aikido.dev
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-26.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-05-26 | Why developer machines are now the number one target for supply chain attacks [Supply Chain] | Library providing enhanced security for developer machines, addressing the growing threat of supply chain attacks targeting workstations. It extends visibility beyond package registries to include IDE extensions, browser plugins, and AI tools, offering granular telemetry to detect and prevent vulnerabilities before they impact production. Examples mentioned include attacks via malicious VS Code extensions, Trivy, and compromised packages, highlighting the limitations of traditional EDR tools in monitoring developer environments. |
| 2026-05-23 | Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer [Supply Chain] | Library detecting a supply chain attack targeting Laravel-Lang packages, where malicious version tags pointed to a fork containing credential-stealing code. This malware, delivered via composer's autoloader, collects AWS, GCP, Azure, and other cloud credentials, infrastructure secrets, developer keys, browser passwords, cryptocurrency wallet files, and VPN configurations. The attack was reported to Packagist and Aikido provides detection and prevention tools, including Aikido Safe Chain for intercepting package installations. |
| 2026-05-20 | GitHub breached via a malicious VS Code extension: why developer devices are the real target [Supply Chain] | Library for on-device application security, Aikido Device Protection, combats threats from trusted developer tooling like VS Code extensions. It features real-time malware blocking by checking against a live feed and a configurable minimum age policy, preventing installation of recently published or updated packages within a set timeframe. This approach protects against attacks like the compromised Nx Console extension and Durable Task Python SDK by enforcing security at the workstation, independent of network controls and beyond the scope of traditional EDR solutions. |
| 2026-05-20 | Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again! [Python] | Library versions 1.4.1, 1.4.2, and 1.4.3 of Microsoft's `durabletask` Python package on PyPI were compromised with a dropper that executes a sophisticated infostealer and worm. This payload targets credentials from cloud providers, password managers, and developer tools, propagating via SSM or kubectl in cloud environments. It also includes a destructive component triggered by specific system locales. The malware exfiltrates data encrypted with an RSA key and utilizes a GitHub-based dead-drop for command and control. |
| 2026-04-30 | Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer [Supply Chain] | Library detailing "Mini Shai-Hulud," a Bun-based secret stealer targeting SAP npm packages like `@cap-js/sqlite`, `@cap-js/postgres`, `@cap-js/db-service`, and `mbt`. The malware uses a `preinstall` script to download and execute a credential stealer, harvesting GitHub tokens, npm tokens, cloud secrets from AWS, Azure, GCP, and Kubernetes, and exfiltrating encrypted results via public GitHub repositories. It propagates by injecting malicious code into other packages and commits. |
| 2026-04-29 | Bug bounty isn't dead but the old model is breaking [Bug Bounty] | Analysis of the bug bounty model's evolution, discussing the impact of AI on report generation and validation costs, leading to programs like IBB pausing submissions and curl removing payouts. It highlights the shift from incentivized disclosure to expected disclosure, with a potential focus on more targeted rewards and better security outcomes rather than sheer report volume. |
| 2026-04-21 | Introducing Endpoint Protection: Security for Developer Devices [Supply Chain] | Library for protecting developer devices against software supply chain attacks. It prevents malicious package installs, IDE extensions, browser plug-ins, and AI skills by offering visibility into installed software, blocking threats before installation, enforcing package age policies, and enabling approval workflows. Built upon the open-source Safe Chain project and powered by the LLM-based Aikido Intel threat intelligence engine, it aims to secure developer workstations without hindering productivity, addressing vulnerabilities exemplified by the Shai-Hulud and Axios attacks. |
| 2026-04-17 | Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow [XSS] | Library detailing three XSS vulnerabilities found in Mailcow, including a critical unauthenticated flaw affecting administrator accounts via Autodiscover logs (GHSA-f9xf-vc72-rcgm). Another XSS targets administrators through attachment filenames in the Quarantine feature (GHSA-2xjc-rg88-jvpp), and a Self-XSS in Login History is escalated via Login CSRF (GHSA-jprq-w83q-q62h). All issues have been fixed since version 2026-03b. |
