|
By Trusha Sharma
TL;DR: Aikido now supports Docker Hardened Images. A scan that used to return hundreds of CVEs collapses to the handful that actually apply, because Docker's VEX attestations filter out everything they've verified as non-exploitable. Zero additional setup. Container security has a noise problem You scan a container image and get back a list of 50, 100, sometimes hundreds of CVEs. You open a few. Some look scary. Most are irrelevant. Some have already been patched by the image maintainer.
|
By Dania Durnas
npm's next major release, v12, scheduled to land July 2026, will stop running dependency install scripts by default. We’re relieved to hear it. Turning off install scripts is the most useful change npm could make to its defaults. The community suffered a barrage of supply chain attacks in the last year, like Nx s1ngularity and Shai-Hulud, that exploited postinstall scripts. This npm update is a long-awaited change that will shrink a huge supply chain attack vector.
|
By Jens Gellynck
ENISA just published its SBOM Adoption State of Play 2026, based on a survey of 334 organizations (65% EU-based, 80% directly impacted by the Cyber Resilience Act (CRA)). It is the clearest snapshot yet of where the industry stands on software supply chain transparency, and the picture is more nuanced than "everyone's on board." Here's what stood out.
|
By Nicholas Thomson
This post is based on Mackenzie's conversation with James Hawkins on The Secure Disclosure podcast. Listen to the full episode or watch below. PostHog's engineering team is merging roughly as many pull requests through Slack as through their code editor. As James Hawkins, co-founder and co-CEO of PostHog, explains on the podcast, the shift towards dispersed coding interfaces is underway. "Why are code editors all desktop apps right now? That's a relic of the past.
|
By Samuel Vandamme
Most security teams check the EDR box, check the proxy box, and move on. Against supply chain malware, neither provides meaningful protection because they were built for a different problem. Traditional malware has a way of sneaking onto a machine, whereas supply chain malware gets invited. The developer runs npm install, and the malicious code lands with full permission to execute. That inversion breaks both tools at the design level.
|
By Dania Durnas
Mythos doesn’t need to be treated as the biggest and baddest in the room. Don’t get me wrong. Depending on the benchmark you’re evaluating against, Mythos is among the top models available today, and generally the best at reasoning. But it’s not leaps and bounds ahead of the race. And when it comes to practical use cases, throwing a general model, even a cutting-edge frontier model, at a problem doesn’t get the best results. Nor is it scalable or cost-effective.
|
By Nicholas Thomson
Mobile Device Management (MDM) is a type of software used by organizations to secure, manage, and monitor their employees' mobile devices. Tools like Jamf, Kandji, and Microsoft Intune give IT teams visibility and control over every sanctioned application across the fleet. For compliance frameworks like SOC 2 or ISO 27001, MDM is often a core component of how you demonstrate device control and ensure data security. If your MDM is deployed, congratulations, you've solved 2012's BYOD security challenge.
|
By Charlie Eriksen
There's a new playbook in the supply chain threat landscape, where an someone builds something genuinely useful, growing a real user base. But all while stealing credentials. codexui-android is a remote web UI for OpenAI Codex. Real GitHub repo. Active development. Polished enough to get 27.000 weekly downloads. And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.
|
By Ilyas Makari
On May 22, 2026, we detected an active supply chain attack against Laravel-Lang. We filed a report with the maintainers immediately. The attacker published malicious version tags across three widely used repositories, injecting credential-stealing code that loads automatically via composer’s autoloader feature. What makes this particularly sneaky is that the malicious code was never committed to the official repos at all.
|
By Nicholas Thomson
This post is based on Mackenzie's conversation with Noora Ahmed-Moshe on The Secure Disclosure podcast. Listen to the full episode. A company lost a million dollars because someone on a litigation call ran an AI note-taker. As behavioral scientist Noora Ahmed-Moshe explains on the podcast, the tool summarized a confidential conversation and sent it to the opposing party, who used it to force a settlement on their terms.
- June 2026 (6)
- May 2026 (8)
- April 2026 (7)
- March 2026 (7)
- February 2026 (8)
- January 2026 (3)
- December 2025 (4)
- November 2025 (5)
- October 2025 (2)
- September 2025 (7)
- August 2025 (3)
- July 2025 (3)
- June 2025 (5)
- May 2025 (9)
- April 2025 (3)
- March 2025 (5)
- February 2025 (1)
- January 2025 (5)
- December 2024 (5)
- November 2024 (6)
- October 2024 (1)
- September 2024 (1)
- August 2024 (1)
- July 2024 (1)
- June 2024 (5)
- May 2024 (3)
- April 2024 (1)
- March 2024 (1)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (4)
- October 2023 (1)
Aikido Security is an automated application security platform designed specifically for software engineering teams.
We secure your entire stack - code, open-source dependencies, infrastructure, and more and integrate into your existing workflows to provide visibility and control across your entire application infrastructure.
Our goal is to simplify security for developers through features like auto-triage of vulnerabilities, tied to whether the vulnerable code is actually used. This cuts through the noise, enabling engineering teams to focus on what matters most. Trusted by leading technology companies and validated by security experts, Aikido is the easiest way to implement application security monitoring and achieve compliance with regulations like ISO & SOC2.
We focus on the developer experience, allowing engineering teams to fix critical problems without security getting in the way of building.
The only platform that satisfies all code & cloud security needs for scaling dev teams.