aikido | no bullsh*t security for devs

Honored for protecting 2 billion requests per month. Because apparently, that’s plaque-worthy.

State of AI in Security & Development 2026: CISOs & Devs Respond to AI Risks 450 CISOs and developers reveal how AI is reshaping security and software development, and how teams are responding to new risks and real breaches.

Key findings:
• 1 in 5 have faced a serious breach linked to AI code
• 96% believe AI will one day write secure code
• 65% say false positives are driving risky behavior

Read the full report -> www.aikido.dev/state-of-ai-...

⚡️JUST DROPPED: The State of AI in Security & Development
We asked 450 CISOs, AppSec engineers and developers across Europe and the US how AI is changing the way we build and secure software.

Aikido Attack | Autonomous AI Pentests Audit-ready pentests without the wait. Full report in days, instant retests, low cost, and continuous validation powered by AI agents.

We’re entering a new chapter in pentesting and we’re excited to have the teams from Allseek and Haicker with us on this journey.

Get early access → www.aikido.dev/attack/aipen...

Breaking: Allseek and Haicker are joining Aikido

Together we’re launching Aikido Attack, autonomous pentests that think like hackers and run in hours, not weeks.

We’re entering a new chapter in pentesting and we’re excited to have the teams from Allseek and Haicker with us on this journey.

Did you catch the premiere? → aikido.dev/meetjarno

Here are a few places where Jarno does interviews, the rest are better left offline. But you can always meet him and ask -> aikido.dev/meetjarno

How did we scale from 30 to 140 team members in a year? Simple.
Always be recruiting.

Have you met Jarno? → aikido.dev/meetjarno

#1 Product of the Day, #3 Developer Tool of the Week.

Crushed it.

🍿

Secure everything you build, host, and run. Aikido now launching at #1 on Product Hunt 🔥

Please upvote here → www.producthunt.com/products/aik...

tHe biGGesT sUpplY cHaiN atTAck iN hISTory!!!!!11

safe chain stars went brrr
Free to use. Open source.

a phishing message tied to the newly registered phishing domain npmjs[.]help, which is a tld away from NPM's real login page, npmjs.com. npm <support@npmjs.help> 08:47 (55 minutes ago) to marsup ¥ Inbox © ® O <& Reply Actionsv Hi, marsup! As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials. Our records indicate that it has been over 12 months since your last 2FA update. To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access. Update 2FA Now 1f you have any questions or require assistance, our support team is available to help. You may contact us through this link. Preferences - Terms - Privacy - Sign in to npm

New, from me:

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The […]

[Original post on infosec.exchange]

duckdb npm packages compromised The popular package duckdb was compromised by same attackers that hit debug and chalk

it appears the same attackers also compromised the JavaScript package duckdb (~350k downloads a week):

https://www.aikido.dev/blog/duckdb-npm-packages-compromised

Le maintainer: “I’ve been pwned. Sorry everyone, very embarrassing.”

Brian Krebs covered the npm supply chain compromise, featuring insights from our own @charlieeriksen.bsky.social, who broke the news.

Full article → krebsonsecurity.com/2025/09/18-p...

MAINTAINER UPDATE: The maintainer of debug & chalk has taken down the packages and locked down his account; some packages remain affected.

The phishing email used to target debug/chalk was 'support [at] npmjs [dot] help'

Update! The goal of the attacker is crypto.

with a combined 2 billion weekly downloads, this is one of the largest supply chain attacks in npm history

• supports-color (287.1m downloads per week)
• strip-ansi (261.17m downloads per week)
• chalk (299.99m downloads per week)
• debug (357.6m downloads per week)
• ansi-styles (371.41m downloads per week)

• error-ex (47.17m downloads per week)
• color-name (191.71m downloads per week)
• is-arrayish (73.8m downloads per week)
• slice-ansi (59.8m downloads per week)
• color-convert (193.5m downloads per week)
• wrap-ansi (197.99m downloads per week)
• ansi-regex (243.64m downloads per week)

• backslash (0.26m downloads per week)
• chalk-template (3.9m downloads per week)
• supports-hyperlinks (19.2m downloads per week)
• has-ansi (12.1m downloads per week)
• simple-swizzle (26.26m downloads per week)
• color-string (27.48m downloads per week)

UPDATE: A massive supply-chain compromise has affected packages with over 2 billion weekly downloads owned by the popular maintainer qix

These include:
• ansi-regex (243.64m downloads per week)
• supports-color (287.1m downloads per week)
• strip-ansi (261.17m downloads per week)

🚨URGENT: A series of popular packages maintained by qix have just been compromised.

Compromised packages include:
• has-ansi - 12 million weekly downloads - V6.0.1
• supports-hyperlinks - 19m weekly downloads - v4.1.1
• chalk-template - 3.9m weekly downlaods - V1.1.1

YouTube video by The Secure Disclosure | Cyber, Sake, More. The Future of Code Reviews in the AI Era – Cyber & Sake Podcast Clip with Khachatur Virabyan

Trag is now part of Aikido. We sat down with Trag co-founder to talk AI, code quality, and what the future looks like. And yes… there was sake involved.

Full episode → www.youtube.com/watch?v=zUxe...

In Khachatur’s words: “We didn’t make cars smaller so they could squeeze between trees, we built roads so we could drive them everywhere. AI code generation is the car. Together, we’re building the road.”

Happening this Thursday ❤️‍🔥
We’re back with the next edition of ~all vibes /no vulns.

Hosted by our own Mackenzie Jackson, with special guests Igor A. (CISO @ Lovable) and Bil Harmer (CISO @ Supabase).

Together we’ll build, hack, and secure an app in real time.

Join us → luma.com/lovablexaiki...

The wait is over. Aikido Code Quality is live.

Our favorite part? Roast mode. 🥵
Activate at your own risk → aikido.dev/quality

Popular nx packages compromised on npm The popular nx package on npm was compromised, and stolen data was published on GitHub publicly

A clean version has since been published 21.4.1

• Check if you use this project npm ls nx
• Uninstall any malicious versions npm uninstall nx && npm install nx@latest
• Clear cache; rotate creds and tokens.

Full advisory - www.aikido.dev/blog/popular...

🚨 ALERT: The NPM package NX has been compromised (4.6m weekly downloads) - malicious versions (v20.9–20.12 & 21.5–21.8) were published on Aug 26 2025.

The compromised packages have a postinstall script that scans for credentials and post them to the users GitHub account.

Happening TOMORROW.
Willem Delbare (CEO & Co-founder, Aikido) and Khachatur V. (CEO & Co-founder, Trag) go live to talk about the future of code review.

Quality code is secure code. Let’s talk about it → lu.ma/aikidoxtrag