| 2026-04-17 | IDOR Vulnerability Explained: Why IDOR Persists (Aikido) [IDOR] | Library for identifying Insecure Direct Object References (IDORs), a prevalent vulnerability in modern, API-driven applications. This resource details how IDORs manifest in practice, why traditional testing methods and DAST tools often miss them, and the limitations of static analysis in detecting these contextual authorization failures. It highlights that IDORs, also known as Broken Object Level Authorization (BOLA) in APIs, persist due to evolving system design and the assumption of ownership rather than revalidation, leading to potential data breaches and unauthorized modifications. |
| 2026-04-17 | Prisma and PostgreSQL vulnerable to NoSQL injection? (Aikido) [GraphQL] | Library vulnerability analysis demonstrating how Prisma ORM, even with PostgreSQL, is susceptible to operator injection, commonly known as NoSQL injection. This occurs when user input is passed to query functions supporting string-based operators, such as `findFirst`, `findMany`, `updateMany`, and `deleteMany`. The analysis highlights exploits and recommends prevention techniques including casting user input to primitive data types, implementing robust server-side validation with libraries like Zod, and keeping ORMs like Prisma and Sequelize updated to benefit from security fixes. |
| 2026-04-10 | Best Secret Scanning Tools in 2025 [Secrets] | Library for detecting hard-coded secrets in code, configurations, and cloud infrastructure. It utilizes pattern recognition, entropy checks, and AI to identify sensitive data like API keys and passwords, aiming to prevent data breaches by automating detection and remediation. Notable features include context-aware detection correlating secrets with other vulnerabilities, one-click remediation for many secret types, and integration into developer workflows via IDE extensions and pre-commit hooks. The library supports broad scanning across Git repositories, container images, and cloud environments, offering a free tier for basic use. |
| 2026-04-10 | n8n Critical Vulnerability (CVE-2026-21858): Unauthenticated RCE [RCE] | Writeup of CVE-2026-21858, an unauthenticated RCE in n8n, allowing full compromise of locally deployed instances through arbitrary file access, authentication bypass, and command execution. Discovered by Cyera Research Labs and nicknamed 'Ni8mare', this vulnerability highlights automation platforms as high-impact attack surfaces. Remediation involves upgrading n8n, restricting exposure of Forms and Webhooks, and reviewing workflow configurations. |
| 2026-04-03 | Python Security Vulnerabilities \| Top Issues \| Aikido [Python] | Library for identifying and mitigating common Python security vulnerabilities. It details risks like arbitrary code execution via `eval()` and `exec()`, OS command injection through `subprocess` and `os.system`, and the dangers of hardcoded secrets. The library emphasizes practical mitigation techniques, such as avoiding unsafe function usage, using argument lists with `subprocess`, and employing secure secret management practices. It highlights how SAST tools can detect these patterns early in development. |
| 2026-03-14 | Persistent XSS/RCE using WebSockets in Storybook's dev server [XSS] | Library of JavaScript code and examples addressing CVE-2026-27148, a high-severity WebSocket hijacking vulnerability in Storybook's dev server. This vulnerability can lead to persistent Cross-Site Scripting (XSS) and Remote Code Execution (RCE) by allowing attackers to inject malicious code into story files. Exploitation can occur via publicly exposed dev servers or through a malicious webpage visited by a developer running a local instance, potentially compromising credentials, system access, and network resources, and even propagating through version control and CI/CD pipelines. |
| 2026-02-23 | Astro SSRF Vulnerability: Host Header Injection in SSR Error Pages (CVE-2026-25545) [SSRF] | Library for detecting Astro SSRF vulnerabilities, specifically CVE-2026-25545, caused by Host header injection in SSR error pages. This vulnerability allows attackers to craft requests that trick the Astro server into fetching arbitrary internal URLs, potentially exposing sensitive data. Exploitation requires SSR mode, an unsanitized Host header, and a configured custom error page (like `404.astro`). Patched versions include astro@5.17.2, @astrojs/node@9.5.3, and astro@6.0.0-beta.11. |