The rapid integration of artificial intelligence into software development workflows, while promising unprecedented efficiency, has created a significant security weakness: a profound lack of accountability. This emerging challenge, where AI agents autonomously install packages and introduce dependencies without clear ownership or risk assessment, is leaving enterprises exposed to a new wave of sophisticated cyberattacks. Willem Delbare, co-founder, CTO, and CEO of Aikido Security, articulated this critical concern to The New Stack, stating, "There is no accountability." This absence of defined responsibility, he explains, leaves a gap that malicious actors can exploit.
The Autonomous Agent Dilemma
As AI coding assistants such as Claude Code, GitHub Copilot, and Cursor become increasingly adept at performing complex tasks, including the selection and installation of software packages, the traditional security paradigms are being challenged. Historically, when a human developer installed a package, there was an implicit understanding of responsibility. However, when an AI agent makes these decisions autonomously, the lines of accountability blur, leaving security teams operating in the dark. This is precisely the void that Aikido Security aims to fill.
Delbare elaborates on this critical issue, noting that "at most companies right now, no one has made the decision, and no one owns the risk." This undefined ownership creates a fertile ground for attacks, as individuals across various departments—from marketing and sales to product development—leverage AI tools without a comprehensive security framework governing their usage. The result is a landscape where security teams lack visibility and control over the software supply chain being built and maintained by these intelligent agents.
Aikido Security’s Proactive Solutions
In response to this escalating threat, Aikido Security has launched a suite of products designed to bring clarity and control to AI-driven development. In a significant move last month, the company introduced Aikido Endpoint. This innovative solution performs real-time inspections of packages, plugins, IDE extensions, and browser extensions before they are installed. By automatically blocking known malware, Aikido Endpoint aims to prevent malicious code from entering an organization’s systems at the earliest possible stage.
The core functionality of Aikido Endpoint is to empower enterprises to embrace AI-native software development workflows securely and at scale. It provides security teams with the essential tools for real-time monitoring and policy enforcement. Simultaneously, it grants developers the necessary flexibility to utilize a wide array of packages, middleware, extensions, AI models, and AI agents without compromising security. This approach is founded on the principle that security should not be an impediment to innovation but an integrated component of the development process.
Further bolstering its commitment to proactive security, Aikido also unveiled Aikido Infinite in March. This continuous AI penetration testing platform is engineered to make software self-securing. It directly addresses the inherent limitations of traditional, often time-consuming and resource-intensive manual penetration testing methodologies. By integrating continuous security validation throughout the entire software development lifecycle (SDLC), Aikido Infinite aims to identify and remediate vulnerabilities proactively, rather than reactively.
The Evolving Competitive Landscape
Aikido Security is not the sole player addressing the burgeoning security challenges posed by AI in software development. Several other companies are making significant strides in this domain, each with a distinct approach:
- Socket: This company recently secured a substantial $60 million in Series C funding, achieving a valuation of $1 billion. Socket’s focus lies in the real-time detection and blocking of malicious open-source packages. Their capabilities were demonstrated when they reportedly identified a malicious dependency within the widely adopted Axios JavaScript package within a mere six minutes, enabling organizations to prevent its deployment into production environments.
- Endor Labs: In March 2026, Endor Labs launched AURI, a comprehensive solution comprising a Skills plugin, an MCP server, and a CLI. AURI is designed to detect actual vulnerabilities in real time within coding assistants such as Cursor and Claude Code, offering another layer of defense against AI-introduced risks.
- Chainguard: Taking a foundational approach, Chainguard concentrates on securing the infrastructure layer before any code is written. They achieve this by providing hardened, minimal container images and curated package repositories, effectively establishing a secure base for development.
- Snyk: Earlier this year, Snyk’s security researchers conducted what they described as the first comprehensive audit of the AI agent skills ecosystem. Their analysis of nearly 4,000 skills revealed that over a third contained at least one security flaw. This finding underscores the rapidly expanding attack surface across the entire market and highlights the urgent need for robust security solutions.
- Arcjet: Arcjet offers runtime enforcement specifically within agentic workflows. Their solutions focus on mitigating risks such as prompt injection and protecting personally identifiable information (PII).
- Mobb Security: Mobb Security targets vulnerabilities within the AI agent skill supply chain, recognizing that the integrity of these interconnected components is crucial for overall security.
This diverse array of solutions indicates a rapidly maturing market, with various companies developing specialized tools to address different facets of AI-driven security risks.
Delbare on the Accountability Gap: The Industry’s Unsolved Problem
In an interview with The New Stack, Delbare provided further insights into Aikido’s strategic positioning within this competitive landscape and emphasized why he believes the accountability gap remains the most critical, yet unresolved, issue facing the industry.
Q: Who ultimately bears the responsibility for defining the security policies governing what an AI coding agent is permitted to install? Is this a decision made by the developer, the security team, or is it currently undefined in most organizations?
A: At present, in the majority of companies, this responsibility is undefined, which constitutes a significant risk. When a human developer manually installs a package, there is at least an implicit understanding of accountability. However, when an AI agent acts autonomously, there is no inherent accountability unless an individual or team has explicitly assumed ownership. Our perspective at Aikido is that security teams should be responsible for establishing the guardrails—the policies, acceptable thresholds, and approved software ecosystems. Developers, in turn, should have the freedom to operate within these established boundaries. The AI agent then functions within this defined envelope. This isn’t a novel concept; it’s essentially an extension of the shared responsibility model that has proven effective for human developers.
Q: Most enterprises currently lack visibility into installations initiated by AI agents. Is Aikido observing this trend in customer environments, where agents are quietly incorporating packages that have not undergone any review?
A: We recently engaged in a discussion with a customer who expressed a strong desire to ensure that even devices used by non-developer personnel are adequately protected. Increasingly, less technical teams in product management, sales, and marketing are utilizing AI agents to streamline their work. They often do so without fully comprehending that packages and agent skills are being installed on their local environments. Consequently, security teams are left with virtually no control or visibility into the associated risks, nor do they possess effective means to identify affected machines after an incident has occurred. This lack of oversight is a pervasive problem.
Q: AI coding agents autonomously pull packages and add dependencies. How does Aikido Endpoint differentiate between a human-initiated installation and one initiated by an agent, and does this distinction influence its response?
A: Aikido Endpoint does not make a distinction between human-initiated and agent-initiated installations. The inherent risk associated with installing malware remains constant, irrespective of whether the action is performed by a human or an AI agent. Our focus is on the security of the package itself, not the origin of the installation request.
Q: Which AI coding agents, such as Copilot, Cursor, Claude Code, and Devin, does Aikido Endpoint currently monitor? How does its coverage adapt as new agents are released?
A: Aikido Endpoint is designed to monitor AI tools and models across a broad spectrum of providers, including Gemini, OpenAI, GitHub Copilot, xAI, MCP Servers, Claude Code, and platforms like skills.sh. The system is built to be adaptable; when new AI agents are released, the Endpoint’s agent simply needs to be updated to incorporate their functionalities and potential risks. This ensures that our monitoring capabilities remain current with the evolving AI landscape.
Q: The coverage area for Aikido Endpoint includes AI agent skills marketplaces. Could you specify which marketplaces are covered and the current maturity of this coverage?
A: Currently, our coverage extends to skills.sh and the VS Code Marketplace. We are continuously evaluating and expanding our support for additional marketplaces as they gain prominence and as the need arises. Our coverage in these areas is mature, providing robust protection against vulnerabilities within these ecosystems.
The Escalation of AI-Generated Supply Chain Malware
Q: Your press release highlights the "$8 ChatGPT subscription" as a factor lowering the barrier to entry for creating supply chain malware. How does AI-generated supply chain malware differ from human-written malware in terms of detection difficulty, polymorphism, or volume?
A: Artificial intelligence is undeniably fueling a significant increase in the sophistication of cyberattacks. Over the past twelve months, we’ve witnessed a dramatic evolution, moving from single-package compromises to self-replicating worms and, more alarmingly, to full CI/CD pipeline hijacks that can chain across multiple registries. The fundamental changes are a drastically reduced barrier to entry for malicious actors and an accelerated attack velocity. Where a highly skilled hacker might once have spent considerable time probing for vulnerabilities, this type of reconnaissance and exploitation work can now be rapidly executed by AI agents. This democratization of advanced attack capabilities presents a profound challenge for traditional security measures.
Q: Aikido Intel cites a figure of 100,000 malicious packages per day. Does this intelligence utilize AI detection methods to keep pace with AI-generated malware? What is the methodology behind this detection?
A: Yes, Aikido Intel leverages artificial intelligence, augmented by our in-house research team, to identify and catalog vulnerabilities within the open-source supply chain. Our methodology involves a meticulous review of all publicly available changelogs and release notes. The primary objective is to ascertain whether security fixes have been implemented but not publicly disclosed, which can be a precursor to exploitation.
To achieve this, we employ two distinct large language models (LLMs). The first LLM is tasked with filtering the raw data, effectively removing extraneous context and noise to isolate relevant information. The second LLM then focuses on performing a detailed vulnerability analysis on this refined data. Following the LLMs’ findings, a human security engineer conducts a thorough review, validating the identified vulnerabilities before an Intel report is officially released. This hybrid approach has proven exceptionally effective in pinpointing vulnerabilities while demanding significantly less computational power compared to directly scanning entire codebases, systems, or live environments for potential security issues using LLMs alone.
Balancing Security and Developer Velocity
Q: Aikido Endpoint enforces a 48-hour install block. This might be perceived as a blunt instrument, especially given that many legitimate packages are updated frequently. What is the practical rate of false positives generated by this policy, and how does the request-and-approval workflow manage potential developer friction?
A: In practice, the need for a developer to access a package version that was released today rather than one from the previous week is exceptionally rare. The 48-hour install block is strategically designed to capture the vast majority of malicious packages during their most vulnerable introduction period, while minimizing the disruption to legitimate development workflows. We have found that this policy rarely blocks essential development activities.
When a package is flagged by the install block, Aikido Endpoint defaults to an allowed package version, which is typically older than the 48-hour window. It is important to note that this install block is a configurable setting, allowing teams to tailor it to their specific risk tolerance and the characteristics of different software ecosystems. For instance, given the historical targeting of the npm registry, a 48-hour block might be prudent. Conversely, for Maven Central, which benefits from robust GPG signing requirements, a shorter or even no install block might be appropriate.
To further enhance flexibility, organizations can create whitelists for specific packages or entire groups of packages, effectively bypassing the install block. Additionally, for those instances where speed is critical, developers can submit one-off approval requests, which are typically processed swiftly, ensuring that legitimate development needs are met without compromising security. This tiered approach allows for a dynamic balance between stringent security controls and the imperative for developer agility.
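The install-block policy Delbare describes in the last three answers (a per-ecosystem minimum package age, fallback to the newest version already older than the window, allowlists for packages or groups, and one-off approvals) as an added Python example; this is not Aikido's code, and the InstallPolicy class, function names, ecosystem keys and sample release dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy model (not Aikido's code) covering the controls the
# interview describes: per-ecosystem minimum age, an allowlist that bypasses
# the block, and one-off approvals for a specific version.
@dataclass
class InstallPolicy:
    min_age: dict                                   # ecosystem -> timedelta
    allowlist: set = field(default_factory=set)     # package names or "prefix*"
    approvals: set = field(default_factory=set)     # (ecosystem, name, version)

def is_allowlisted(policy, name):
    """Exact names match; an entry ending in '*' matches a group by prefix."""
    return any(name == e or (e.endswith("*") and name.startswith(e[:-1]))
               for e in policy.allowlist)

def resolve_install(policy, ecosystem, name, requested, releases, now):
    """releases maps version -> publish time. Returns (decision, version):
    "allow", "fallback" to an older version that clears the window, or
    "block" when nothing clears it and nothing exempts the package."""
    if is_allowlisted(policy, name) or (ecosystem, name, requested) in policy.approvals:
        return "allow", requested
    window = policy.min_age.get(ecosystem, timedelta(0))  # no entry = no block
    published = releases.get(requested)
    if published is not None and now - published >= window:
        return "allow", requested
    # Inside the window: default to the newest release already older than the
    # window, the fallback the interview describes.
    mature = [v for v, t in releases.items() if now - t >= window]
    if not mature:
        return "block", None
    return "fallback", max(mature, key=releases.get)

# Constructed sample data: npm gets a 48-hour block, Maven Central none.
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_POLICY = InstallPolicy(
    min_age={"npm": timedelta(hours=48), "maven": timedelta(0)},
    allowlist={"@acme/*"},
    approvals={("npm", "example-cli", "2.0.0")},
)
SAMPLE_RELEASES = {
    "1.2.0": NOW - timedelta(days=10),
    "1.2.1": NOW - timedelta(days=3),
    "1.3.0": NOW - timedelta(hours=5),   # too new for npm, fine for maven
}

if __name__ == "__main__":
    print(resolve_install(SAMPLE_POLICY, "npm", "example-lib", "1.3.0", SAMPLE_RELEASES, NOW))
```

In a deployment the decision, the requesting identity and the version actually installed would also be logged, since the accountability gap discussed above is about knowing who owns each install, not only whether it was permitted.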
