
.avif)
Software Supply Chain Security News
Stay up to date with the latest software supply chain security incidents, including malicious packages, dependency attacks, and real-world breaches. We break down what happened, why it matters, and what developers should fix to stay ahead.

Multiple JetBrains IDE plugins caught stealing AI keys
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.

Compromised Rust crate onering performs code exfiltration
The compromised onering Rust crate v1.4.1 on crates.io shipped a malicious build.rs that exfiltrates the diff of your latest commit to a hosted Sentry endpoint every time you build.
.jpg)
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It
MongoBleed, tracked as CVE-2025-14847, allows unauthenticated memory disclosure in MongoDB via zlib compression. See impact and remediation.
First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson
We uncovered the first sophisticated malware campaign on Maven Central: a typosquatted Jackson package delivering multi-stage payloads and Cobalt Strike beacons via Spring Boot auto-execution.
The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security
A deep dive into a GitHub security flaw where forked commits let attackers spoof dependencies. Understand the commit SHA issue and why package managers need API-level protection.
React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell
CVE-2025-55184 is a React Server Components DoS flaw related to React2Shell. Learn who’s affected, how it works, and how to fully patch it.
PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents
AI-driven GitHub Actions expose new prompt-injection supply chain vulnerabilities.
Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now
Learn how CVE-2025-55182 and the related Next.js RCE affect React Server Components. See impact, affected versions, and how to fix. Aikido now detects both issues.
Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame
New research into the Shai Hulud 2.0 malware suggests the username UnknownWonderer1 tells us more about the attackers’ endgame.
Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities
Shai Hulud threat actors are leveraging GitHub Actions vulnerabilities in an ongoing exploitation campaign. Discover the impact and recommended security measures.
Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised
The threat actor behind “Shai Hulud 2.0” launched a new malware campaign compromising the supply chain of Zapier, ENS Domains and more — exposing secrets, injecting malicious code, and enabling widespread developer-environment takeover.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

