Vulnerabilities & Threats
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
Compromised Rust crate onering performs code exfiltration
The compromised onering Rust crate v1.4.1 on crates.io shipped a malicious build.rs that exfiltrates the diff of your latest commit to a hosted Sentry endpoint every time you build.
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System
Deep dive into binding.gyp, the often overlooked npm build file that can execute malicious code at install time through shell expansions, sandbox escapes, and compiler hijacking.
Red Hat npm Packages Compromised to Spread a Credential-Stealing Worm
Multiple official @redhat-cloud-services npm packages were compromised with a credential-stealing worm derived from the open-sourced Mini Shai-Hulud malware, targeting cloud credentials, and developer tooling across CI/CD pipelines.
Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens
A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.
Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
Attackers injected a credential stealer into 200+ versions of popular Laravel-Lang packages, delivering a credential stealer targeting cloud keys, SSH keys, browsers, crypto wallets and more.
Google API keys keep working after you delete them
Deleting a Google API key doesn't revoke it immediately. Our testing found successful authentications up to 23 minutes after deletion, and Google has declined to fix it.
The Wild West of VS Code extensions and how a poisoned extension breached GitHub
A poisoned VS Code extension breached GitHub yesterday, one day after Nx Console (2.2M installs) was compromised for 18 minutes on the Visual Studio Marketplace and reached every user with auto-update on.
GitHub breached via a malicious VS Code extension: why developer devices are the real target
GitHub confirmed a poisoned VS Code extension compromised an employee device, exposing 3,800 internal repos. Why developer workstations are now the top supply chain target.
Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!
Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems
Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages
The Mini Shai-Hulud npm worm has hit Alibaba's @antv packages, echarts-for-react, and timeago.js. The payload steals CI/CD secrets, plants backdoors in VS Code and Claude Code, and spreads by republishing compromised packages. Here is what happened and how to protect your team.
Vulnerabilities & Threats
Cut through the noise with real-world CVE breakdowns, malware analysis, exploits, and emerging risks.
Customer Stories
See how teams like yours are using Aikido to simplify security and ship with confidence.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
