|
By Raphael Silva
A new npm supply-chain compromise is targeting the SAP developer ecosystem. The affected packages we are tracking so far are: The pattern is familiar but also a bit different: a trusted package receives a new preinstall hook, the hook runs a new setup.mjs file, and that loader downloads the Bun JavaScript runtime to execute a large obfuscated payload named execution.js. The payload is an 11.7 MB credential stealer and propagation framework.
|
By Ilyas Makari
Version 2026.4.0 of the widely-used @bitwarden/cli npm package (78,000 weekly downloads) has been identified as malicious. The package contains a sophisticated multi-stage credential theft worm that explicitly names itself "Shai-Hulud: The Third Coming", a direct callback to previous Shai-Hulud supply chain campaigns, and targets developer credentials including SSH keys, cloud secrets, and even MCP configuration files.
|
By Jorian Woltjer
Mailcow is a widely used self-hosted and open source email server that hosts everything you'd need to manage mailboxes yourself. To assess its security, we set up a local instance and ran our AI pentesting agents against it. We found three XSS vulnerabilities, including a critical vulnerability that allowed unauthenticated attackers to take over administrator accounts while looking at their logs in the UI. Gaining access to a mailbox can have a serious security impact.
|
By Mackenzie Jackson
It’s been a chaotic few weeks for Axios. First, a major supply chain attack put the package under scrutiny. Then, just days later, headlines started appearing about a “critical 10/10 vulnerability” that could lead to full cloud compromise. If you’ve read the coverage, you’ve probably seen claims like: That sounds bad. But when you look closely at how this vulnerability actually behaves in real environments, the story changes.
|
By Mackenzie Jackson
Bug bounty has been a very hot topic lately. We’re seeing high-profile programs go offline or fundamentally change: the IBB (one of the most important programs for open-source programs) is pausing submissions, curl is removing payouts and Node.js is removing its bounty entirely. That’s not noise, that's signal.
|
By Robbe Verwilghen
Hoppscotch is an open-source API development ecosystem, similar to Postman, with over 100,000 monthly users. Two weeks ago, we set up a self-hosted instance and ran our AI pentest agents against it. They found two high-severity vulnerabilities and one medium-severity vulnerability, all present in versions up to and including 2026.2.1, and all patched in 2026.3.0: All three were responsibly disclosed and have been resolved. Note: We accidentally grouped the XSS and an Access Control issue into one report.
|
By Raphael Silva
The KhangNghiem/fast-draft extension, listed on open-vsx.org/extension/KhangNghiem/fast-draft and now sitting above 26,000 downloads, had multiple malicious releases that execute a GitHub-hosted downloader and pull a second-stage RAT and infostealer from the BlokTrooper/extension repository. The confirmed malicious releases in the version line we inspected are 0.10.89, 0.10.105, 0.10.106, and 0.10.112.
|
By Raphael Silva
On March 16, 2026, two React Native npm packages from the AstrOOnauta were backdoored in a coordinated supply chain attack. Both releases added an identical install-time loader that fetches and executes a multi-stage Windows credential and crypto stealer, triggered by nothing more than a routine npm install. The affected packages are react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8.
|
By Dania Durnas
Last month, the Mexican government was hacked. 150GB of government data was stolen, including 195 million taxpayer records. This attack exploited a couple of dozen vulnerabilities across ten institutions. In the past, this would have likely taken a skilled team months to crack. But of course, we’re living in a new age. This attack was executed by one person and their Claude Code assistant.
|
By Dania Durnas
AI pentesting has been making waves and rivals the power of human hackers in ways we weren’t expecting. But frequently, companies are looking for pentesting to achieve and support their compliance certifications.
- April 2026 (6)
- March 2026 (7)
- February 2026 (8)
- January 2026 (3)
- December 2025 (4)
- November 2025 (5)
- October 2025 (2)
- September 2025 (7)
- August 2025 (3)
- July 2025 (3)
- June 2025 (5)
- May 2025 (9)
- April 2025 (3)
- March 2025 (5)
- February 2025 (1)
- January 2025 (5)
- December 2024 (5)
- November 2024 (6)
- October 2024 (1)
- September 2024 (1)
- August 2024 (1)
- July 2024 (1)
- June 2024 (5)
- May 2024 (3)
- April 2024 (1)
- March 2024 (1)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (4)
- October 2023 (1)
Aikido Security is an automated application security platform designed specifically for software engineering teams.
We secure your entire stack - code, open-source dependencies, infrastructure, and more and integrate into your existing workflows to provide visibility and control across your entire application infrastructure.
Our goal is to simplify security for developers through features like auto-triage of vulnerabilities, tied to whether the vulnerable code is actually used. This cuts through the noise, enabling engineering teams to focus on what matters most. Trusted by leading technology companies and validated by security experts, Aikido is the easiest way to implement application security monitoring and achieve compliance with regulations like ISO & SOC2.
We focus on the developer experience, allowing engineering teams to fix critical problems without security getting in the way of building.
The only platform that satisfies all code & cloud security needs for scaling dev teams.