
.avif)
Welcome to our blog.
.jpg)
Aikido acquires Root to secure the supply chain
Aikido has acquired Root to secure the software supply chain, fixing open source vulnerabilities in the version you already run, no upgrade required. Critical fixes go back to the community, free.

Packagist is now protected by Aikido Intel and other updates to the PHP registry
Aikido's malware feed now blocks flagged package versions in Composer by default, for everyone installing from Packagist.org, with nothing to switch on. Over the past year Packagist and Composer have been closing whole classes of supply chain attack at the registry level. Here's what they shipped, and why every registry should be working this way.
2026 State of AI in Pentesting
Our latest report captures the perspectives of 400 CISOs, CTOs, and senior engineering leaders across Europe and the US. It explores how AI is changing penetration testing, why traditional approaches are struggling to keep pace with modern software delivery, and what security leaders want from the next generation of penetration testing.

Vulnerabilities & Threats
Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.
Customer Stories
See how teams like yours are using Aikido to simplify security and ship with confidence.
Aikido x Docker: less noise, more signal in your containers
Scan Docker Hardened Images in Aikido with automatic VEX filtering for non-exploitable CVEs.
Code is being written everywhere, and the device is the only constant
Developers are coding everywhere. AI agents, Slack bots, and MCP servers have made the developer device the biggest security blindspot.
SBOMs in 2026: Everyone's generating them, no one's using them
ENISA's 2026 SBOM adoption report covers 334 organizations and surfaces a consistent gap between generating SBOMs and actually using them. Here is what stood out.
Why EDR and proxy won’t save you from supply chain malware
EDR and proxies weren't built for supply chain malware. When malicious code arrives through npm install, it looks like normal behavior. Here's why that matters.
What MDM can't protect on developer machines (and what to do about it)
Most security teams have MDM deployed. The problem is that npm installs, VS Code extensions, and AI coding tools happen completely outside MDM's view. Here's what's actually unprotected and how to close the gap.
Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens
A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.
Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
Attackers injected a credential stealer into 200+ versions of popular Laravel-Lang packages, delivering a credential stealer targeting cloud keys, SSH keys, browsers, crypto wallets and more.
Shadow AI is a fear response, and banning it makes it worse
Shadow AI is a fear response. Employees are hiding the tools they use because they're correctly reading a job market that demands AI skills. Here's why banning makes it worse, and what to do instead.
Rolling out developer security in a 5,000+ engineer organization
Most developer security rollouts fail because they're designed like software deployments, not cultural changes. Here's the phased model experienced CISOs converge on to fix that.
Aikido acquires Root to secure the supply chain
Aikido has acquired Root to secure the software supply chain, fixing open source vulnerabilities in the version you already run, no upgrade required. Critical fixes go back to the community, free.
Multiple JetBrains IDE plugins caught stealing AI keys
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
5 Socket security alternatives and why they are better
Socket built its name on malware detection. But detection speed alone is no longer the whole story. Here's how Aikido and four other alternatives compare on supply chain security, reachability analysis, licensing, and more.
A practical CTO security checklist to be Mythos-ready
A practical checklist for SaaS CTOs navigating a world with Mythos and agentic AI threats. Built around the defender's advantage: you have context attackers have to work to get. Covers the controls, practices, and operational habits that determine whether your team finds and fixes issues before someone else does.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.


