aikido.dev
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-30.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-04-30 2026 | Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret StealerSupply Chain | Library detailing "Mini Shai-Hulud," a Bun-based secret stealer targeting SAP npm packages like `@cap-js/sqlite`, `@cap-js/postgres`, `@cap-js/db-service`, and `mbt`. The malware uses a `preinstall` script to download and execute a credential stealer, harvesting GitHub tokens, npm tokens, cloud secrets from AWS, Azure, GCP, and Kubernetes, and exfiltrating encrypted results via public GitHub repositories. It propagates by injecting malicious code into other packages and commits. |
| 2026-04-29 2026 | Bug bounty isnt dead but the old model is breakingBug Bounty | Analysis of the bug bounty model's evolution, discussing the impact of AI on report generation and validation costs, leading to programs like IBB pausing submissions and curl removing payouts. It highlights the shift from incentivized disclosure to expected disclosure, with a potential focus on more targeted rewards and better security outcomes rather than sheer report volume. |
| 2026-04-21 2026 | Introducing Endpoint Protection: Security for Developer DevicesSupply Chain | Library for protecting developer devices against software supply chain attacks. It prevents malicious package installs, IDE extensions, browser plug-ins, and AI skills by offering visibility into installed software, blocking threats before installation, enforcing package age policies, and enabling approval workflows. Built upon the open-source Safe Chain project and powered by the LLM-based Aikido Intel threat intelligence engine, it aims to secure developer workstations without hindering productivity, addressing vulnerabilities exemplified by the Shai-Hulud and Axios attacks. |
| 2026-04-17 2026 | Multiple Cross-Site Scripting (XSS) Vulnerabilities in MailcowXSS | Library detailing three XSS vulnerabilities found in Mailcow, including a critical unauthenticated flaw affecting administrator accounts via Autodiscover logs (GHSA-f9xf-vc72-rcgm). Another XSS targets administrators through attachment filenames in the Quarantine feature (GHSA-2xjc-rg88-jvpp), and a Self-XSS in Login History is escalated via Login CSRF (GHSA-jprq-w83q-q62h). All issues have been fixed since version 2026-03b. |
| 2026-04-17 2026 | IDOR Vulnerability Explained: Why IDOR Persists (Aikido)IDOR | Library for identifying Insecure Direct Object References (IDORs), a prevalent vulnerability in modern, API-driven applications. This resource details how IDORs manifest in practice, why traditional testing methods and DAST tools often miss them, and the limitations of static analysis in detecting these contextual authorization failures. It highlights that IDORs, also known as Broken Object Level Authorization (BOLA) in APIs, persist due to evolving system design and the assumption of ownership rather than revalidation, leading to potential data breaches and unauthorized modifications. |
| 2026-04-17 2026 | Prisma and PostgreSQL vulnerable to NoSQL injection? (Aikido)GraphQL | Library vulnerability analysis demonstrating how Prisma ORM, even with PostgreSQL, is susceptible to operator injection, commonly known as NoSQL injection. This occurs when user input is passed to query functions supporting string-based operators, such as `findFirst`, `findMany`, `updateMany`, and `deleteMany`. The analysis highlights exploits and recommends prevention techniques including casting user input to primitive data types, implementing robust server-side validation with libraries like Zod, and keeping ORMs like Prisma and Sequelize updated to benefit from security fixes. |
| 2026-04-10 2026 | Best Secret Scanning Tools in 2025Secrets | Library for detecting hard-coded secrets in code, configurations, and cloud infrastructure. It utilizes pattern recognition, entropy checks, and AI to identify sensitive data like API keys and passwords, aiming to prevent data breaches by automating detection and remediation. Notable features include context-aware detection correlating secrets with other vulnerabilities, one-click remediation for many secret types, and integration into developer workflows via IDE extensions and pre-commit hooks. The library supports broad scanning across Git repositories, container images, and cloud environments, offering a free tier for basic use. |
| 2026-04-10 2026 | n8n Critical Vulnerability (CVE-2026-21858): Unauthenticated RCERCE | Writeup of CVE-2026-21858, an unauthenticated RCE in n8n, allowing full compromise of locally deployed instances through arbitrary file access, authentication bypass, and command execution. Discovered by Cyera Research Labs and nicknamed 'Ni8mare', this vulnerability highlights automation platforms as high-impact attack surfaces. Remediation involves upgrading n8n, restricting exposure of Forms and Webhooks, and reviewing workflow configurations. |
| 2026-04-03 2026 | Python Security Vulnerabilities | Top Issues | AikidoPython | Library for identifying and mitigating common Python security vulnerabilities. It details risks like arbitrary code execution via `eval()` and `exec()`, OS command injection through `subprocess` and `os.system`, and the dangers of hardcoded secrets. The library emphasizes practical mitigation techniques, such as avoiding unsafe function usage, using argument lists with `subprocess`, and employing secure secret management practices. It highlights how SAST tools can detect these patterns early in development. |
| 2026-03-14 2026 | Persistent XSS/RCE using WebSockets in Storybooks dev serverXSS | Library of JavaScript code and examples addressing CVE-2026-27148, a high-severity WebSocket hijacking vulnerability in Storybook's dev server. This vulnerability can lead to persistent Cross-Site Scripting (XSS) and Remote Code Execution (RCE) by allowing attackers to inject malicious code into story files. Exploitation can occur via publicly exposed dev servers or through a malicious webpage visited by a developer running a local instance, potentially compromising credentials, system access, and network resources, and even propagating through version control and CI/CD pipelines. |
| 2026-02-23 2026 | Astro SSRF Vulnerability: Host Header Injection in SSR Error Pages (CVE-2026-25545)SSRF | Library for detecting Astro SSRF vulnerabilities, specifically CVE-2026-25545, caused by Host header injection in SSR error pages. This vulnerability allows attackers to craft requests that trick the Astro server into fetching arbitrary internal URLs, potentially exposing sensitive data. Exploitation requires SSR mode, an unsanitized Host header, and a configured custom error page (like `404.astro`). Patched versions include astro@5.17.2, @astrojs/node@9.5.3, and astro@6.0.0-beta.11. |