Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The KhangNghiem/fast-draft extension, listed on open-vsx.org/extension/KhangNghiem/fast-draft and now sitting above 26,000 downloads, had multiple malicious releases that execute a GitHub-hosted downloader and pull a second-stage RAT and infostealer from the BlokTrooper/extension repository. The confirmed malicious releases in the version line we inspected are 0.10.89, 0.10.105, 0.10.106, and 0.10.112.

On March 16, 2026, two React Native npm packages from the AstrOOnauta were backdoored in a coordinated supply chain attack. Both releases added an identical install-time loader that fetches and executes a multi-stage Windows credential and crypto stealer, triggered by nothing more than a routine npm install. The affected packages are react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8.

Last month, the Mexican government was hacked. 150GB of government data was stolen, including 195 million taxpayer records. This attack exploited a couple of dozen vulnerabilities across ten institutions. In the past, this would have likely taken a skilled team months to crack. But of course, we’re living in a new age. This attack was executed by one person and their Claude Code assistant.

AI pentesting has been making waves and rivals the power of human hackers in ways we weren’t expecting. But frequently, companies are looking for pentesting to achieve and support their compliance certifications.

Aikido Attack, our AI pentest product, found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. Storybook's WebSocket server has no authentication or access control, so if the dev server is publicly accessible, an attacker can exploit this without any user interaction at all. In the more common local setup, a developer just has to visit the wrong website while Storybook is running.

Deterministic security tools, at this point, have become such a regular part of security that, for a long time, we weren’t questioning the alternatives. With AI becoming a core component of security with probabilistic models, it’s time to revisit determinism and get clear about what it’s needed for. Otherwise, why shouldn’t we just start replacing everything with AI?

In Regex is (almost) All You Need, we learned that using a combination of regular expression patterns, entropy, and rule-based filters are an effective way to detect candidate secrets. Regex is used for casting a wide net to identify candidates. Entropy is used as a primary filter on the captured candidates and additional filters like presence of commonly used english words, or filtering on known “safe” files like go.sum are applied last.