Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

TL;DR: Aikido now supports Docker Hardened Images. A scan that used to return hundreds of CVEs collapses to the handful that actually apply, because Docker's VEX attestations filter out everything they've verified as non-exploitable. Zero additional setup. Container security has a noise problem You scan a container image and get back a list of 50, 100, sometimes hundreds of CVEs. You open a few. Some look scary. Most are irrelevant. Some have already been patched by the image maintainer.

npm's next major release, v12, scheduled to land July 2026, will stop running dependency install scripts by default. We’re relieved to hear it. Turning off install scripts is the most useful change npm could make to its defaults. The community suffered a barrage of supply chain attacks in the last year, like Nx s1ngularity and Shai-Hulud, that exploited postinstall scripts. This npm update is a long-awaited change that will shrink a huge supply chain attack vector.

ENISA just published its SBOM Adoption State of Play 2026, based on a survey of 334 organizations (65% EU-based, 80% directly impacted by the Cyber Resilience Act (CRA)). It is the clearest snapshot yet of where the industry stands on software supply chain transparency, and the picture is more nuanced than "everyone's on board." Here's what stood out.

This post is based on Mackenzie's conversation with James Hawkins on The Secure Disclosure podcast. Listen to the full episode or watch below. PostHog's engineering team is merging roughly as many pull requests through Slack as through their code editor. As James Hawkins, co-founder and co-CEO of PostHog, explains on the podcast, the shift towards dispersed coding interfaces is underway. "Why are code editors all desktop apps right now? That's a relic of the past.

Most security teams check the EDR box, check the proxy box, and move on. Against supply chain malware, neither provides meaningful protection because they were built for a different problem. Traditional malware has a way of sneaking onto a machine, whereas supply chain malware gets invited. The developer runs npm install, and the malicious code lands with full permission to execute. That inversion breaks both tools at the design level. ‍

Mythos doesn’t need to be treated as the biggest and baddest in the room. Don’t get me wrong. Depending on the benchmark you’re evaluating against, Mythos is among the top models available today, and generally the best at reasoning. But it’s not leaps and bounds ahead of the race. And when it comes to practical use cases, throwing a general model, even a cutting-edge frontier model, at a problem doesn’t get the best results. Nor is it scalable or cost-effective.