惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyberwarzone
Cyberwarzone
V
Vulnerabilities – Threatpost
T
Tenable Blog
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
G
GRAHAM CLULEY
Know Your Adversary
Know Your Adversary
S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
Project Zero
Project Zero
C
CXSECURITY Database RSS Feed - CXSecurity.com
V
Visual Studio Blog
WordPress大学
WordPress大学
Latest news
Latest news
K
Kaspersky official blog
T
Tailwind CSS Blog
T
Threat Research - Cisco Blogs
B
Blog RSS Feed
C
Cisco Blogs
博客园 - 聂微东
Martin Fowler
Martin Fowler
T
The Blog of Author Tim Ferriss
小众软件
小众软件
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 热门话题
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
P
Proofpoint News Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Privacy International News Feed
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
C
CERT Recently Published Vulnerability Notes
Cisco Talos Blog
Cisco Talos Blog
S
SegmentFault 最新的问题
Security Latest
Security Latest
Y
Y Combinator Blog
爱范儿
爱范儿
aimingoo的专栏
aimingoo的专栏
P
Privacy & Cybersecurity Law Blog
L
LINUX DO - 最新话题
月光博客
月光博客
The GitHub Blog
The GitHub Blog
博客园 - 三生石上(FineUI控件)
S
Security Affairs
P
Proofpoint News Feed
D
DataBreaches.Net
有赞技术团队
有赞技术团队
云风的 BLOG
云风的 BLOG

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
Introducing Aikido Package Health: a Better Way to Trust Your Dependencies
Trusha Sharma · 2026-02-03 · via Aikido Security's Blog

TLDR

Aikido Package Health surfaces the true health of an open source package with a single score. It helps devs understand stability, maintenance quality, and supply-chain risk before installing a dependency.

Aikido Package Health is a public service that assigns a clear Health Score to open source packages. It gives you an honest signal about which dependencies are well-maintained and safe to adopt, and which ones might need extra scrutiny before you pull them into your project.

The goal is simple. Give devs visibility into the long-term reliability of their dependencies, not just their vulnerability status. Because maintenance patterns, stability, and hygiene matter just as much as CVEs.

This post walks through what makes a package healthy and what maintainers can do to improve their score.

Why Package Health matters

Choosing dependencies is fast, but understanding their long-term stability is not. Maintainers change, release patterns shift, dependency trees grow, and install scripts evolve quietly over time. These signals affect reliability, yet most teams never see them.

Package Health brings this information into one place. It looks at how a package’s dependency tree evolves, how stable its maintainers are, how predictable its releases have been, how safe its lifecycle scripts behave, and whether provenance data is available. These signals turn into a simple Health Score that helps devs make safer, faster decisions.

How Aikido calculates a Health Score

Each Health Score is built from measurable behaviour extracted from a package’s release and metadata history. We look at how the project changes over time, who maintains it, what scripts it runs during install, and whether its builds can be verified.

The score is composed of five weighted categories:

Dependencies

How stable the dependency tree is between versions.

Maintainer Stability

How consistent the release authors are and whether maintainership has shifted unexpectedly.

Maturity

How long the project has existed, how predictably it evolves, and whether releases follow a sensible cadence.

Supply-Chain Scripts

How safe the package’s lifecycle scripts are and whether they introduce unnecessary risk during installation.

Attestations

Whether the project includes verifiable provenance to prove that builds are authentic and reproducible.

These categories combine into a clear, at-a-glance signal of package health.

Keeping each category healthy

Maintainers can actively improve their Health Score through a few steady habits. The same principles help if you maintain internal libraries or evaluate external dependencies.

1. Keep your dependency tree lean

Add runtime dependencies only when they’re essential. Every new dependency adds transitive risk and maintenance overhead. Prefer small, well-audited modules or reuse existing ones already trusted in your ecosystem. If you add something new, document the reasoning and check its security track record.

2. Maintain continuity among maintainers

A consistent set of maintainers creates confidence. Plan handovers properly, keep a changelog that links releases to authors, and avoid long inactivity gaps. Stable authorship helps users and automated tools detect when a project is drifting or abandoned.

3. Publish steadily and respect version history

Regular releases, even small ones, show that the project is supported. Keep semantic versioning consistent. Avoid rewriting history. Tag releases clearly. A predictable cadence directly improves maturity and trust.

4. Review and harden lifecycle scripts

Install-time scripts are common sources of supply-chain issues. Remove scripts you don’t need. If you keep them, ensure they avoid network calls, privileged actions, or hidden behaviour during installation. Static analysis and scanning help catch risky patterns early.

5. Use attestations to prove integrity

Automate provenance and SBOM attestations in CI. They provide cryptographic proof that builds are reproducible and untampered. Once added, monitor for regressions and fix missing attestations quickly to maintain a strong security posture.

By following these practices, packages naturally maintain higher scores and earn more trust from devs and security tools.

Helping maintainers build safer open source

Aikido’s Health Score highlights maintenance quality, not just known vulnerabilities. It acts as an early-warning system for ecosystem drift, showing when a project’s hygiene starts slipping long before it becomes security debt.

By giving maintainers clear feedback and helping devs make informed decisions, Aikido aims to strengthen the open source ecosystem and make it safer, more transparent, and more resilient for everyone relying on it.

Find the right package for your project → https://intel.aikido.dev/packages