.avif)
Vulnerabilities & Threats
The Wild West of VS Code extensions and how a poisoned extension breached GitHub
A poisoned VS Code extension breached GitHub yesterday, one day after Nx Console (2.2M installs) was compromised for 18 minutes on the Visual Studio Marketplace and reached every user with auto-update on.
Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!
Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems
.png)
Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
The Mini Shai-Hulud npm worm has hit Alibaba's @antv packages, echarts-for-react, and timeago.js. The payload steals CI/CD secrets, plants backdoors in VS Code and Claude Code, and spreads by republishing compromised packages. Here is what happened and how to protect your team.
Agent Skills Are Spreading Hallucinated npx Commands
AI agent skills are propagating hallucinated npx commands, creating real security and reliability risks for developers and supply chains.
Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858)
A critical vulnerability in n8n (CVE-2026-21858) allows unauthenticated remote code execution on self-hosted instances. Learn who is affected and how to remediate.
JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack
A deep technical analysis of the NeoShadow npm supply-chain attack, detailing how JavaScript, MSBuild, and blockchain techniques were combined to compromise developers.
IDOR Vulnerabilities Explained: Why They Persist in Modern Applications
Learn what an IDOR vulnerability is, why insecure direct object references persist in modern APIs, and why traditional testing tools struggle to detect real authorization failures.
MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It
MongoBleed, tracked as CVE-2025-14847, allows unauthenticated memory disclosure in MongoDB via zlib compression. See impact and remediation.
First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson
We uncovered the first sophisticated malware campaign on Maven Central: a typosquatted Jackson package delivering multi-stage payloads and Cobalt Strike beacons via Spring Boot auto-execution.
The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security
A deep dive into a GitHub security flaw where forked commits let attackers spoof dependencies. Understand the commit SHA issue and why package managers need API-level protection.
React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell
CVE-2025-55184 is a React Server Components DoS flaw related to React2Shell. Learn who’s affected, how it works, and how to fully patch it.
PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents
AI-driven GitHub Actions expose new prompt-injection supply chain vulnerabilities.
Vulnerabilities & Threats
Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.
Customer Stories
See how teams like yours are using Aikido to simplify security and ship with confidence.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
