenant access impossible to ship by accident.
Product & Company Updates
npm backdoor lets hackers hijack gambling outcomes
npm supply chain attack hijacks game backend to rig gambling outcomes
A targeted npm supply chain attack installs an Express backdoor, enables remote SQL/file access, and rewrites gambling balances while keeping logs consistent.
We uncovered malicious npm packages that can modify gambling transactions in production, and keep the database internally consistent afterward.
Vulnerabilities & Threats
Why Trying to Secure OpenClaw is Ridiculous
Why Trying to Secure OpenClaw is Ridiculous
OpenClaw's security issues explained: malware in ClawHub, exposed instances, and why hardening guides miss the point. Can you use the AI agent safely??
News
Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code
Upgrade Impact Analysis: When Breaking Changes Actually Matter | Aikido
Aikido automatically detects breaking changes in dependency upgrades and analyzes your codebase to show real impact, so teams can merge security fixes safely.
Aikido’s Upgrade Impact Analysis flags breaking changes in dependency updates and shows whether those changes actually impact your code.
Product & Company Updates
Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security?
Claude Opus 4.6 Found 500 Vulnerabilities: What It Means for Software Security
Anthropic claims Claude Opus 4.6 uncovered 500+ high-severity vulnerabilities in open source. Here’s what that means for vulnerability discovery, exploitability validation, and production security workflows.
Claude Opus 4.6 reportedly found 500+ high-severity vulnerabilities in open source. This piece examines what that actually changes in production, where LLM reasoning helps, and why validation and reachability still determine real security impact.
News
Introducing Aikido Expansion Packs: Safer defaults inside the IDE
Aikido Expansion Packs: Safer Defaults Inside the IDE
Aikido Expansion Packs add focused security controls directly inside your IDE. Enable secrets protection, supply chain malware checks, and AI-assisted code security without changing developer workflows.
Product & Company Updates
International AI Safety Report 2026: What It Means for Autonomous AI Systems
International AI Safety Report 2026: Aikido Security Analysis
Aikido Security's analysis of the International AI Safety Report 2026. We examine deployment-time controls, validation requirements, and practical safety baselines for autonomous AI systems.
Over 100 experts contributed to the International AI Safety Report 2026, documenting risks from autonomous AI systems and proposing defense-in-depth frameworks. As a team operating AI pentesting systems in production, we break down where the report gets it right and where it needs more technical specificity.
News
Self-Securing Software: What It Is, Why It Matters, and How It Works
What Is Self-Securing Software? A New Security Model for Modern Software
Self-securing software is a security model where systems continuously validate and remediate real risk as they change. Learn why periodic testing no longer scales.
Self-securing software treats security as a built-in system capability, not a periodic process. This article explains why modern software demands a new security model and what makes it possible today.
Product & Company Updates
Secure SDLC for Engineering Teams (+ Checklist)
Secure SDLC Explained: The 5 Pillars of a Secure Software Development Lifecycle
Learn what a Secure SDLC is, why it matters, and the five pillars every team needs. Includes a practical Secure SDLC checklist for CTOs and engineering leaders.
Guides & Best Practices
Top 10 AI Security Tools For 2026
Top 10 AI Security Tools for 2026: Features, Pros, and Comparisons
Explore the top AI security tools for 2026. Compare platforms for AI code review, vulnerability detection, pentesting, and risk management to secure modern applications.
DevSec Tools & Comparisons
Top 10 Cyber Security Tools For 2026
Top 10 Cybersecurity Tools for 2026: Detection, Cloud, XDR & AppSec
A practical breakdown of the top 10 cybersecurity tools for 2026, covering endpoint, cloud, identity, vulnerability management, and XDR. Learn how to choose the right tool for your stack and risk profile.
DevSec Tools & Comparisons
What Is Continuous Pentesting?
What Is Continuous Pentesting? How Modern Teams Reduce Exploitable Risk
Continuous pentesting automatically tests real attack paths every time software changes, validating and fixing issues as part of the development lifecycle. Learn how it compares to AI and manual pentesting.
Continuous pentesting treats security as a living system, not a one-off test. Learn how modern teams use it to reduce exploitable risk as software changes.
Guides & Best Practices
npx Confusion: Packages That Forgot to Claim Their Own Name
npx Confusion: Packages That Forgot to Claim Their Own Name
We claimed 128 unclaimed npm package names that official docs told developers to npx. Seven months later: 121,000 downloads. All would have run arbitrary code.
Official documentation tells developers to run `npx package-name`. But what if nobody claimed that name? We registered 128 of them and watched. 121,000 downloads in seven months. The holiday dip proves they're real developers, not bots.
Vulnerabilities & Threats
Introducing Aikido Package Health: a Better Way to Trust Your Dependencies
Aikido Package Health: Health Score for Open Source Packages
See how stable and well-maintained an open source package really is. Aikido Package Health helps devs choose safer dependencies with confidence.
