.avif)
Vulnerabilities & Threats
The Wild West of VS Code extensions and how a poisoned extension breached GitHub
A poisoned VS Code extension breached GitHub yesterday, one day after Nx Console (2.2M installs) was compromised for 18 minutes on the Visual Studio Marketplace and reached every user with auto-update on.
Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!
Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems
.png)
Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
The Mini Shai-Hulud npm worm has hit Alibaba's @antv packages, echarts-for-react, and timeago.js. The payload steals CI/CD secrets, plants backdoors in VS Code and Claude Code, and spreads by republishing compromised packages. Here is what happened and how to protect your team.
Glassworm Strikes Popular React Native Phone Number Packages
Aikido Security researchers recovered and decrypted the full payload chain from two malicious React Native packages. Here's what the malware does and what to look for.
Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.
How Security Teams Fight Back Against AI-Powered Hackers
AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.
Persistent XSS/RCE using WebSockets in Storybook’s dev server
CVE-2026-27148 exposes a WebSocket hijacking flaw in Storybook that can escalate into supply chain compromise. Learn the attack path, impact, and how to remediate.
Astro Full-Read SSRF via Host Header Injection
Aikido Security's AI pentesting agent discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. Learn how Host header injection in prerendered error pages allowed full internal network access.
SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel
SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if you’re vulnerable and how to mitigate risk.
npm backdoor lets hackers hijack gambling outcomes
A targeted npm supply chain attack installs an Express backdoor, enables remote SQL/file access, and rewrites gambling balances while keeping logs consistent.
npx Confusion: Packages That Forgot to Claim Their Own Name
We claimed 128 unclaimed npm package names that official docs told developers to npx. Seven months later: 121,000 downloads. All would have run arbitrary code.
Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
A malicious VS Code extension impersonating Clawdbot is installing ScreenConnect RAT on developer machines.
G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets
npm package ansi-universal-ui delivers GWagon infostealer targeting 100+ crypto wallets, browser credentials, and cloud keys. We analyzed all 10 versions as the attacker iterated in real-time.
Vulnerabilities & Threats
Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.
Customer Stories
See how teams like yours are using Aikido to simplify security and ship with confidence.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
