
.avif)
Vulnerabilities & Threats

AsyncAPI npm packages backdoored via GitHub Actions
Five package versions, including specs at roughly 2 million weekly downloads, shipped an obfuscated dropper on 2026-07-14. Here is what we have confirmed so far.

Multiple JetBrains IDE plugins caught stealing AI keys
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.
.jpg)
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
AsyncAPI npm packages backdoored via GitHub Actions
Five package versions, including specs at roughly 2 million weekly downloads, shipped an obfuscated dropper on 2026-07-14. Here is what we have confirmed so far.
Compromised @injectivelabs/sdk-ts exfiltrates wallet keys through fake telemetry
A malicious release of @injectivelabs/sdk-ts hid a wallet-key stealer inside code labeled as usage telemetry, then spread it across 17 more npm packages. Here's how it worked and how to check your projects.
Predicting MongoDB ObjectId continuously in Rocket.Chat
Aikido's AI pentester found this file-access flaw in Rocket.Chat. A closer look at MongoDB's ObjectId showed the weak randomness that makes it exploitable.
Authentication Bypass in the default configuration phpBB
Our AI pentest agents found a critical phpBB auth bypass (CVE-2026-48611): one unauthenticated request logs you into any account. See the exploit and the fix.
Compromised GitHub action codfish/semantic-release-action steals CI/CD secrets
codfish/semantic-release-action was compromised on June 24, 2026. Attackers repointed v2–v5 tags to a Miasma credential-stealing payload targeting CI/CD secrets. Here's what happened and how to check if you're affected.
Over 140 popular Mastra npm Packages Hit by Supply Chain Attack
141 Mastra npm packages were compromised in a supply chain attack that injected a malicious dependency to silently download and execute a payload at install time.
Multiple JetBrains IDE plugins caught stealing AI keys
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.
Compromised Rust crate onering performs code exfiltration
The compromised onering Rust crate v1.4.1 on crates.io shipped a malicious build.rs that exfiltrates the diff of your latest commit to a hosted Sentry endpoint every time you build.
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System
Deep dive into binding.gyp, the often overlooked npm build file that can execute malicious code at install time through shell expansions, sandbox escapes, and compiler hijacking.
Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm
Multiple official @redhat-cloud-services npm packages were compromised with a credential-stealing worm derived from the open-sourced Mini Shai-Hulud malware, targeting cloud credentials, and developer tooling across CI/CD pipelines.
Vulnerabilities & Threats
Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.
Customer Stories
See how teams like yours are using Aikido to simplify security and ship with confidence.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

