Aikido
Start for Free
No CC required

Welcome to our blog.

Featured
Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
Glassworm Returns: Invisible Unicode Malware Found in 150+ GitHub Repositories
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.
Glassworm is back with a new wave of invisible Unicode attacks. We’re tracking a fresh campaign quietly compromising repositories across GitHub, npm, and VS Code.
Vulnerabilities & Threats
Ilyas Makari
Top RSAC 2026 Parties, Side-Events & Security Meetups
RSAC 2026 Parties & Security Events Guide | Aikido
RSAC 2026 Parties & Security Events Guide | Aikido
News
Ruben Camerlynck
How Security Teams Fight Back Against AI-Powered Hackers
How Security Teams Fight Back Against AI-Powered Hackers
AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.
A single hacker and a Claude subscription just took down nine Mexican government agencies. AI has handed attackers a serious power upgrade. Security teams need a new playbook.
Vulnerabilities & Threats
Dania Durnas
Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks
Betterleaks: The Gitleaks Successor Built for Faster Secrets Scanning
Betterleaks is a new open source secrets scanner from the creator of Gitleaks. A drop-in replacement with faster scans, token efficiency detection, configurable validation, and more.
The creator of Gitleaks is launching its successor. Betterleaks is a faster open source secrets scanner built to catch more leaks and fit modern developer workflows.
Product & Company Updates
Zach Rice
How does AI pentesting work with compliance?
How does AI Pentesting Work with Compliance?
AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.
AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.
Compliance
Dania Durnas
Trump’s 2026 cybersecurity strategy: From compliance to consequence
Trump’s 2026 Cybersecurity Strategy: From Compliance to Consequence
The Trump administration’s 2026 cybersecurity strategy shifts the focus from compliance checklists to real consequences for cybercriminals. Here’s what CISOs need to know.
News
Mike Wilkes
What continuous pentesting actually requires
Continuous pentesting: how it works and what it requires
Continuous pentesting promises real-time security validation, but most implementations fall short. Here’s what continuous pentesting actually requires—from change-aware testing to exploit validation and remediation loops.
Continuous pentesting is widely discussed, but rarely defined clearly. This piece breaks down what it is, what it isn’t, and what it actually requires.
Guides & Best Practices
Sooraj Shah
Rare Not Random: Using Token Efficiency for Secrets Scanning
Rare Not Random: Using Token Efficiency for Secrets Scanning
Entropy often struggles with generic secrets and short strings. We look at how token efficiency can better identify strings that don’t look like normal text.
Entropy is great at spotting randomness. But secrets aren’t always random. They’re just strings that don’t show up in normal code or text. We explore using BPE tokenization to measure that difference.
Guides & Best Practices
Zach Rice
Why Determinism Is Still a Necessity in Security
Why Determinism Is Still a Necessity in Security
AI scanning finds what rules miss. Deterministic scanning finds it every time. Here's why the best security pipelines don't choose between them.
AI-powered security tools are getting better at finding vulnerabilities. But deterministic tools give you the consistency that pipelines, compliance, and audit trails depend on. We look at what deterministic scanning does well, where AI takes over, and how the two work together for effective security.
Engineering
Dania Durnas
WAF vs. RASP vs. ADR
WAF vs. RASP vs. ADR: How Runtime Application Security Works
WAF, RASP, and ADR protect your app in completely different ways. Here's what each layer actually does, where it falls short, and which ones you need.
WAF, RASP, ADR, eBPF — We're clearing up the terminology around runtime application security. Here's what each layer actually does, how they overlap, and how they fit together
Guides
Dania Durnas
Introducing Aikido Infinite: A new model of self-securing software
Aikido Infinite: Continuous AI Pentesting for Every Release
Aikido Infinite runs AI penetration testing on every code change, validates exploitability, generates patches, and retests fixes before code hits production, making self-securing software a reality.
Aikido
Madeline Lawrence
Persistent XSS/RCE using WebSockets in Storybook’s dev server
Persistent XSS/RCE using WebSockets in Storybook (CVE-2026-27148)
CVE-2026-27148 exposes a WebSocket hijacking flaw in Storybook that can escalate into supply chain compromise. Learn the attack path, impact, and how to remediate.
Aikido Attack found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. We walk through how an attacker can exploit this without any user interaction at all, and a developer just has to visit the wrong website while to run into this attack.
Vulnerabilities & Threats
Robbe Verwilghen
How Aikido secures AI pentesting agents by design
How Aikido Secures AI Pentesting Agents and Prevents Scope Drift
Learn how Aikido secures AI pentesting agents with architectural isolation, runtime scope enforcement, and network-level controls to prevent production drift and data leakage.
AI agents are built to explore. In cybersecurity, that exploration needs strict boundaries. This article explains how Aikido secures AI pentesting agents through architectural isolation, runtime scope enforcement, and layered controls that contain risk by design.
Product & Company Updates
Sooraj Shah
Astro Full-Read SSRF via Host Header Injection
Astro SSRF Vulnerability: Host Header Injection in SSR Error Pages (CVE-2026-25545)
Aikido Security's AI pentesting agent discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. Learn how Host header injection in prerendered error pages allowed full internal network access.
Aikido's AI pentesting agent discovered an SSRF vulnerability in Astro's Node.js adapter. We'll look at how by injecting a malicious Host: header, attackers could redirect an internal request to any URL on the local network.
Vulnerabilities & Threats
Jorian Woltjer
How to Get Your Board to Care About Security (Before a Breach Forces the Issue)
How to Get Your Board to Care About Security Before a Breach
Boards don’t fund security because it’s important. They fund defensible decisions. Here’s how to frame risk, reduce ambiguity, and win real support before a breach forces the issue.
Guides
Mike Wilkes
What is Slopsquatting? The AI Package Hallucination Attack Already Happening
Slopsquatting: The AI Package Hallucination Attack Already Happening
AI models hallucinate npm package names. Attackers register them first. Here's what slopsquatting is, how it's spreading through agent skills, and how to protect yourself.
AI models hallucinate package names — and attackers are registering them before anyone notices. Slopsquatting is the AI-era evolution of typosquatting, and unlike its predecessor, npm's existing protections don't work. We look at the real-world research showing it's already happening, from confirmed malicious packages still pulling hundreds of weekly downloads to a hallucinated package name that spread to 237 repositories through AI agent skill files.
Guides & Best Practices
Dania Durnas
Top 6 Wiz Code Alternatives
Wiz Code Alternatives (2026): 6 Tools Compared and Best Developer-First Option
Looking for Wiz Code alternatives? Compare 6 tools across SAST, DAST, SCA, pricing, and developer experience to find the best AppSec platform for 2026.
This guide compares Wiz Code against six alternatives: Aikido Security, Snyk, Checkmarx, GitHub Advanced Security, Mend, and Veracode, evaluated on coverage, developer experience, AI-powered triage, pricing transparency, and deployment speed. Aikido Security comes out on top for teams wanting a developer-first platform with broad coverage, 85% false positive reduction, AI AutoFix across SAST, IaC and containers, native DAST, and transparent pricing at roughly one-tenth the cost of Wiz.
Guides & Best Practices
Dania Durnas
Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report
Aikido Named AppSec Platform Leader in Latio 2026 Report
Aikido Security recognized as Platform Leader, AI Pentesting Innovator, and Supply Chain Innovator in Latio Tech’s 2026 AppSec Report.
Latio Tech’s 2026 AppSec Report names Aikido a Platform Leader and AI Innovator. Here’s what the report reveals about the future of application security.
News
Sooraj Shah
From detection to prevention: How Zen stops IDOR vulnerabilities at runtime
From Detection to Prevention: Zen Stops IDOR at Runtime | Aikido
IDOR vulnerabilities are one of the most common causes of cross-tenant data leaks in multi-tenant SaaS. Learn how Zen enforces tenant isolation at runtime by analyzing SQL queries and preventing unsafe access before it ships.
IDOR vulnerabilities are a leading cause of cross-tenant data leaks in multi-tenant applications. In this post, we explain how Zen moves beyond detection and enforces tenant isolation at runtime, making cross-tenant access impossible to ship by accident.
Product & Company Updates
Hans Ott
npm backdoor lets hackers hijack gambling outcomes
npm supply chain attack hijacks game backend to rig gambling outcomes
A targeted npm supply chain attack installs an Express backdoor, enables remote SQL/file access, and rewrites gambling balances while keeping logs consistent.
We uncovered malicious npm packages that can modify gambling transactions in production, and keep the database internally consistent afterward.
Vulnerabilities & Threats
Ilyas Makari
Why Trying to Secure OpenClaw is Ridiculous
Why Trying to Secure OpenClaw is Ridiculous
OpenClaw's security issues explained: malware in ClawHub, exposed instances, and why hardening guides miss the point. Can you use the AI agent safely??
News
Dania Durnas
Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code
Upgrade Impact Analysis: When Breaking Changes Actually Matter | Aikido
Aikido automatically detects breaking changes in dependency upgrades and analyzes your codebase to show real impact, so teams can merge security fixes safely.
Aikido’s Upgrade Impact Analysis flags breaking changes in dependency updates and shows whether those changes actually impact your code.
Product & Company Updates
Sooraj Shah
Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security?
Claude Opus 4.6 Found 500 Vulnerabilities: What It Means for Software Security
Anthropic claims Claude Opus 4.6 uncovered 500+ high-severity vulnerabilities in open source. Here’s what that means for vulnerability discovery, exploitability validation, and production security workflows.
Claude Opus 4.6 reportedly found 500+ high-severity vulnerabilities in open source. This piece examines what that actually changes in production, where LLM reasoning helps, and why validation and reachability still determine real security impact.
News
Sooraj Shah
Introducing Aikido Expansion Packs: Safer defaults inside the IDE
Aikido Expansion Packs: Safer Defaults Inside the IDE
Aikido Expansion Packs add focused security controls directly inside your IDE. Enable secrets protection, supply chain malware checks, and AI-assisted code security without changing developer workflows.
Product & Company Updates
Trusha Sharma
International AI Safety Report 2026: What It Means for Autonomous AI Systems
International AI Safety Report 2026: Aikido Security Analysis
Aikido Security's analysis of the International AI Safety Report 2026. We examine deployment-time controls, validation requirements, and practical safety baselines for autonomous AI systems.
Over 100 experts contributed to the International AI Safety Report 2026, documenting risks from autonomous AI systems and proposing defense-in-depth frameworks. As a team operating AI pentesting systems in production, we break down where the report gets it right and where it needs more technical specificity.
News
Dania Durnas
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
March 13, 2026
Vulnerabilities & Threats

Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories

Glassworm is back with a new wave of invisible Unicode attacks. We’re tracking a fresh campaign quietly compromising repositories across GitHub, npm, and VS Code.

#NPM

March 12, 2026
Product & Company Updates

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks

The creator of Gitleaks is launching its successor. Betterleaks is a faster open source secrets scanner built to catch more leaks and fit modern developer workflows.

No items found.
March 6, 2026
Guides & Best Practices

What continuous pentesting actually requires

Continuous pentesting is widely discussed, but rarely defined clearly. This piece breaks down what it is, what it isn’t, and what it actually requires.

No items found.
2026

2026 State of AI in Security & Development

Our new report captures the voices of 450 security leaders (CISOs or equivalent), developers, and AppSec engineers across Europe and the US. Together, they reveal how AI-generated code is already breaking things, how tool sprawl is making security worse, and how developer experience is directly tied to incident rates. This is where speed and safety collide in 2025.

Read more
Title card reading '2026 State of AI in Security & Development' on a dark blue grid background.

Subscribe to our newsletter.
No spam, guaranteed.

Customer Stories

See how teams like yours are using Aikido to simplify security and ship with confidence.

See all

Compliance

Stay ahead of audits with clear, dev-friendly guidance on SOC 2, ISO standards, GDPR, NIS, and more.

See all

Guides & Best Practices

Actionable tips, security workflows, and how-to guides to help you ship safer code faster.

See all

DevSec Tools & Comparisons

Deep dives and side-by-sides of the top tools in the AppSec and DevSecOps landscape.

See all

Vulnerabilities & Threats

Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.

See all

Product & Company Updates

What’s new at Aikido—from product launches to big security wins.

