From “no bullsh*t security” to $1 billion valuation in three years.
Announcing $60M Series B at $1B led by Tom Stafford at DST Global.
What’s next? Self-securing software.
Stay tuned.
Nope, there's been nothing, luckily!
🚨 New blog post! Shai Hulud 2.0 isn’t just another supply-chain attack. It’s a worm with intent, symbolism, and a message about how fragile our ecosystem has become.
The attacker’s alias “Unknown Wonderer” might be the biggest clue yet.
Read more: www.aikido.dev/blog/shai-hu...
Shai Hulud strikes again. Our estimate right now is that 410 packages, and counting, have been compromised. And we're seeing 24.7k GitHub repos with tokens:
www.aikido.dev/blog/shai-hu...
I had a chat with @charlieeriksen.bsky.social about the recent NPM attacks
We chat about what happened (now that the dust settled), and we discuss what's next.
Charlie is doing some great work in this space; he understands the problem better than most.
@advocatemack.bsky.social and I interviewed Daniel Pereira, who was the first to notice the Shai Hulud campaign.
www.youtube.com/watch?v=I--i...
I published a blog post with more data on how the Shai-Hulud attack unfolded: evidence pointing to the fact that most packages were uploaded by the attackers rather than being organically infected, and the mistakes the attackers made.
www.aikido.dev/blog/bugs-in...
Good call. We've fixed the versions, and the dev team is having a conversation to see how close to 0 dependencies they can get.
Thanks! 🙏
The attackers behind the S1ngularity/Nx attack strike again, this time with Shai Hulud: a proper self-propagating worm targeting the npm ecosystem.
www.aikido.dev/blog/s1ngula...
Yesterday, @advocatemack.bsky.social and I sat down with @bad-at-computer.bsky.social to discuss the incident that occurred on Monday, in which popular packages like debug and chalk were compromised. Here's my take on it, along with the entire ~45-minute conversation.
www.aikido.dev/blog/we-got-...
Sorry, not sorry 🙃
Le maintainer: “I’ve been pwned. Sorry everyone, very embarrassing.”
Brian Krebs covered the npm supply chain compromise, featuring insights from our own @charlieeriksen.bsky.social, who broke the news.
Full article → krebsonsecurity.com/2025/09/18-p...
@bad-at-computer.bsky.social Would you be open to chatting with us (@advocatemack.bsky.social) for our Bad Dependencies podcast to discuss your experience as a maintainer? I think it'd be fascinating to hear the more "human" side to this :)
The attackers who hit debug and chalk have now also compromised the DuckDB packages. What a weird situation.
www.aikido.dev/blog/duckdb-...
Sleep well! I can't imagine the amount of stress you must have felt. But you did right by the community. Thank you! ❤️
I figured. The process with npm is quite slow and frustrating a lot of the time :(
Yes, the npm abuse/reporting system leaves a lot to be desired.
For reference, simple-swizzle is still compromised :(
Yep, I've been pwned. 2FA reset email, looked very legitimate.
Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again.
Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.
What was the email address it came from? Did you invalidate all tokens on the account too? Attackers tend to leave those as backdoors.
@bad-at-computer.bsky.social Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.
Introducing Aikido SafeChain 🔒⛓️
SafeChain wraps every npm, yarn, pnpm, and npx install. It blocks malware in real time, with zero changes to your workflow.
Free. Open Source. Powered by Aikido Intel.
Don’t trust your terminal. Defend it.