Product & Company Updates
AI Pentesting: Minimum Safety Requirements for Security Testing
When Is AI Pentesting Safe? Minimum Safety Requirements for Security Testing
AI pentesting systems act autonomously against live environments. Learn when AI pentesting is safe to use, the minimum technical safeguards required, and how to evaluate AI security testing tools responsibly.
AI pentesting is already here, but clear safety expectations are not. This article defines a minimum safety standard for AI pentesting, giving teams a concrete baseline to evaluate emerging tools.
Guides & Best Practices
Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
A malicious VS Code extension impersonating Clawdbot is installing ScreenConnect RAT on developer machines.
A malicious VS Code extension impersonating Clawdbot is installing ScreenConnect RAT on developer machines.
Vulnerabilities & Threats
The Top 7 Threat Intelligence Tools in 2026
Top 7 Threat Intelligence Tools in 2026: Cut Noise and Focus on Real Risk
A deep dive into the top threat intelligence tools of 2026, comparing how they reduce alert fatigue, add context, and help teams prioritize real-world security risks.
DevSec Tools & Comparisons
Top 14 VS Code Extensions for 2026
Top 14 VS Code Extensions for 2026: Productivity, Testing, Security, and Collaboration
A practical guide to the best VS Code extensions for 2026, covering productivity, testing, collaboration, and security tools that improve real-world developer workflows.
DevSec Tools & Comparisons
G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets
G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets
npm package ansi-universal-ui delivers GWagon infostealer targeting 100+ crypto wallets, browser credentials, and cloud keys. We analyzed all 10 versions as the attacker iterated in real-time.
Vulnerabilities & Threats
Pentest GPT: How LLMs Are Reshaping Penetration Testing
Pentest GPT: How AI Is Changing Penetration Testing
Explore how Pentest GPT uses LLMs to automate attack reasoning, simulate real exploits, and scale testing. See how Aikido validates every finding.
DevSec Tools & Comparisons
Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages
Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages
A targeted spear-phishing campaign used npm packages and jsDelivr as free phishing infrastructure, serving custom credential harvesters per victim
Vulnerabilities & Threats
Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT
Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT
Attackers published fake spellchecker packages to PyPI with malware hidden in plain sight. We break down the attack and what developers need to watch for.
Vulnerabilities & Threats
SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel
SvelteSpill: Critical Cache Deception Bug in SvelteKit + Vercel
SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if you’re vulnerable and how to mitigate risk.
Our AI pentesting system discovered and reproduced a high-severity vulnerability in default SvelteKit deployments on Vercel. Here’s how it traced a cross-layer flaw across 150,000 lines of code.
Vulnerabilities & Threats
Agent Skills Are Spreading Hallucinated npx Commands
Agent Skills Are Spreading Hallucinated npx Commands
AI agent skills are propagating hallucinated npx commands, creating real security and reliability risks for developers and supply chains.
Vulnerabilities & Threats
Understanding Open-Source License Risk in Modern Software
Understanding Open-Source License Risk in Modern Software
Open-source license risk hides in dependencies and container images. Learn what it is, why it matters, and how to catch issues early.
Open source moves fast, but its licenses still have rules. This piece breaks down what open-source license risk is, why teams keep missing it in modern dependency trees, and how to stay compliant without turning it into a legal fire drill.
Guides & Best Practices
The CISO Vibe Coding Checklist for Security
CISO Vibe Coding Checklist: Securing AI-Built Apps
A practical security checklist for CISOs managing AI and vibe-coded applications. Covers technical guardrails, AI controls, and organizational policies.
AI-powered vibe coding lets anyone ship software. This post outlines the security risks CISOs are facing and introduces a practical checklist, informed by CISOs at Lovable and Supabase.
Guides & Best Practices
From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B
Aikido Security Raises $60M at a $1B valuation
Aikido announces $60M Series B funding at a $1B valuation, accelerating its vision for self-securing software and continuous penetration testing.
Aikido becomes one of the fastest cybersecurity companies to reach unicorn status globally, and the fastest ever in Europe.
Product & Company Updates
Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858)
n8n Critical Vulnerability (CVE-2026-21858) | Unauthenticated RCE Explained
A critical vulnerability in n8n (CVE-2026-21858) allows unauthenticated remote code execution on self-hosted instances. Learn who is affected and how to remediate.
Vulnerabilities & Threats
AI-Driven Pentesting of Coolify: Seven CVEs Identified
Seven CVEs in Coolify Identified Through AI Pentesting | Aikido
AI-driven pentesting of Coolify identified seven CVEs, including privilege escalation and remote code execution vulnerabilities. Findings were responsibly disclosed and fixed.
Aikido
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
April 14, 2026
Vulnerabilities & Threats