See all
Aikido Zen
IDOR vulnerabilities
IDE Security
Announcements
European Cyber Security
Continuous Pentesting
AI Safety
Self-securing Software
SSDLC
VS Code
AI Penetration Testing
Threat Modeling
Cyber Resilience Act
Triaging
AutoTriage
Pentesting
Bazel
Code Quality
OWASP
NIS2
Legaltech
fintech
RASP
End of Life
SQL Injections
DAST
cnapp
cspm
aspm
Infrastructure as a Code IaC
Network Security Monitoring
License Scanners
SBOM
Container Scanning
AppSec
Vulnerabilities
Software Supply Chain Security
API
Dependencies
Continuous Security Monitoring
DevSecOps
Vibe Coding
AI
NPM
autofix
Malware
Article
open-source
SCA
intel
SOC 2
usecase
Tools
SAST
Compliance
CircleCI
Codeship
IMDSv2
Cloud
IMDSv1
SSRF
AWS
Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
Glassworm Returns: Invisible Unicode Malware Found in 150+ GitHub Repositories
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.
Glassworm is back with a new wave of invisible Unicode attacks. We’re tracking a fresh campaign quietly compromising repositories across GitHub, npm, and VS Code.
Vulnerabilities & Threats
Top RSAC 2026 Parties, Side-Events & Security Meetups
RSAC 2026 Parties & Security Events Guide | Aikido
RSAC 2026 Parties & Security Events Guide | Aikido
News
How Security Teams Fight Back Against AI-Powered Hackers
How Security Teams Fight Back Against AI-Powered Hackers
AI has lowered the bar for hackers dramatically. Here's what that means for defenders and how continuous AI pentesting changes the equation.
A single hacker and a Claude subscription just took down nine Mexican government agencies. AI has handed attackers a serious power upgrade. Security teams need a new playbook.
Vulnerabilities & Threats
Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks
Betterleaks: The Gitleaks Successor Built for Faster Secrets Scanning
Betterleaks is a new open source secrets scanner from the creator of Gitleaks. A drop-in replacement with faster scans, token efficiency detection, configurable validation, and more.
The creator of Gitleaks is launching its successor. Betterleaks is a faster open source secrets scanner built to catch more leaks and fit modern developer workflows.
Product & Company Updates
How does AI pentesting work with compliance?
How does AI Pentesting Work with Compliance?
AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.
AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.
Compliance
Trump’s 2026 cybersecurity strategy: From compliance to consequence
Trump’s 2026 Cybersecurity Strategy: From Compliance to Consequence
The Trump administration’s 2026 cybersecurity strategy shifts the focus from compliance checklists to real consequences for cybercriminals. Here’s what CISOs need to know.
News
What continuous pentesting actually requires
Continuous pentesting: how it works and what it requires
Continuous pentesting promises real-time security validation, but most implementations fall short. Here’s what continuous pentesting actually requires—from change-aware testing to exploit validation and remediation loops.
Continuous pentesting is widely discussed, but rarely defined clearly. This piece breaks down what it is, what it isn’t, and what it actually requires.
Guides & Best Practices
Rare Not Random: Using Token Efficiency for Secrets Scanning
Rare Not Random: Using Token Efficiency for Secrets Scanning
Entropy often struggles with generic secrets and short strings. We look at how token efficiency can better identify strings that don’t look like normal text.
Entropy is great at spotting randomness. But secrets aren’t always random. They’re just strings that don’t show up in normal code or text. We explore using BPE tokenization to measure that difference.
Guides & Best Practices
Why Determinism Is Still a Necessity in Security
Why Determinism Is Still a Necessity in Security
AI scanning finds what rules miss. Deterministic scanning finds it every time. Here's why the best security pipelines don't choose between them.
AI-powered security tools are getting better at finding vulnerabilities. But deterministic tools give you the consistency that pipelines, compliance, and audit trails depend on. We look at what deterministic scanning does well, where AI takes over, and how the two work together for effective security.
Engineering
WAF vs. RASP vs. ADR
WAF vs. RASP vs. ADR: How Runtime Application Security Works
WAF, RASP, and ADR protect your app in completely different ways. Here's what each layer actually does, where it falls short, and which ones you need.
WAF, RASP, ADR, eBPF — We're clearing up the terminology around runtime application security. Here's what each layer actually does, how they overlap, and how they fit together
Guides
Introducing Aikido Infinite: A new model of self-securing software
Aikido Infinite: Continuous AI Pentesting for Every Release
Aikido Infinite runs AI penetration testing on every code change, validates exploitability, generates patches, and retests fixes before code hits production, making self-securing software a reality.
Aikido
Persistent XSS/RCE using WebSockets in Storybook’s dev server
Persistent XSS/RCE using WebSockets in Storybook (CVE-2026-27148)
CVE-2026-27148 exposes a WebSocket hijacking flaw in Storybook that can escalate into supply chain compromise. Learn the attack path, impact, and how to remediate.
Aikido Attack found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. We walk through how an attacker can exploit this without any user interaction at all, and a developer just has to visit the wrong website while to run into this attack.
Vulnerabilities & Threats
How Aikido secures AI pentesting agents by design
How Aikido Secures AI Pentesting Agents and Prevents Scope Drift
Learn how Aikido secures AI pentesting agents with architectural isolation, runtime scope enforcement, and network-level controls to prevent production drift and data leakage.
AI agents are built to explore. In cybersecurity, that exploration needs strict boundaries. This article explains how Aikido secures AI pentesting agents through architectural isolation, runtime scope enforcement, and layered controls that contain risk by design.
Product & Company Updates
Astro Full-Read SSRF via Host Header Injection
Astro SSRF Vulnerability: Host Header Injection in SSR Error Pages (CVE-2026-25545)
Aikido Security's AI pentesting agent discovered a Server-Side Request Forgery vulnerability in Astro's SSR implementation. Learn how Host header injection in prerendered error pages allowed full internal network access.
Aikido's AI pentesting agent discovered an SSRF vulnerability in Astro's Node.js adapter. We'll look at how by injecting a malicious Host: header, attackers could redirect an internal request to any URL on the local network.
Vulnerabilities & Threats
How to Get Your Board to Care About Security (Before a Breach Forces the Issue)
How to Get Your Board to Care About Security Before a Breach
Boards don’t fund security because it’s important. They fund defensible decisions. Here’s how to frame risk, reduce ambiguity, and win real support before a breach forces the issue.
Guides
What is Slopsquatting? The AI Package Hallucination Attack Already Happening
