Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The latest News and Information on Application Security including monitoring, testing, and open source.

Benchmarking 13 AI models on rediscovering known CVEs

TL;DR Every frontier model launch now comes with the same cybersecurity claim: it finds vulnerabilities. But does it work on a real bug in a real repository, or just on a curated example? Of the dozen models you could pick, which is worth trusting with code review? And since the strongest models cost ten times or more per run than the cheapest, what does that extra spend actually buy you in bugs found?

How Aikido Intel detects malware and vulnerabilities first

TL;DR: Aikido Intel is a real-time supply chain intelligence feed. It detects both malware and vulnerabilities in open-source ecosystems. Aikido's world-class researchers maintain our LLM-powered pipeline to find malware and validate the most malicious cases by hand. The vulnerability detection system monitors package changes across ecosystems to catch and document vulnerabilities that don’t have CVEs assigned.

The practical checklist for defending against supply chain attacks

Supply chain attacks are having a moment. Open-source malware detections jumped 73% in 2025. In the past year, the debug and chalk packages were backdoored, the tj-actions GitHub Action was compromised and pulled malicious code into thousands of pipelines, and the axios maintainer account was hijacked and used to distribute a RAT. Malicious releases also hit Zapier, ENS Domains, PostHog, and Bitwarden CLI. Every one of these attacks was preventable with controls that were available at the time.

How to maintain code quality standards with AI code and vibe coding

It’s amazing how non-developers have recently been empowered to create their own apps that can even generate revenue. We’ve recently seen progress across the AI development field, from AI being successful in “greenfield code” (apps built from scratch) towards “brownfield code” (larger scale existing applications).

AI Pentesting Buyer's Guide: How to evaluate AI pentesting vendors

Pentesting made sense when releases happened every few months. A point-in-time assessment could provide an accurate picture of risk for weeks, sometimes months. Today, engineering teams ship continuously. Our State of AI in Pentesting survey of 200 CISOs and 200 engineering leaders, found that 76% deploy significant changes at least weekly, while nearly 40% deploy daily. Yet only 21% validate security on every release. That gap has consequences.

Compromised @injectivelabs/sdk-ts exfiltrates wallet keys through fake telemetry

A malicious release of @injectivelabs/sdk-ts, an npm package that pulls around 50,000 weekly downloads, shipped code that records wallet mnemonics and private keys as they are derived and ships them to an attacker-controlled endpoint. The bad version, 1.20.21, was live on npm for under an hour on June 8, 2026 before the maintainer noticed and published a clean fix.

Why Project Glasswing Changes the Rules of AppSec

The old application security playbook is broken. With Anthropic’s Claude Mythos and the release of Project Glasswing, AI agents can now autonomously chain low-severity bugs into working zero-day exploits, collapsing the time between vulnerability discovery and active exploitation. In this video, Mend.io's Saoirse Hinksmon (Head of Product Marketing) and Daniel Wyrzykowski (Product Manager) break down the structural shifts in the threat landscape and what security teams must do to keep pace.

Insignary Closes SBOM Accuracy Gap With Binary-Level Clarity for Regulatory Risk

Most software composition analysis tools read what developers declare. Insignary Clarity's patented binary-first platform analyzes what is actually built, shipped, and deployed - including the open-source components that never appear in any manifest.

Predicting MongoDB ObjectId continuously in Rocket.Chat

Applications using MongoDB have a common pitfall of treating the ObjectId() function as cryptographically secure. Recently, we found Rocket.Chat, an open source Slack-like application, to be a victim of this. At Aikido, we run AI Pentests on various open source applications to test our agents and identify their strengths and improvement points. During the pentest, one of the agents reported that an unauthenticated Rocket.Chat user can access any uploaded file if they know its ID.