Ghent, Belgium
2022
  |  By Dania Durnas
Last week, GitHub released self-service credential revocation for Enterprise. The feature lets organization owners cut off compromised credentials across the entire organization in one action instead of trying to track down individual tokens during an active incident. This fix was a long time coming, as the past few months have shown what happens when revocation is slow or incomplete.
  |  By Dania Durnas
npm shipped a new protection this week for its most depended-on accounts. When npm detects a sensitive action on a high-impact account, such as an email change or the use of a 2FA recovery code, it puts that account into a 72-hour read-only state and sends an alert to the previous email address. Package installs and downloads keep working as normal during this time, and the freeze lifts automatically at the end of the waiting period.
  |  By Hunter Schwartz
On Jun 24, 2026, the codfish/semantic-release-action GitHub Action was compromised through an imposter commit attack. An attacker force-pushed two malicious commits into the repository and repointed sixteen tags to them, including the floating major version tags v2, v3, v4, and v5. Any workflow referencing the action by one of those tags will pull and run the attacker's code on its next CI run.
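The two checks a practitioner wants after an incident like this are: which of my workflows reference an action by a mutable tag or branch rather than a full commit SHA, and which tags in the upstream repository moved between two snapshots. The script below is an added example, not code from Aikido or from the codfish/semantic-release-action project. The workflow text, the placeholder commit SHAs and the two tag snapshots are constructed; a real snapshot would come from `git ls-remote --tags <url>`.

```python
"""Audit GitHub Actions workflow files for action references that can be
repointed, and diff two tag snapshots to spot tags that moved.

Added example, not code from Aikido or from codfish/semantic-release-action.
The workflow text, the placeholder commit SHAs and the tag snapshots are
constructed for illustration."""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo[/subdir]@ref`; local (./) and docker:// references do not match.
USES_LINE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s"']+)?)@([^\s"']+)"""
)

# Constructed workflow: one SHA-pinned step, two floating ones, one docker image.
WORKFLOW = """\
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111  # placeholder SHA
      - uses: codfish/semantic-release-action@v3
      - uses: example-org/example-action@main
      - uses: docker://alpine:3.19
"""


def find_floating_uses(workflow_text):
    """Return (action, ref, reason) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if FULL_SHA.match(ref):
            continue  # a commit SHA is immutable; a tag or branch is not
        if re.fullmatch(r"v?\d+", ref):
            reason = "floating major tag"
        elif re.fullmatch(r"v?\d+(\.\d+)+", ref):
            reason = "version tag, still a mutable ref"
        else:
            reason = "branch or other mutable ref"
        findings.append((action, ref, reason))
    return findings


# Constructed {tag: commit} snapshots, as `git ls-remote --tags` would give before
# and after an incident. Commit values are placeholders, not real SHAs.
TAGS_BEFORE = {
    "v3": "a" * 40, "v3.0.0": "a" * 40, "v4": "b" * 40, "v4.1.0": "b" * 40,
}
TAGS_AFTER = {
    "v3": "d" * 40, "v3.0.0": "a" * 40, "v4": "d" * 40, "v4.1.0": "d" * 40, "v4.1.1": "d" * 40,
}


def moved_tags(before, after):
    """Tags present in both snapshots whose target commit changed.
    Release tags should never move, so every entry is worth investigating."""
    return sorted(
        (tag, before[tag], after[tag])
        for tag in before
        if tag in after and before[tag] != after[tag]
    )


if __name__ == "__main__":
    for action, ref, reason in find_floating_uses(WORKFLOW):
        print(f"{action}@{ref}: {reason}")
    for tag, old, new in moved_tags(TAGS_BEFORE, TAGS_AFTER):
        print(f"tag {tag} moved {old[:7]} -> {new[:7]}")
```

Pinning to a SHA stops a repointed tag from changing what your job runs; it does not tell you that the tag moved, which is why the snapshot diff is the second half of the check. Note that a floating major tag such as `v3` is only marginally worse than `v3.0.0`: both are refs the repository owner, or anyone who takes over the repository, can move.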
  |  By Dania Durnas
Maintainers, this is for you. We're partnering with Drydock so maintainers can see exactly what's inside a package before they approve it, catching malware before it ships instead of disclosing it after. Drydock lets you read the actual bytes of a staged release before it goes live, so bad versions get caught at approval rather than in a post-mortem. For npm and PyPI maintainers, Drydock is available at no cost.
  |  By Ilyas Makari
On June 17th we detected a large-scale supply chain attack targeting the entire @mastra npm scope, a popular open-source AI agent framework. An attacker republished 141 packages in a burst between 01:15 and 02:00 UTC, silently injecting a malicious dependency into every one of them. The affected packages include @mastra/core, which has 918K weekly npm downloads, as well as mastra and create-mastra.
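The pattern described here, many packages in one scope republished within a short window and all of them gaining the same new dependency, is something you can detect from registry metadata alone. The script below is an added example, not Aikido's detection code and not related to the mastra project; the scope name `@example`, the package names, the publish times and the dependency `@example/telemetry-helper` are all constructed placeholders.

```python
"""Flag a burst of republished packages that all introduce the same new dependency.

Added example; not Aikido's detector. Every package, time and dependency below
is constructed. Input shape: {package: [{"version", "time", "deps"}, ...]},
the fields a registry's package metadata provides."""
from datetime import datetime, timedelta, timezone

SCOPE_VERSIONS = {
    "@example/core": [
        {"version": "1.4.0", "time": "2026-06-10T12:00:00Z", "deps": {"zod": "^3.22.0"}},
        {"version": "1.4.1", "time": "2026-06-17T01:15:00Z",
         "deps": {"zod": "^3.22.0", "@example/telemetry-helper": "^0.1.0"}},
    ],
    "@example/memory": [
        {"version": "0.9.2", "time": "2026-06-11T09:00:00Z", "deps": {"@example/core": "^1.4.0"}},
        {"version": "0.9.3", "time": "2026-06-17T01:30:00Z",
         "deps": {"@example/core": "^1.4.0", "@example/telemetry-helper": "^0.1.0"}},
    ],
    "@example/rag": [
        {"version": "2.0.0", "time": "2026-06-12T15:30:00Z", "deps": {"@example/core": "^1.4.0"}},
        {"version": "2.0.1", "time": "2026-06-17T01:48:00Z",
         "deps": {"@example/core": "^1.4.0", "@example/telemetry-helper": "^0.1.0"}},
    ],
    # First-ever publish: no previous version to compare against.
    "@example/voice": [
        {"version": "0.3.0", "time": "2026-06-17T02:00:00Z",
         "deps": {"@example/core": "^1.4.0", "@example/telemetry-helper": "^0.1.0"}},
    ],
    # Ordinary maintenance release days earlier, adding an unrelated dependency.
    "@example/cli": [
        {"version": "3.1.0", "time": "2026-06-01T10:00:00Z", "deps": {"commander": "^12.0.0"}},
        {"version": "3.1.1", "time": "2026-06-05T10:00:00Z",
         "deps": {"commander": "^12.0.0", "chalk": "^5.0.0"}},
    ],
}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def added_dependencies(versions):
    """Dependencies present in the newest version but absent from the one before it."""
    ordered = sorted(versions, key=lambda v: parse_time(v["time"]))
    if len(ordered) < 2:
        return set()
    return set(ordered[-1]["deps"]) - set(ordered[-2]["deps"])


def publish_bursts(scope_versions, window=timedelta(minutes=60)):
    """Group packages whose latest publish falls within `window` of the burst's first publish."""
    latest = sorted(
        (max(parse_time(v["time"]) for v in vs), name) for name, vs in scope_versions.items()
    )
    bursts, current = [], []
    for t, name in latest:
        if current and t - current[0][0] > window:
            bursts.append(current)
            current = []
        current.append((t, name))
    if current:
        bursts.append(current)
    return [[name for _, name in b] for b in bursts]


def suspicious_burst_dependencies(scope_versions, min_packages=3, window=timedelta(minutes=60)):
    """Report dependencies newly introduced by at least `min_packages` packages in one burst."""
    findings = []
    for burst in publish_bursts(scope_versions, window):
        if len(burst) < min_packages:
            continue
        counts = {}
        for name in burst:
            for dep in added_dependencies(scope_versions[name]):
                counts[dep] = counts.get(dep, 0) + 1
        for dep, n in sorted(counts.items()):
            if n >= min_packages:
                findings.append({"dependency": dep, "packages": n, "burst": sorted(burst)})
    return findings


if __name__ == "__main__":
    for f in suspicious_burst_dependencies(SCOPE_VERSIONS):
        print(f"{f['dependency']} added by {f['packages']} packages in burst {f['burst']}")
```

The single-version package in the burst is deliberately not counted: a first publish has no baseline, so the signal comes from packages whose previous release existed without the dependency. Tune `window` and `min_packages` to the scope's normal release cadence; a monorepo that legitimately publishes all its packages together will trip the burst grouping, and it is the shared new dependency that separates a release train from an injection.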
  |  By Mike Wilkes
This week bore witness to some interesting events and milestones as Anthropic announced the availability of Claude Fable 5, a descendant of their Mythos Preview model, and Microsoft published their largest Patch Tuesday in history with over 200 vulnerabilities. The two are not unrelated.
  |  By Trusha Sharma
TL;DR: Aikido now supports Docker Hardened Images. A scan that used to return hundreds of CVEs collapses to the handful that actually apply, because Docker's VEX attestations filter out everything Docker has verified as non-exploitable. Zero additional setup.

Container security has a noise problem

You scan a container image and get back a list of 50, 100, sometimes hundreds of CVEs. You open a few. Some look scary. Most are irrelevant. Some have already been patched by the image maintainer.
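What "VEX attestations filter out verified non-exploitable findings" means mechanically is shown below with an added example, not Aikido's or Docker's code. It assumes statements in the OpenVEX shape (a `vulnerability.name`, a list of `products` with a `@id` package URL, a `status`, and for `not_affected` a `justification` or `impact_statement`); the scan findings, the vulnerability identifiers of the form `CVE-0000-000N` and the package URLs are constructed placeholders, not real CVEs or packages.

```python
"""Apply an OpenVEX-style document to raw scanner findings.

Added example, not Aikido's or Docker's implementation. Assumes the OpenVEX
statement shape; all identifiers and package URLs below are placeholders."""

# Constructed scanner output: one finding per (vulnerability, component).
SCAN_FINDINGS = [
    {"id": "CVE-0000-0001", "purl": "pkg:deb/debian/libexample@1.0.0"},
    {"id": "CVE-0000-0002", "purl": "pkg:deb/debian/libexample@1.0.0"},
    {"id": "CVE-0000-0003", "purl": "pkg:deb/debian/openssl-example@3.0.0"},
    {"id": "CVE-0000-0004", "purl": "pkg:deb/debian/zlib-example@1.3.0"},
    {"id": "CVE-0000-0005", "purl": "pkg:deb/debian/libexample@1.0.0"},
]

# Constructed VEX document in the OpenVEX statement shape (assumed, see lead-in).
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/hardened-image-1",
    "author": "Example Image Maintainer",
    "timestamp": "2026-06-20T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.0.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.0.0"}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:deb/debian/openssl-example@3.0.0"}],
         "status": "affected"},
        # Malformed: not_affected without a justification or impact statement.
        {"vulnerability": {"name": "CVE-0000-0005"},
         "products": [{"@id": "pkg:deb/debian/libexample@1.0.0"}],
         "status": "not_affected"},
    ],
}


def index_vex(vex_doc):
    """Map (vulnerability name, product purl) to its statement. Exact product match only;
    subcomponent matching is left out of this example."""
    idx = {}
    for st in vex_doc.get("statements", []):
        vuln = st["vulnerability"]["name"]
        for prod in st.get("products", []):
            idx[(vuln, prod["@id"])] = st
    return idx


def apply_vex(findings, vex_doc):
    """Return (remaining, suppressed). Only `fixed` and a justified `not_affected`
    suppress a finding; `affected`, `under_investigation`, an unjustified
    `not_affected` and the absence of a statement all keep it in the report."""
    idx = index_vex(vex_doc)
    remaining, suppressed = [], []
    for f in findings:
        st = idx.get((f["id"], f["purl"]))
        if st is None:
            remaining.append(dict(f, vex="no statement"))
            continue
        status = st["status"]
        reason = st.get("justification") or st.get("impact_statement")
        if status == "fixed":
            suppressed.append(dict(f, vex="fixed"))
        elif status == "not_affected" and reason:
            suppressed.append(dict(f, vex="not_affected: " + reason))
        else:
            remaining.append(dict(f, vex=status if reason or status != "not_affected"
                                  else "not_affected without justification, kept"))
    return remaining, suppressed


if __name__ == "__main__":
    remaining, suppressed = apply_vex(SCAN_FINDINGS, VEX_DOC)
    print(f"{len(suppressed)} suppressed, {len(remaining)} remaining")
    for f in remaining:
        print(f"  {f['id']} {f['purl']}: {f['vex']}")
```

The value of a VEX feed is entirely the trust you place in its author, so in practice the document's signature and its binding to the exact image digest are checked before any statement is applied; this example only shows the filtering step.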
  |  By Dania Durnas
npm's next major release, v12, scheduled to land July 2026, will stop running dependency install scripts by default. We’re relieved to hear it. Turning off install scripts is the most useful change npm could make to its defaults. The community suffered a barrage of supply chain attacks in the last year, like Nx s1ngularity and Shai-Hulud, that exploited postinstall scripts. This npm update is a long-awaited change that will shrink a huge supply chain attack vector.
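Before install scripts stop running by default, or before you turn them off yourself with `ignore-scripts=true` in `.npmrc`, it is worth knowing which packages in a tree actually declare `preinstall`, `install` or `postinstall` hooks, since those are the ones that will need an explicit decision. The audit below is an added example, not npm's or Aikido's code; the package tree it scans is constructed in a temporary directory, and the package names in it are placeholders.

```python
"""List every package in a node_modules tree that declares an install-time script.

Added example; not npm's or Aikido's code. The tree scanned by demo() is
constructed in a temporary directory with placeholder package names."""
import json
import os
import tempfile

# Lifecycle scripts npm runs for a dependency during install.
LIFECYCLE = ("preinstall", "install", "postinstall")


def install_script_audit(node_modules):
    """Walk `node_modules` (scoped and nested packages included) and return
    [{"name", "version", "scripts"}] for packages declaring any LIFECYCLE script."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        scripts = pkg.get("scripts") or {}
        hooks = {k: scripts[k] for k in LIFECYCLE if k in scripts}
        if hooks:
            findings.append({
                "name": pkg.get("name", os.path.relpath(root, node_modules)),
                "version": pkg.get("version", "?"),
                "scripts": hooks,
            })
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree(base):
    """Write a constructed node_modules tree: one plain package, one with a native
    build step, one scoped package with a postinstall hook."""
    sample = {
        "left-pad-example": {"name": "left-pad-example", "version": "1.0.0",
                             "scripts": {"test": "node test.js"}},
        "native-binding-example": {"name": "native-binding-example", "version": "2.3.1",
                                   "scripts": {"install": "node-gyp rebuild"}},
        "@example/telemetry": {"name": "@example/telemetry", "version": "0.1.0",
                               "scripts": {"postinstall": "node setup.js"}},
    }
    for rel, pkg in sample.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return base


def demo():
    """Build the constructed tree and audit it."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="nm-audit-"))
    return install_script_audit(base)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}@{f['version']}: {f['scripts']}")
```

Run it against a real `node_modules` with `install_script_audit("node_modules")`. Packages with a native build step (`node-gyp rebuild` and the like) are the usual legitimate entries; anything that fetches, decodes or executes something from outside its own tarball in a hook deserves a look before it is allowed to run.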
  |  By Nicholas Thomson
This post is based on Mackenzie's conversation with James Hawkins on The Secure Disclosure podcast. Listen to the full episode or watch below. PostHog's engineering team is merging roughly as many pull requests through Slack as through their code editor. As James Hawkins, co-founder and co-CEO of PostHog, explains on the podcast, the shift towards dispersed coding interfaces is underway. "Why are code editors all desktop apps right now? That's a relic of the past.
  |  By Jens Gellynck
ENISA just published its SBOM Adoption State of Play 2026, based on a survey of 334 organizations (65% EU-based; 80% directly affected by the Cyber Resilience Act, CRA). It is the clearest snapshot yet of where the industry stands on software supply chain transparency, and the picture is more nuanced than "everyone's on board." Here's what stood out.

Aikido Security is an automated application security platform designed specifically for software engineering teams.

We secure your entire stack - code, open-source dependencies, infrastructure, and more - and integrate into your existing workflows to provide visibility and control across your entire application infrastructure.

Our goal is to simplify security for developers through features like auto-triage of vulnerabilities, tied to whether the vulnerable code is actually used. This cuts through the noise, enabling engineering teams to focus on what matters most. Trusted by leading technology companies and validated by security experts, Aikido is the easiest way to implement application security monitoring and achieve compliance with regulations like ISO & SOC2.

We focus on the developer experience, allowing engineering teams to fix critical problems without security getting in the way of building.

The only platform that satisfies all code & cloud security needs for scaling dev teams.