Slopsquatting: The AI Package Hallucination Attack Already Happening
AI models hallucinate npm package names. Attackers register them first. Here's what slopsquatting is, how it's spreading through agent skills, and how to protect yourself.
AI models hallucinate package names — and attackers are registering them before anyone notices. Slopsquatting is the AI-era evolution of typosquatting, and unlike its predecessor, npm's existing protections don't work. We look at the real-world research showing it's already happening, from confirmed malicious packages still pulling hundreds of weekly downloads to a hallucinated package name that spread to 237 repositories through AI agent skill files.
Guides & Best Practices
Top 6 Wiz Code Alternatives
Wiz Code Alternatives (2026): 6 Tools Compared and Best Developer-First Option
Looking for Wiz Code alternatives? Compare 6 tools across SAST, DAST, SCA, pricing, and developer experience to find the best AppSec platform for 2026.
This guide compares Wiz Code against six alternatives: Aikido Security, Snyk, Checkmarx, GitHub Advanced Security, Mend, and Veracode, evaluated on coverage, developer experience, AI-powered triage, pricing transparency, and deployment speed. Aikido Security comes out on top for teams wanting a developer-first platform with broad coverage, 85% false positive reduction, AI AutoFix across SAST, IaC and containers, native DAST, and transparent pricing at roughly one-tenth the cost of Wiz.
Guides & Best Practices
Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report
Aikido Named AppSec Platform Leader in Latio 2026 Report
Aikido Security recognized as Platform Leader, AI Pentesting Innovator, and Supply Chain Innovator in Latio Tech’s 2026 AppSec Report.
Latio Tech’s 2026 AppSec Report names Aikido a Platform Leader and AI Innovator. Here’s what the report reveals about the future of application security.
News
From detection to prevention: How Zen stops IDOR vulnerabilities at runtime
From Detection to Prevention: Zen Stops IDOR at Runtime | Aikido
IDOR vulnerabilities are one of the most common causes of cross-tenant data leaks in multi-tenant SaaS. Learn how Zen enforces tenant isolation at runtime by analyzing SQL queries and preventing unsafe access before it ships.
IDOR vulnerabilities are a leading cause of cross-tenant data leaks in multi-tenant applications. In this post, we explain how Zen moves beyond detection and enforces tenant isolation at runtime, making cross-tenant access impossible to ship by accident.
Product & Company Updates
npm backdoor lets hackers hijack gambling outcomes
npm supply chain attack hijacks game backend to rig gambling outcomes
A targeted npm supply chain attack installs an Express backdoor, enables remote SQL/file access, and rewrites gambling balances while keeping logs consistent.
We uncovered malicious npm packages that can modify gambling transactions in production, and keep the database internally consistent afterward.
Vulnerabilities & Threats
Why Trying to Secure OpenClaw is Ridiculous
Why Trying to Secure OpenClaw is Ridiculous
OpenClaw's security issues explained: malware in ClawHub, exposed instances, and why hardening guides miss the point. Can you use the AI agent safely??
News
Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code
Upgrade Impact Analysis: When Breaking Changes Actually Matter | Aikido
Aikido automatically detects breaking changes in dependency upgrades and analyzes your codebase to show real impact, so teams can merge security fixes safely.
Aikido’s Upgrade Impact Analysis flags breaking changes in dependency updates and shows whether those changes actually impact your code.
Product & Company Updates
Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security?
Claude Opus 4.6 Found 500 Vulnerabilities: What It Means for Software Security
Anthropic claims Claude Opus 4.6 uncovered 500+ high-severity vulnerabilities in open source. Here’s what that means for vulnerability discovery, exploitability validation, and production security workflows.
Claude Opus 4.6 reportedly found 500+ high-severity vulnerabilities in open source. This piece examines what that actually changes in production, where LLM reasoning helps, and why validation and reachability still determine real security impact.
News
Introducing Aikido Expansion Packs: Safer defaults inside the IDE
Aikido Expansion Packs: Safer Defaults Inside the IDE
Aikido Expansion Packs add focused security controls directly inside your IDE. Enable secrets protection, supply chain malware checks, and AI-assisted code security without changing developer workflows.
Product & Company Updates
International AI Safety Report 2026: What It Means for Autonomous AI Systems
International AI Safety Report 2026: Aikido Security Analysis
Aikido Security's analysis of the International AI Safety Report 2026. We examine deployment-time controls, validation requirements, and practical safety baselines for autonomous AI systems.
Over 100 experts contributed to the International AI Safety Report 2026, documenting risks from autonomous AI systems and proposing defense-in-depth frameworks. As a team operating AI pentesting systems in production, we break down where the report gets it right and where it needs more technical specificity.
News
Self-Securing Software: What It Is, Why It Matters, and How It Works
What Is Self-Securing Software? A New Security Model for Modern Software
Self-securing software is a security model where systems continuously validate and remediate real risk as they change. Learn why periodic testing no longer scales.
Self-securing software treats security as a built-in system capability, not a periodic process. This article explains why modern software demands a new security model and what makes it possible today.
Product & Company Updates
Secure SDLC for Engineering Teams (+ Checklist)
Secure SDLC Explained: The 5 Pillars of a Secure Software Development Lifecycle
Learn what a Secure SDLC is, why it matters, and the five pillars every team needs. Includes a practical Secure SDLC checklist for CTOs and engineering leaders.
Guides & Best Practices
Top 10 AI Security Tools For 2026
Top 10 AI Security Tools for 2026: Features, Pros, and Comparisons
Explore the top AI security tools for 2026. Compare platforms for AI code review, vulnerability detection, pentesting, and risk management to secure modern applications.
DevSec Tools & Comparisons
Building Continuous Compliance with Aikido and Comp AI
Continuous Compliance With Aikido and Comp AI
Learn how Aikido and Comp AI enable continuous compliance by turning real-time security data into always-up-to-date audit evidence for SOC 2, ISO 27001, HIPAA, and GDPR.
Product & Company Updates
Top 10 Cyber Security Tools For 2026
Top 10 Cybersecurity Tools for 2026: Detection, Cloud, XDR & AppSec
A practical breakdown of the top 10 cybersecurity tools for 2026, covering endpoint, cloud, identity, vulnerability management, and XDR. Learn how to choose the right tool for your stack and risk profile.
DevSec Tools & Comparisons
What Is Continuous Pentesting?
What Is Continuous Pentesting? How Modern Teams Reduce Exploitable Risk
