
.avif)
Welcome to our blog.
.jpg)
Aikido acquires Root to secure the supply chain
Aikido has acquired Root to secure the software supply chain, fixing open source vulnerabilities in the version you already run, no upgrade required. Critical fixes go back to the community, free.

Packagist is now protected by Aikido Intel and other updates to the PHP registry
Aikido's malware feed now blocks flagged package versions in Composer by default, for everyone installing from Packagist.org, with nothing to switch on. Over the past year Packagist and Composer have been closing whole classes of supply chain attack at the registry level. Here's what they shipped, and why every registry should be working this way.
2026 State of AI in Pentesting
Our latest report captures the perspectives of 400 CISOs, CTOs, and senior engineering leaders across Europe and the US. It explores how AI is changing penetration testing, why traditional approaches are struggling to keep pace with modern software delivery, and what security leaders want from the next generation of penetration testing.

Vulnerabilities & Threats
Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.
Customer Stories
See how teams like yours are using Aikido to simplify security and ship with confidence.
Predicting MongoDB ObjectId() continuously in Rocket.Chat
Aikido's AI pentester found this file-access flaw in Rocket.Chat. A closer look at MongoDB's ObjectId() showed the weak randomness that makes it exploitable.
Authentication Bypass in the default configuration phpBB
Our AI pentest agents found a critical phpBB auth bypass (CVE-2026-48611): one unauthenticated request logs you into any account. See the exploit and the fix.
AI Pentesting for Compliance
Learn which compliance frameworks accept AI pentesting, and which still require a human pentester.
And another one. GitHub ships break-glass credential revocation
GitHub Enterprise can now revoke all of an account's credentials in one action. The Trivy attack and Microsoft's own durabletask compromise demonstrate why this was a long time coming.
npm now freezes high-impact accounts after risky account changes
A look at npm's new 72-hour account freeze, what triggers it, what it blocks, and how it works alongside trusted and staged publishing.
Everybody's shipping code they can't read
With AI, everyone's a developer now, and a lot of code gets shipped without a careful review from trained eyes.
Compromised GitHub action codfish/semantic-release-action steals CI/CD secrets
codfish/semantic-release-action was compromised on June 24, 2026. Attackers repointed v2–v5 tags to a Miasma credential-stealing payload targeting CI/CD secrets. Here's what happened and how to check if you're affected.
Aikido x Drydock | A way for maintainers to catch malware before it ships
Aikido is partnering with Drydock so npm and PyPI maintainers can see exactly what's inside a release before it goes live. Catch malware before it ships, not after.
Aikido x OWASP: 200 free credits for individual members
OWASP individual members get 200 free Aikido credits to run Code Audit. Here is how to claim yours in two steps.
Over 140 popular Mastra npm Packages Hit by Supply Chain Attack
141 Mastra npm packages were compromised in a supply chain attack that injected a malicious dependency to silently download and execute a payload at install time.
Aikido acquires Root to secure the supply chain
Aikido has acquired Root to secure the software supply chain, fixing open source vulnerabilities in the version you already run, no upgrade required. Critical fixes go back to the community, free.
Multiple JetBrains IDE plugins caught stealing AI keys
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
5 Socket security alternatives and why they are better
Socket built its name on malware detection. But detection speed alone is no longer the whole story. Here's how Aikido and four other alternatives compare on supply chain security, reachability analysis, licensing, and more.
A practical CTO security checklist to be Mythos-ready
A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.


