|
By Samuel Vandamme
Most security teams check the EDR box, check the proxy box, and move on. Against supply chain malware, neither provides meaningful protection because they were built for a different problem. Traditional malware has a way of sneaking onto a machine, whereas supply chain malware gets invited. The developer runs npm install, and the malicious code lands with full permission to execute. That inversion breaks both tools at the design level.
|
By Dania Durnas
Mythos doesn’t need to be treated as the biggest and baddest in the room. Don’t get me wrong. Depending on the benchmark you’re evaluating against, Mythos is among the top models available today, and generally the best at reasoning. But it’s not leaps and bounds ahead of the race. And when it comes to practical use cases, throwing a general model, even a cutting-edge frontier model, at a problem doesn’t get the best results. Nor is it scalable or cost-effective.
|
By Nicholas Thomson
Mobile Device Management (MDM) is a type of software used by organizations to secure, manage, and monitor their employees' mobile devices. Tools like Jamf, Kandji, and Microsoft Intune give IT teams visibility and control over every sanctioned application across the fleet. For compliance frameworks like SOC 2 or ISO 27001, MDM is often a core component of how you demonstrate device control and ensure data security. If your MDM is deployed, congratulations, you've solved 2012's BYOD security challenge.
|
By Charlie Eriksen
There's a new playbook in the supply chain threat landscape, where an someone builds something genuinely useful, growing a real user base. But all while stealing credentials. codexui-android is a remote web UI for OpenAI Codex. Real GitHub repo. Active development. Polished enough to get 27.000 weekly downloads. And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server.
|
By Ilyas Makari
On May 22, 2026, we detected an active supply chain attack against Laravel-Lang. We filed a report with the maintainers immediately. The attacker published malicious version tags across three widely used repositories, injecting credential-stealing code that loads automatically via composer’s autoloader feature. What makes this particularly sneaky is that the malicious code was never committed to the official repos at all.
|
By Nicholas Thomson
This post is based on Mackenzie's conversation with Noora Ahmed-Moshe on The Secure Disclosure podcast. Listen to the full episode. A company lost a million dollars because someone on a litigation call ran an AI note-taker. As behavioral scientist Noora Ahmed-Moshe explains on the podcast, the tool summarized a confidential conversation and sent it to the opposing party, who used it to force a settlement on their terms.
|
By Raphael Silva
Mini Shai-Hulud is back. Like I said before, we were yet to see the full scale of the attack. The npm campaign we covered in April, when it targeted SAP packages, has now turned into a much larger compromise. Our Malware Team detected 373 malicious package-version entries across 169 npm package names. The basic goal is still the same: steal credentials from developer machines and CI/CD runners, then use those credentials to reach more packages. What changed is the scale and the release path.
|
By Dania Durnas
GitHub Actions has been exploited a lot in a lot of supply chain attacks lately, and workflow misconfigurations have played big roles. It's dangerous to go alone!
|
By Mike Wilkes
Large engineering organizations like to believe their biggest problems are technical. If only someone would approve the budget for the latest tool, everything would be solved. Lately, the prevailing bet is that the silver bullet is vibe coding powered by your favorite flavor of LLM. But the pathologies of large organizations are rarely technical in nature.
|
By Mike Wilkes
The Anthropic Glasswing initiative brings together Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks as launch partners. You can find a lot of posts and reactions on social media as it is definitely a big deal that Anthropic is keeping their Mythos Preview model out of general access.
- June 2026 (2)
- May 2026 (8)
- April 2026 (7)
- March 2026 (7)
- February 2026 (8)
- January 2026 (3)
- December 2025 (4)
- November 2025 (5)
- October 2025 (2)
- September 2025 (7)
- August 2025 (3)
- July 2025 (3)
- June 2025 (5)
- May 2025 (9)
- April 2025 (3)
- March 2025 (5)
- February 2025 (1)
- January 2025 (5)
- December 2024 (5)
- November 2024 (6)
- October 2024 (1)
- September 2024 (1)
- August 2024 (1)
- July 2024 (1)
- June 2024 (5)
- May 2024 (3)
- April 2024 (1)
- March 2024 (1)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (4)
- October 2023 (1)
Aikido Security is an automated application security platform designed specifically for software engineering teams.
We secure your entire stack - code, open-source dependencies, infrastructure, and more and integrate into your existing workflows to provide visibility and control across your entire application infrastructure.
Our goal is to simplify security for developers through features like auto-triage of vulnerabilities, tied to whether the vulnerable code is actually used. This cuts through the noise, enabling engineering teams to focus on what matters most. Trusted by leading technology companies and validated by security experts, Aikido is the easiest way to implement application security monitoring and achieve compliance with regulations like ISO & SOC2.
We focus on the developer experience, allowing engineering teams to fix critical problems without security getting in the way of building.
The only platform that satisfies all code & cloud security needs for scaling dev teams.