Continuous pentesting automatically tests real attack paths every time software changes, validating and fixing issues as part of the development lifecycle. Learn how it compares to AI and manual pentesting.
Continuous pentesting treats security as a living system, not a one-off test. Learn how modern teams use it to reduce exploitable risk as software changes.
Guides & Best Practices
npx Confusion: Packages That Forgot to Claim Their Own Name
npx Confusion: Packages That Forgot to Claim Their Own Name
We claimed 128 unclaimed npm package names that official docs told developers to npx. Seven months later: 121,000 downloads. All would have run arbitrary code.
Official documentation tells developers to run `npx package-name`. But what if nobody claimed that name? We registered 128 of them and watched. 121,000 downloads in seven months. The holiday dip proves they're real developers, not bots.
Vulnerabilities & Threats
Introducing Aikido Package Health: a Better Way to Trust Your Dependencies
Aikido Package Health: Health Score for Open Source Packages
See how stable and well-maintained an open source package really is. Aikido Package Health helps devs choose safer dependencies with confidence.
Product & Company Updates
AI Pentesting: Minimum Safety Requirements for Security Testing
When Is AI Pentesting Safe? Minimum Safety Requirements for Security Testing
AI pentesting systems act autonomously against live environments. Learn when AI pentesting is safe to use, the minimum technical safeguards required, and how to evaluate AI security testing tools responsibly.
AI pentesting is already here, but clear safety expectations are not. This article defines a minimum safety standard for AI pentesting, giving teams a concrete baseline to evaluate emerging tools.
Guides & Best Practices
Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
A malicious VS Code extension impersonating Clawdbot is installing ScreenConnect RAT on developer machines.
A malicious VS Code extension impersonating Clawdbot is installing ScreenConnect RAT on developer machines.
Vulnerabilities & Threats
The Top 7 Threat Intelligence Tools in 2026
Top 7 Threat Intelligence Tools in 2026: Cut Noise and Focus on Real Risk
A deep dive into the top threat intelligence tools of 2026, comparing how they reduce alert fatigue, add context, and help teams prioritize real-world security risks.
DevSec Tools & Comparisons
Top 14 VS Code Extensions for 2026
Top 14 VS Code Extensions for 2026: Productivity, Testing, Security, and Collaboration
A practical guide to the best VS Code extensions for 2026, covering productivity, testing, collaboration, and security tools that improve real-world developer workflows.
DevSec Tools & Comparisons
G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets
G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets
npm package ansi-universal-ui delivers GWagon infostealer targeting 100+ crypto wallets, browser credentials, and cloud keys. We analyzed all 10 versions as the attacker iterated in real-time.
Vulnerabilities & Threats
Pentest GPT: How LLMs Are Reshaping Penetration Testing
Pentest GPT: How AI Is Changing Penetration Testing
Explore how Pentest GPT uses LLMs to automate attack reasoning, simulate real exploits, and scale testing. See how Aikido validates every finding.
DevSec Tools & Comparisons
Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages
Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages
A targeted spear-phishing campaign used npm packages and jsDelivr as free phishing infrastructure, serving custom credential harvesters per victim
Vulnerabilities & Threats
Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT
Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT
Attackers published fake spellchecker packages to PyPI with malware hidden in plain sight. We break down the attack and what developers need to watch for.
Vulnerabilities & Threats
SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel
SvelteSpill: Critical Cache Deception Bug in SvelteKit + Vercel
SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if you’re vulnerable and how to mitigate risk.
Our AI pentesting system discovered and reproduced a high-severity vulnerability in default SvelteKit deployments on Vercel. Here’s how it traced a cross-layer flaw across 150,000 lines of code.
Vulnerabilities & Threats
Agent Skills Are Spreading Hallucinated npx Commands
Agent Skills Are Spreading Hallucinated npx Commands
AI agent skills are propagating hallucinated npx commands, creating real security and reliability risks for developers and supply chains.
Vulnerabilities & Threats
Understanding Open-Source License Risk in Modern Software
Understanding Open-Source License Risk in Modern Software
Open-source license risk hides in dependencies and container images. Learn what it is, why it matters, and how to catch issues early.
Open source moves fast, but its licenses still have rules. This piece breaks down what open-source license risk is, why teams keep missing it in modern dependency trees, and how to stay compliant without turning it into a legal fire drill.
Guides & Best Practices
The CISO Vibe Coding Checklist for Security
CISO Vibe Coding Checklist: Securing AI-Built Apps
A practical security checklist for CISOs managing AI and vibe-coded applications. Covers technical guardrails, AI controls, and organizational policies.
AI-powered vibe coding lets anyone ship software. This post outlines the security risks CISOs are facing and introduces a practical checklist, informed by CISOs at Lovable and Supabase.
Guides & Best Practices
From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B
Aikido Security Raises $60M at a $1B valuation
Aikido announces $60M Series B funding at a $1B valuation, accelerating its vision for self-securing software and continuous penetration testing.
Aikido becomes one of the fastest cybersecurity companies to reach unicorn status globally, and the fastest ever in Europe.
Product & Company Updates
Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858)
n8n Critical Vulnerability (CVE-2026-21858) | Unauthenticated RCE Explained
A critical vulnerability in n8n (CVE-2026-21858) allows unauthenticated remote code execution on self-hosted instances. Learn who is affected and how to remediate.
Vulnerabilities & Threats
AI-Driven Pentesting of Coolify: Seven CVEs Identified
Seven CVEs in Coolify Identified Through AI Pentesting | Aikido
AI-driven pentesting of Coolify identified seven CVEs, including privilege escalation and remote code execution vulnerabilities. Findings were responsibly disclosed and fixed.
Aikido
JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack
NeoShadow npm Supply-Chain Attack: JavaScript, MSBuild & Blockchain
A deep technical analysis of the NeoShadow npm supply-chain attack, detailing how JavaScript, MSBuild, and blockchain techniques were combined to compromise developers.
Vulnerabilities & Threats
SAST vs SCA: Securing the Code You Write and the Code You Depend On
SAST vs SCA Explained: Securing Your Code and Dependencies
earn how SAST and SCA differ, what risks each addresses, and why modern AppSec teams need both to secure code and dependencies.