Axios CVE-2026-40175: a critical bug that’s… not exploitable

Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.

Tags/
No items found.
April 13, 2026
Technical

Bug bounty isn’t dead, but the old model is breaking

Bug bounty is hitting a breaking point as AI overwhelms programs, pushing a shift toward more sustainable, quality-focused security models.

Tags/

#AI

#AI Penetration Testing

#Tools

#Vulnerabilities

April 8, 2026
Vulnerabilities & Threats

Aikido Attack finds multiple 0-days in Hoppscotch

Aikido Attack identified three high-severity vulnerabilities in Hoppscotch: an open redirect leading to account takeover, stored XSS, and a broken access control issue allowing cross-team request injection.

Tags/

#Malware

#AI Penetration Testing

#open-source

March 18, 2026
Vulnerabilities & Threats

fast-draft Open VSX Extension Compromised by BlokTrooper

A popular Open VSX extension was compromised and used to deploy a RAT and infostealer from attacker-controlled infrastructure. Its version history tells the real story, with malicious releases appearing between clean ones.

Tags/

#Malware

#open-source

March 16, 2026
Vulnerabilities & Threats

Glassworm Strikes Popular React Native Phone Number Packages

Two popular React Native npm packages were backdoored by suspected Glassworm actors and used to deliver multi-stage malware. Here's what the malware does and what to look for.

Tags/

#Malware

#NPM

March 12, 2026
Vulnerabilities & Threats

How Security Teams Fight Back Against AI-Powered Hackers

A single hacker and a Claude subscription just took down nine Mexican government agencies. AI has handed attackers a serious power upgrade. Security teams need a new playbook.

Tags/

#AI

#Continuous Pentesting

#Self-securing Software

March 9, 2026
News

Trump’s 2026 cybersecurity strategy: From compliance to consequence

Tags/

#Compliance

March 9, 2026
Compliance

How does AI pentesting work with compliance?

AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.

Tags/

#AI Penetration Testing

#Pentesting

March 3, 2026
Vulnerabilities & Threats

Persistent XSS/RCE using WebSockets in Storybook’s dev server

Aikido Attack found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. We walk through how an attacker can exploit this without any user interaction at all, and a developer just has to visit the wrong website while to run into this attack.

Tags/

#Vulnerabilities

#open-source

#Pentesting

March 3, 2026
Engineering

Why Determinism Is Still a Necessity in Security

AI-powered security tools are getting better at finding vulnerabilities. But deterministic tools give you the consistency that pipelines, compliance, and audit trails depend on. We look at what deterministic scanning does well, where AI takes over, and how the two work together for effective security.

