Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The latest News and Information on Application Security including monitoring, testing, and open source.

Why traditional DAST Tools fail modern AppSec teams (and how to fix it)

For years, development and security practitioners have treated dynamic application security testing as a critical final safety check before code goes live. However, the external attack surface is expanding faster than mid-sized security teams can realistically manage. In this high-velocity environment, legacy DAST tools are increasingly failing to keep pace.

Predicting MongoDB ObjectId continuously in Rocket.Chat

Applications using MongoDB have a common pitfall of treating the ObjectId() function as cryptographically secure. Recently, we found Rocket.Chat, an open source Slack-like application, to be a victim of this. At Aikido, we run AI Pentests on various open source applications to test our agents and identify their strengths and improvement points. During the pentest, one of the agents reported that an unauthenticated Rocket.Chat user can access any uploaded file if they know its ID.

Authentication Bypass in the default configuration phpBB

June 10th, we announced a critical vulnerability in phpBB that lets attackers bypass authentication, now known as CVE-2026-48611. This post is a follow-up, containing technical details that explain exploit scenarios and detection methods. To get you up to speed, phpBB is an old forum software that's still being used today by various technical communities. phpBB's Site Showcase alone has over 6 million members.

AI Pentesting for Compliance

For two decades, “penetration testing” has meant the same thing: once a year, you hire a firm, a human tester spends a week or two on your systems, and you get a PDF. Most compliance frameworks were written around exactly that ritual, a slow, manual, point-in-time engagement. Software doesn’t ship once a year anymore. It ships many times a day.

And another one. GitHub ships break-glass credential revocation

Last week, GitHub released self-service credential revocation for Enterprise. The feature lets organization owners cut off compromised credentials across the entire organization in one action instead of trying to track down individual tokens during an active incident. This fix was a long time coming, as the past few months have shown what happens when revocation is slow or incomplete.

Top 10 Application Security Risks (2026 Edition)

You already know the threats are getting worse. What’s harder to articulate — especially to leadership — is exactly how they’re getting worse, and what’s slipping through the cracks in your current program. The application security risks your teams face in 2026 are not just more numerous than they were five years ago; they’re structurally different.

npm now freezes high-impact accounts after risky account changes

npm shipped a new protection this week for its most depended-on accounts. When npm detects a sensitive action on a high-impact account, like an email swap or the use of a 2FA recovery code, it puts that account into a 72-hour read-only state and sends an alert to the previous email address. The package installs and downloads keep working as normal during this time, and the freeze lifts automatically at the end of the waiting period.

Boost Security Workflows with Veracode Analytics | Secure Coding Challenges & Solutions

Struggling with inefficient secure coding workflows, lack of visibility into developer actions, and growing security debt? In this clip, Christian Dalomba breaks down the biggest challenges organizations face with secure development and shows how Veracode Fix Analytics helps you move beyond just finding vulnerabilities to actually fixing them faster and smarter. Key takeaways.

Compromised GitHub action codfish/semantic-release-action steals CI/CD secrets

On Jun 24, 2026, the codfish/semantic-release-action GitHub Action was compromised through an imposter commit attack. An attacker force-pushed two malicious commits into the repository and repointed sixteen tags to them, including the floating major version tags v2, v3, v4, and v5. Any workflow referencing the action by one of those tags will pull and run the attacker's code on its next CI run.

Aikido x Drydock | A way for maintainers to catch malware before it ships

Maintainers, this is for you. We're partnering with Drydock so maintainers can see exactly what's inside a package before they approve it, catching malware before it ships instead of disclosing it after. Drydock lets you read the actual bytes of a staged release before it goes live, so bad versions get caught at approval rather than in a post-mortem. For npm and PyPI maintainers, Drydock is available at no cost.