Technical
Top 6 Continuous Pentesting Tools in 2026
Top 6 Continuous Pentesting Tools in 2026
Discover the leading continuous pentesting tools that provide real-time, AI-powered security testing for modern applications.
DevSec Tools & Comparisons
How Engineering and Security Teams Can Meet DORA’s Technical Requirements
DORA Technical Requirements for Engineering & Security Teams
Understand DORA’s technical requirements for engineering and security teams, including resilience testing, risk management, and audit-ready evidence.
Compliance
IDOR Vulnerabilities Explained: Why They Persist in Modern Applications
IDOR Vulnerability Explained: Why Insecure Direct Object References Persist
Learn what an IDOR vulnerability is, why insecure direct object references persist in modern APIs, and why traditional testing tools struggle to detect real authorization failures.
Learn what an IDOR vulnerability is, why insecure direct object references persist in modern APIs, and why traditional testing tools struggle to detect real authorization failures.
Vulnerabilities & Threats
Shai Hulud strikes again - The golden path
Shai Hulud strikes again - The golden path
A new strain of Shai Hulud has been observed in the wild.
Vulnerabilities & Threats
MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It
MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847)
MongoBleed, tracked as CVE-2025-14847, allows unauthenticated memory disclosure in MongoDB via zlib compression. See impact and remediation.
Vulnerabilities & Threats
First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson
Maven Central Malware: Jackson Typosquatting Delivers Cobalt Strike Payload
We uncovered the first sophisticated malware campaign on Maven Central: a typosquatted Jackson package delivering multi-stage payloads and Cobalt Strike beacons via Spring Boot auto-execution.
Vulnerabilities & Threats
The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security
The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security
A deep dive into a GitHub security flaw where forked commits let attackers spoof dependencies. Understand the commit SHA issue and why package managers need API-level protection.
Vulnerabilities & Threats
SAST in the IDE is now free: Moving SAST to where development actually happens
Free SAST Scanning in Your IDE
Run free SAST scans directly in your IDE with real-time feedback and project-wide visibility. Use the same SAST rules and engine as Aikido, with optional AutoFix for supported findings.
Product & Company Updates
AI Pentesting in Action: A TL;DV Recap of Our Live Demo
Aikido AI Pentesting: Live Demo Recap & FAQ
A recap of Aikido’s AI pentesting live demo. See how autonomous agents test real apps, validate findings, generate reports, and enable retesting.
Guides
Top 7 Cloud Security Vulnerabilities
Top 7 Cloud Security Vulnerabilities and How to Prevent Them
Discover the top seven cloud security vulnerabilities affecting modern environments. Learn how attackers exploit IMDS, Kubernetes, misconfigurations, and more, and explore strategies to protect your cloud infrastructure effectively.
Guides & Best Practices
How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams
Complying With the UK Cybersecurity & Resilience Bill | Security Guide
Learn how to meet the UK Cybersecurity & Resilience Bill requirements, from secure-by-design practices to SBOM transparency, supply chain security, and continuous compliance.
Compliance
React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell
React & Next.js DoS Vulnerability (CVE-2025-55184) Explained
CVE-2025-55184 is a React Server Components DoS flaw related to React2Shell. Learn who’s affected, how it works, and how to fully patch it.
Vulnerabilities & Threats
Top Software Supply Chain Security Vulnerabilities Explained
Software Supply Chain Security Vulnerabilities
Understand the biggest software supply chain security vulnerabilities, from malicious packages to dependency confusion attacks.
Guides & Best Practices
Top 10 JavaScript Security Vulnerabilities in Modern Web Apps
JavaScript Security Vulnerabilities | Top Risks
Learn the most frequent JavaScript security vulnerabilities affecting frontend and backend apps, including real-world attack vectors.
Guides & Best Practices
Top 10 Python Security Vulnerabilities Developers Should Avoid
Python Security Vulnerabilities | Top Issues
A practical overview of the most common Python security vulnerabilities, insecure patterns, and dependency-related risks.
Guides & Best Practices
Top 10 Code Security Vulnerabilities Found in Modern Applications
Code Security Vulnerabilities | Common Risks
Explore the most common code security vulnerabilities developers introduce, why they happen, and how teams can catch them earlier.
Guides & Best Practices
Top 9 Kubernetes Security Vulnerabilities and Misconfigurations
Kubernetes Security Vulnerabilities | Top Risks
Learn the most critical Kubernetes security vulnerabilities, common misconfigurations, and why clusters are often exposed by default.
Guides & Best Practices
Top 10 Web Application Security Vulnerabilities Every Team Should Know
Web Application Security Vulnerabilities | Top Risks
Discover the most common web application security vulnerabilities, real-world examples, and how modern teams can reduce risk early.
Guides & Best Practices
OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know
OWASP Top 10 for Agentic Applications (2026): Full Guide to AI Agent Security Risks
Learn the OWASP Top 10 for Agentic Applications. Understand the top AI agent security risks, real-world examples, and how to harden your environment.
Guides & Best Practices
DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting
DAST vs Pentesting vs AI Pentesting: Key Differences Explained
Compare DAST, manual penetration testing, and AI pentesting. Learn where each approach works, where DAST falls short, and how AI pentesting enables deeper, continuous testing of modern applications.
DevSec Tools & Comparisons
Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials
Secret Detection Guide: Find & Prevent Leaks
Learn how secret detection works, what counts as a secret (API keys, tokens, creds), where teams leak them, and how to prevent exposure in git, CI, and production.
Guides & Best Practices
What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
CSPM vs CNAPP: Cloud Posture Explained
A clear breakdown of CSPM and CNAPP: what they cover, how they reduce cloud risk, key features to look for, and how teams actually adopt them.
Guides & Best Practices
Detecting and Preventing Malware in Modern Software Supply Chains
Preventing Software Supply Chain Malware (Guide)
Explore how supply chain malware lands in modern codebases (typosquatting, dependency confusion, malicious updates) and the defenses that stop it early in CI/CD.
Guides & Best Practices
What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained
IaC Security Scanning for Terraform & Kubernetes
Understand IaC security scanning: how it detects cloud misconfigurations in Terraform/Kubernetes, what to prioritize, and how to prevent risky changes before deploy.
Guides & Best Practices
