
.avif)
Vulnerabilities & Threats

AsyncAPI npm packages backdoored via GitHub Actions
Five package versions, including specs at roughly 2 million weekly downloads, shipped an obfuscated dropper on 2026-07-14. Here is what we have confirmed so far.

Multiple JetBrains IDE plugins caught stealing AI keys
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.
.jpg)
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised
The threat actor behind “Shai Hulud 2.0” launched a new malware campaign compromising the supply chain of Zapier, ENS Domains and more — exposing secrets, injecting malicious code, and enabling widespread developer-environment takeover.
Invisible Unicode Malware Strikes OpenVSX, Again
Another wave of Open VSX extensions were compromised today.
The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties
Threat actors are using Unprintable Unicode Characters to
Bugs in Shai-Hulud: Debugging the Desert
The Shai Hulud worm had some bugs of its own, and required patching by the attackers. We also look at a timeline of events, to see how it unfolded.
S1ngularity/nx attackers strike again
The attackers behind the nx attack have struck again, targeting a large amount of packages, with a first-of-its-kind worm payload.
We Got Lucky: The Supply Chain Disaster That Almost Happened
Eighteen widely used open source packages were compromised, downloaded billions of times and embedded across nearly every cloud environment. The community dodged a bullet. But this close call shows just how fragile our software supply chain really is.
duckdb npm packages compromised
The popular package duckdb was compromised by same attackers that hit debug and chalk
npm debug and chalk packages compromised
The popular packages debug and chalk on npm have been compromised with malicious code
Without a Dependency Graph Across Code, Containers, and Cloud, You’re Blind to Real Vulnerabilities
Stop drowning in CVEs. Without a dependency graph across code, containers, and cloud, you’ll miss real vulnerabilities and chase false positives
Popular nx packages compromised on npm
The popular nx package on npm was compromised, and stolen data was published on GitHub publicly
WTF is Vibe Coding Security? Risks, Examples, and How to Stay Safe
Vibe coding is the new AI coding trend where anyone can spin up an app in hours. But from Replit’s database wipe to exposed tea apps, the risks are real. Learn what vibe coding security means, the difference from agentic coding, and how CISOs can keep the vibes without the vulnerabilities.
Vulnerabilities & Threats
Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.
Customer Stories
See how teams like yours are using Aikido to simplify security and ship with confidence.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

