
Vulnerabilities & Threats

The Wild West of VS Code extensions and how a poisoned extension breached GitHub
A poisoned VS Code extension breached GitHub yesterday, one day after Nx Console (2.2M installs) was compromised for 18 minutes on the Visual Studio Marketplace and reached every user with auto-update on.

Microsoft's durabletask package on PyPI compromised. Mini Shai-Hulud attacks again... again!
Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems
Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
The Mini Shai-Hulud npm worm has hit Alibaba's @antv packages, echarts-for-react, and timeago.js. The payload steals CI/CD secrets, plants backdoors in VS Code and Claude Code, and spreads by republishing compromised packages. Here is what happened and how to protect your team.
Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm
Malware found in @bitwarden/cli v2026.4.0 steals SSH keys, cloud secrets, and AI coding tool credentials, then spreads through victims' own npm packages. Inside: a worm calling itself "Shai-Hulud: The Third Coming."
GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays
A newly discovered npm and PyPI malware campaign installs hidden LLM proxies on compromised servers, turning them into relay nodes for LLM traffic.
Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow
Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.
Axios CVE-2026-40175: a critical bug that’s… not exploitable
Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.
GlassWorm goes native: New Zig dropper infects every IDE on your machine
GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.
Aikido Attack finds multiple 0-days in Hoppscotch
Aikido’s AI pentesting agents discovered multiple high-severity vulnerabilities in Hoppscotch, including account takeover, stored XSS, and access control flaws. All issues are now patched.
axios compromised on npm: maintainer account hijacked, RAT deployed
Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.
Popular telnyx package compromised on PyPI by TeamPCP
The popular telnyx package on PyPI, used by major AI companies, has been compromised by TeamPCP.
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
TeamPCP deploys CanisterWorm on NPM following Trivy compromise