The Ultimate SAST Guide: What Is Static Application Security Testing?
Ultimate SAST Guide: Static Application Security Testing
A practical SAST explainer: how static application security testing works, what issues it finds, common pitfalls, and how to roll it out without drowning devs in noise.
Guides & Best Practices
Supply Chain Security: The Ultimate Guide to Software Composition Analysis (SCA) Tools
Supply Chain Security Guide: Best SCA Tools
Learn what SCA tools do, what they detect (vulnerable dependencies, licenses, malware), and how to choose the right software composition analysis solution for your stack.
Guides & Best Practices
Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now
Critical React & Next.js RCE Vulnerability CVE-2025-55182 Fix Guide
Learn how CVE-2025-55182 and the related Next.js RCE affect React Server Components. See impact, affected versions, and how to fix. Aikido now detects both issues.
Vulnerabilities & Threats
PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents
Prompt Injection Inside GitHub Actions: The New Frontier of Supply Chain Attacks
AI-driven GitHub Actions expose new prompt-injection supply chain vulnerabilities.
Vulnerabilities & Threats
Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame
Shai Hulud 2.0: What the Unknown Wonderer Reveals About the Attackers’ Endgame
New research into the Shai Hulud 2.0 malware suggests the username UnknownWonderer1 tells us more about the attackers’ endgame.
Vulnerabilities & Threats
SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE
SCA in IDE: Scan and Fix Vulnerable Dependencies with AutoFix
Bring the full SCA workflow into your IDE with in-editor scanning and AutoFix. Detect vulnerable packages, review CVEs, and apply safe upgrades without leaving your development workflow.
Product & Company Updates
Safe Chain now enforces a minimum package age before install
SafeChain Now Enforces a Minimum 24-Hour Package Age for Safer Installs
Safe Chain now enforces a minimum 24-hour package age to stop attackers using fresh releases as an entry point. Blocks malware early and falls back to safe versions.
Product & Company Updates
Cloud Security Tools Explained: Key Capabilities & Evaluation Tips
Cloud Security Tools: Features & How to Choose
Discover the essential capabilities of Cloud Security tools and learn how to compare providers to protect your cloud environments.
Guides & Best Practices
ASPM Tools: Essential Features & How to Evaluate Vendors
ASPM Tools: Features & Evaluation Guide
Get an overview of Application Security Posture Management tools, their key capabilities, and the criteria for selecting the right ASPM platform.
Guides & Best Practices
DAST Tools: Features, Capabilities & How to Evaluate Them
DAST Tools: Key Features & Buyer’s Guide
Explore how DAST tools work, their most important features, and the evaluation criteria to consider when choosing a dynamic testing solution.
Guides & Best Practices
SAST Tools: Core Features & How to Choose the Best SAST Solution
SAST Tools: Features & Evaluation Guide
Learn the key capabilities of Static Application Security Testing tools and what to look for when selecting the ideal SAST solution for your workflow.
Guides & Best Practices
Top Javascript Security Tools
Best JavaScript Security Tools for Web & Node.js Apps
Compare top JavaScript security tools to scan npm packages, detect vulnerabilities and secure front-end and Node.js applications.
DevSec Tools & Comparisons
Top Python Security Tools
Top Python Security Tools for Safe Python Development
See the best Python security tools to scan packages, lint code, find vulnerabilities and protect your Python applications from common attacks.
DevSec Tools & Comparisons
Top Github Security Tools For Repository & Code Protection
Best GitHub Security Tools for Secure Repositories
Discover top GitHub security tools for scanning code, secrets and dependencies, protecting repos and enforcing secure development practices.
DevSec Tools & Comparisons
Top SOC 2 Compliance Tools For Automated Audit Readiness
Top SOC 2 Compliance Tools to Simplify Audits
Explore leading SOC 2 compliance tools that streamline evidence collection, map controls and simplify audits for fast-growing teams.
DevSec Tools & Comparisons
Top GCP Security Tools For Safeguarding Google Cloud
Best GCP Security Tools for Google Cloud Protection
Find the best GCP security tools to secure Google Cloud identities, networks, workloads and data with continuous monitoring and alerts.
DevSec Tools & Comparisons
Top 6 Multi-Cloud Security Tools in 2026
Top Multi-Cloud Security Tools for AWS, Azure & GCP
Discover top multi-cloud security tools that give unified visibility, policy enforcement and threat detection across AWS, Azure and GCP.
DevSec Tools & Comparisons
Top Runtime Security Tools
Best Runtime Security Tools for Cloud-Native Workloads
Learn about the best runtime security tools to detect threats in live containers, Kubernetes clusters and cloud workloads in real time.
DevSec Tools & Comparisons
Top 7 CI/CD Security Tools For 2026
Top CI/CD Security Tools for Secure Software Delivery
Explore top CI/CD security tools that protect build pipelines, sign artifacts and enforce policies across your software delivery process.
DevSec Tools & Comparisons
Top Docker Security Tools
Best Docker Security Tools for Containers & Images
See the leading Docker security tools for scanning images, monitoring containers and enforcing policies in containerized environments.
DevSec Tools & Comparisons
Top Security Monitoring Tools
Top Security Monitoring Tools for Real-Time Threat Detection
Explore top security monitoring tools, including SIEM, log analytics and observability platforms, to detect threats in real time.
DevSec Tools & Comparisons
Top Code Security Tools For Secure Software Development
Top Code Security Tools for Developers in 2025
Discover top code security tools, including SAST, SCA and secret scanning, to secure your repositories and prevent supply chain attacks.
DevSec Tools & Comparisons
Top Software Security Testing Tools
Best Software Security Testing Tools Across the SDLC
Compare the best software security testing tools to scan source code, APIs and applications throughout the SDLC and reduce risk.
DevSec Tools & Comparisons
Top 23 Enterprise Security Tools For Scaling Security Operations
Top 23 Enterprise Security Tools For Scaling Security Operations
Explore top enterprise security tools built for large organizations, covering endpoints, cloud, identities, data and compliance requirements.
DevSec Tools & Comparisons
Top Security Automation Tools
Best Security Automation Tools & SOAR Platforms in 2025
Learn about the top security automation tools and SOAR platforms that orchestrate playbooks, reduce alert fatigue and speed up response.
DevSec Tools & Comparisons
Top IAST Tools For Interactive Application Security Testing
Best IAST Tools for Interactive Application Security Testing
Discover leading IAST tools that analyze running applications, uncover vulnerabilities and improve code security during testing.
DevSec Tools & Comparisons
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
March 12, 2026
Vulnerabilities & Threats

