Aikido Security is launching Aikido Endpoint, a lightweight agent designed to protect developers’ endpoints against supply chain attacks. The tool is intended to block high-risk packages, IDE extensions, browser plugins, and AI tools before installation.
Developers are prime targets for attackers, particularly through so-called supply chain attacks. Just recently, TeamPCP carried out an attack via Trivy, Checkmarx, and LiteLLM, among others. Shortly thereafter, an attack followed on Axios, the most widely used HTTP client in JavaScript, with over 100 million weekly downloads.
The target of these attacks was always the same: the developer’s endpoint. After all, developers’ machines contain a wealth of information that attackers are eager to obtain. Think of cloud credentials, npm publication tokens, SSH keys, and direct access to source code.
According to Aikido Security, existing security tools typically focus on repositories, CI/CD pipelines, or package managers, not on the device itself. Aikido Endpoint works differently, the company claims: its agent monitors every installation on the device and blocks threats before they reach the system.
What does Aikido Endpoint do?
Aikido Endpoint runs on the endpoint itself and is designed to block threats before an installation brings them onto the developer’s device. It does this, among other things, through default settings tailored to this purpose, such as a minimum package age: packages published less than 48 hours ago are blocked. In this way, Aikido Endpoint protects npm, PyPI, Maven, NuGet, VS Code extensions, browser plugins, and AI agent marketplaces.
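To make the minimum-age policy concrete, here is an added example of how such a gate can be evaluated against registry publish metadata. This is illustrative code written for this article, not Aikido's or Safe Chain's implementation; it assumes metadata shaped like the npm registry's `time` map (version to ISO 8601 publish timestamp), and the registry document, the fixed "now" and the package names are constructed. The example also shows two edge cases the paragraph does not spell out: a version missing from the publish history and a package with no metadata at all, both of which fail closed.

```python
"""Minimum-age gate for package installs (added example, not Aikido's code).

Policy: refuse to install a package version published less than MIN_AGE ago.
Metadata shape follows the npm registry's `time` field (version -> ISO 8601
timestamp). All registry data and the clock value below are constructed.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=48)  # default threshold named in the article

# Constructed evaluation time so the example is deterministic offline.
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)

# Constructed registry document; only the `time` field matters for this policy.
SAMPLE_REGISTRY = {
    "example-lib": {
        "time": {
            "created": "2023-01-10T09:00:00.000Z",
            "modified": "2026-04-01T10:30:00.000Z",
            "1.4.2": "2025-11-03T08:15:00.000Z",   # months old
            "1.4.3": "2026-04-01T10:30:00.000Z",   # published 90 minutes ago
        }
    }
}


def parse_ts(ts: str) -> datetime:
    """Parse a registry timestamp; registries emit a trailing 'Z' for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(name: str, version: str, registry: dict,
             now: datetime = NOW, min_age: timedelta = MIN_AGE) -> tuple:
    """Return ("allow" | "block", reason) for one requested package version."""
    doc = registry.get(name)
    if doc is None:
        # No metadata means no way to establish age: fail closed.
        return "block", f"{name}: no registry metadata available"

    published = doc.get("time", {}).get(version)
    if published is None:
        # Unknown version: do not assume it is old, fail closed.
        return "block", f"{name}@{version}: version not found in publish history"

    age = now - parse_ts(published)
    if age < min_age:
        hours = age.total_seconds() / 3600
        limit = min_age.total_seconds() / 3600
        return "block", f"{name}@{version}: published {hours:.1f}h ago (< {limit:.0f}h)"
    return "allow", f"{name}@{version}: published {age.days}d ago"


def gate_install(requests: list, registry: dict,
                 now: datetime = NOW, min_age: timedelta = MIN_AGE) -> list:
    """Evaluate a batch of (name, version) requests; return the blocked ones."""
    blocked = []
    for name, version in requests:
        decision, reason = evaluate(name, version, registry, now, min_age)
        if decision == "block":
            blocked.append((name, version, reason))
    return blocked


if __name__ == "__main__":
    wanted = [("example-lib", "1.4.2"), ("example-lib", "1.4.3"),
              ("example-lib", "9.9.9"), ("unknown-pkg", "1.0.0")]
    for entry in gate_install(wanted, SAMPLE_REGISTRY):
        print("BLOCK", *entry[:2], "-", entry[2])
```

The decisive design choice is failing closed on missing data: a version that is absent from the publish history, or a package with no metadata, is treated as untrusted rather than as old, because an attacker-controlled registry response is precisely the situation the gate exists for.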
Aikido has built Endpoint on top of Safe Chain, the company’s open-source CLI firewall, which, according to the company, is downloaded more than 200,000 times a week. Safe Chain already protects developers and organizations against the attack patterns behind Shai-Hulud, TeamPCP, and the Axios attack. Aikido Endpoint can be seen as the next step, aimed specifically at enterprises. It works alongside existing MDM tools and offers governance, dedicated workflows, and compatibility with all package managers and marketplaces on the developer’s machine.
With the arrival of Aikido Endpoint, it should become possible to protect the developer’s endpoint, which Aikido calls the Achilles’ heel of the software supply chain, against attacks. That matters all the more at a time when increasing automation via AI means a supply chain attack takes less and less time to put together, so paying closer attention to this Achilles’ heel is wise.