
The latest News and Information on Application Security including monitoring, testing, and open source.

Glassworm Strikes Popular React Native Phone Number Packages

On March 16, 2026, two React Native npm packages from AstrOOnauta were backdoored in a coordinated supply chain attack. Both releases added an identical install-time loader that fetches and executes a multi-stage Windows credential and crypto stealer, triggered by nothing more than a routine npm install. The affected packages are react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8.

How Security Teams Fight Back Against AI-Powered Hackers

Last month, the Mexican government was hacked. 150GB of government data was stolen, including 195 million taxpayer records. This attack exploited a couple of dozen vulnerabilities across ten institutions. In the past, this would have likely taken a skilled team months to crack. But of course, we’re living in a new age. This attack was executed by one person and their Claude Code assistant.

Webinar Recap: The Context Engine - Why Consolidation is the Natural Future of AppSec

As the software development lifecycle continues to evolve, the rise of AI is introducing both unprecedented productivity and unprecedented risk. In a recent webinar hosted by JFrog, Jens Eckels sat down with Forrester Senior Analyst Janet Worthington to discuss the state of application security (AppSec), the explosive growth of agentic software development, and why consolidating security tools is no longer a luxury, but a necessity.

How to Implement Mobile AppSec in a CI/CD Pipeline

For many engineering teams, CI/CD security appears to be working. Static scans run automatically. Vulnerabilities are flagged. Security checks exist somewhere in the pipeline. Yet issues still surface after release. The reason is rarely the absence of tools. More often, it is the absence of structural enforcement across the build lifecycle. Security controls run inside the pipeline, but they do not always guarantee that the artifact being tested is the same artifact that ultimately reaches users.

Rare Not Random: Using Token Efficiency for Secrets Scanning

In Regex is (almost) All You Need, we learned that a combination of regular expression patterns, entropy, and rule-based filters is an effective way to detect candidate secrets. Regex is used for casting a wide net to identify candidates. Entropy is used as a primary filter on the captured candidates, and additional filters, like the presence of commonly used English words or filtering on known “safe” files like go.sum, are applied last.

Persistent XSS/RCE using WebSockets in Storybook's dev server

Aikido Attack, our AI pentest product, found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. Storybook's WebSocket server has no authentication or access control, so if the dev server is publicly accessible, an attacker can exploit this without any user interaction at all. In the more common local setup, a developer just has to visit the wrong website while Storybook is running.

Why Determinism Is Still a Necessity in Security

Deterministic security tools, at this point, have become such a regular part of security that, for a long time, we weren’t questioning the alternatives. With AI becoming a core component of security with probabilistic models, it’s time to revisit determinism and get clear about what it’s needed for. Otherwise, why shouldn’t we just start replacing everything with AI?

Veracode CEO Brian Roche: How to Scale a Tech Company in the AI Era | Vlad Kachur Show Exclusive

How do you scale a world-class tech company while staying ahead in application security and AI-driven innovation? In this powerful exclusive interview on The Vlad Kachur Show, Brian Roche, CEO of Veracode, breaks down exactly how he transformed Veracode into one of the globe's leading application security platforms trusted by enterprises worldwide.

Application security in the age of AI with Farshad Abasi

Join us for this session of Defender Fridays as we explore application security in the age of AI with Farshad Abasi, CEO and Co-founder at Eureka DevSecOps. At Defender Fridays, we delve into the dynamic world of information security, exploring its defensive side with seasoned professionals from across the industry. Our aim is simple yet ambitious: to foster a collaborative space where ideas flow freely, experiences are shared, and knowledge expands.