How Security Teams Fight Back Against AI-Powered Hackers

A single hacker and a Claude subscription just took down nine Mexican government agencies. AI has handed attackers a serious power upgrade. Security teams need a new playbook.

Tags/

#AI

#Continuous Pentesting

#Self-securing Software

March 9, 2026
News

Trump’s 2026 cybersecurity strategy: From compliance to consequence

Tags/

#Compliance

March 9, 2026
Compliance

How does AI pentesting work with compliance?

AI pentesting is being accepted for SOC 2, ISO 27001, HIPAA, and PCI DSS. Here's what auditors actually look for, and where the real limitations are.

Tags/

#AI Penetration Testing

#Pentesting

March 3, 2026
Vulnerabilities & Threats

Persistent XSS/RCE using WebSockets in Storybook’s dev server

Aikido Attack found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. We walk through how an attacker can exploit this without any user interaction at all, and a developer just has to visit the wrong website while to run into this attack.

Tags/

#Vulnerabilities

#open-source

#Pentesting

March 3, 2026
Engineering

Why Determinism Is Still a Necessity in Security

AI-powered security tools are getting better at finding vulnerabilities. But deterministic tools give you the consistency that pipelines, compliance, and audit trails depend on. We look at what deterministic scanning does well, where AI takes over, and how the two work together for effective security.

Tags/

#SAST

#Tools

February 23, 2026
Guides

How to Get Your Board to Care About Security (Before a Breach Forces the Issue)

Tags/

#Article

February 20, 2026
Guides & Best Practices

What is Slopsquatting? The AI Package Hallucination Attack Already Happening

AI models hallucinate package names — and attackers are registering them before anyone notices. Slopsquatting is the AI-era evolution of typosquatting, and unlike its predecessor, npm's existing protections don't work. We look at the real-world research showing it's already happening, from confirmed malicious packages still pulling hundreds of weekly downloads to a hallucinated package name that spread to 237 repositories through AI agent skill files.

Tags/

#Vulnerabilities

#Dependencies

#NPM

February 13, 2026
News

Why Trying to Secure OpenClaw is Ridiculous

Tags/

#AI Safety

February 10, 2026
Product & Company Updates

Introducing Aikido Expansion Packs: Safer defaults inside the IDE

Tags/

#IDE Security

February 9, 2026
News

International AI Safety Report 2026: What It Means for Autonomous AI Systems

Over 100 experts contributed to the International AI Safety Report 2026, documenting risks from autonomous AI systems and proposing defense-in-depth frameworks. As a team operating AI pentesting systems in production, we break down where the report gets it right and where it needs more technical specificity.

Tags/
No items found.
February 5, 2026
Product & Company Updates

Building Continuous Compliance with Aikido and Comp AI

Tags/

#Compliance

February 3, 2026
Product & Company Updates

Introducing Aikido Package Health: a Better Way to Trust Your Dependencies

Tags/

#open-source

#intel

Product & Company Updates
See all
See all
March 12, 2026
Product & Company Updates

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks

Betterleaks is a new open source secrets scanner from the creator of Gitleaks. A drop-in replacement with faster scans, token efficiency detection, configurable validation, and more.

February 24, 2026
Product & Company Updates

How Aikido secures AI pentesting agents by design

Learn how Aikido secures AI pentesting agents with architectural isolation, runtime scope enforcement, and network-level controls to prevent production drift and data leakage.

#
AI Penetration Testing
#
AI Safety
#
AI
February 16, 2026
Product & Company Updates

From detection to prevention: How Zen stops IDOR vulnerabilities at runtime

IDOR vulnerabilities are one of the most common causes of cross-tenant data leaks in multi-tenant SaaS. Learn how Zen enforces tenant isolation at runtime by analyzing SQL queries and preventing unsafe access before it ships.

#
RASP
Vulnerabilities & Threats
See all
See all
March 13, 2026
Vulnerabilities & Threats

Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories

The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.

#
NPM
February 19, 2026
Vulnerabilities & Threats

SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel

SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if you’re vulnerable and how to mitigate risk.

#
Vulnerabilities
#
DAST
#
AI Penetration Testing
February 16, 2026
Vulnerabilities & Threats

npm backdoor lets hackers hijack gambling outcomes

A targeted npm supply chain attack installs an Express backdoor, enables remote SQL/file access, and rewrites gambling balances while keeping logs consistent.

DevSec Tools & Comparisons
See all
See all
August 19, 2025
DevSec Tools & Comparisons

Top 12 Dynamic Application Security Testing (DAST) Tools in 2026

Discover the 12 top best Dynamic Application Security Testing (DAST) tools in 2026. Compare features, pros, cons, and integrations to choose the right DAST solution for your DevSecOps pipeline.

#
Tools
#
DAST
July 18, 2025
DevSec Tools & Comparisons

Top 13 Container Scanning Tools in 2026

Discover the best 13 Container Scanning tools in 2026. Compare features, pros, cons, and integrations to choose the right solution for your DevSecOps pipeline.

#
Tools
#
Container Scanning
July 17, 2025
DevSec Tools & Comparisons

Top 10 Software Composition Analysis (SCA) tools in 2026

SCA tools are our best line of defense for open-source security, this article explores the top 10 open-source dependency scanners for 2026

#
Tools
#
SCA
Guides & Best Practices
See all
See all
March 6, 2026
Guides & Best Practices

What continuous pentesting actually requires

Continuous pentesting promises real-time security validation, but most implementations fall short. Here’s what continuous pentesting actually requires—from change-aware testing to exploit validation and remediation loops.

March 3, 2026
Guides & Best Practices

Rare Not Random: Using Token Efficiency for Secrets Scanning

Entropy often struggles with generic secrets and short strings. We look at how token efficiency can better identify strings that don’t look like normal text.

#
AppSec
January 16, 2026
Guides & Best Practices

The CISO Vibe Coding Checklist for Security

A practical security checklist for CISOs managing AI and vibe-coded applications. Covers technical guardrails, AI controls, and organizational policies.

#
Vibe Coding

Get secure now

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

Start Scanning
No CC required
Book a demo
No credit card required | Scan results in 32secs.