Tags/

#SAST

#Tools

February 23, 2026
Guides

How to Get Your Board to Care About Security (Before a Breach Forces the Issue)

Tags/

#Article

February 20, 2026
Guides & Best Practices

What is Slopsquatting? The AI Package Hallucination Attack Already Happening

AI models hallucinate package names — and attackers are registering them before anyone notices. Slopsquatting is the AI-era evolution of typosquatting, and unlike its predecessor, npm's existing protections don't work. We look at the real-world research showing it's already happening, from confirmed malicious packages still pulling hundreds of weekly downloads to a hallucinated package name that spread to 237 repositories through AI agent skill files.

Tags/

#Vulnerabilities

#Dependencies

#NPM

Product & Company Updates
See all
See all
May 12, 2026
Product & Company Updates

One year of Opengrep: What we built and what’s next

A year after forking Semgrep, Opengrep is faster, supports deeper taint analysis, and produces consistent, reproducible results.

#
SAST
#
open-source
April 30, 2026
Product & Company Updates

Aikido integrates with AWS Kiro: Catching in review doesn't scale anymore

AI agents writing your code. Aikido integrates directly into AWS Kiro's agentic workflow to keep security in the loop, automatically, from the first line. Aikido is AWS's first global security partner for Kiro.

#
Announcements
March 24, 2026
Product & Company Updates

Aikido × Lovable: Vibe, Fix, Ship

Lovable and Aikido bring pentesting into the platform, allowing builders to simulate real-world attacks and fix issues before shipping.

#
Announcements
#
AI Penetration Testing
Vulnerabilities & Threats
See all
See all
May 21, 2026
Vulnerabilities & Threats

Google API keys keep working after you delete them

Deleting a Google API key doesn't revoke it immediately. Our testing found successful authentications up to 23 minutes after deletion, and Google has declined to fix it.

#
AppSec
#
Vulnerabilities
May 20, 2026
Vulnerabilities & Threats

The Wild West of VS Code extensions and how a poisoned extension breached GitHub

A poisoned VS Code extension breached GitHub yesterday, one day after Nx Console (2.2M installs) was compromised for 18 minutes on the Visual Studio Marketplace and reached every user with auto-update on.

#
VS Code
#
Software Supply Chain Security
#
Aikido Endpoint
May 19, 2026
Vulnerabilities & Threats

Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!

Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems

DevSec Tools & Comparisons
See all
See all
August 19, 2025
DevSec Tools & Comparisons

Top 12 Dynamic Application Security Testing (DAST) Tools in 2026

Discover the 12 top best Dynamic Application Security Testing (DAST) tools in 2026. Compare features, pros, cons, and integrations to choose the right DAST solution for your DevSecOps pipeline.

#
Tools
#
DAST
July 18, 2025
DevSec Tools & Comparisons

Top 13 Container Scanning Tools in 2026

Discover the best 13 Container Scanning tools in 2026. Compare features, pros, cons, and integrations to choose the right solution for your DevSecOps pipeline.

#
Tools
#
Container Scanning
July 17, 2025
DevSec Tools & Comparisons

Top 10 Software Composition Analysis (SCA) tools in 2026

SCA tools are our best line of defense for open-source security, this article explores the top 10 open-source dependency scanners for 2026

#
Tools
#
SCA
Guides & Best Practices
See all
See all
April 30, 2026
Guides & Best Practices

A practical CTO security checklist to be Mythos-ready

A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.

#
AI
#
Self-securing Software
#
Announcements
March 19, 2026
Guides & Best Practices

Security testing is validating software that no longer exists

Modern teams ship faster than pentesting can keep up. Explore the growing speed gap in security testing—and why traditional approaches are falling behind.

#
AI Penetration Testing
#
Continuous Pentesting
#
Pentesting
March 6, 2026
Guides & Best Practices

What continuous pentesting actually requires

Continuous pentesting promises real-time security validation, but most implementations fall short. Here’s what continuous pentesting actually requires—from change-aware testing to exploit validation and remediation loops.

Get secure now

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

Start Scanning
No CC required
Book a demo
No credit card required | Scan results in 32secs.