Using AI to Discover Silently Patched Vulnerabilities in Open Source

Mackenzie Jackson

BSidesSF 2025 — Here Be Dragons · Day 1 · Main

Mackenzie Jackson of Aikido Security described research that used LLMs to monitor open-source changelogs at scale, discovering 550 undisclosed vulnerabilities in 2024 — 67% of which never received a CVE. The same AI-powered approach has since been extended to malware detection, where it identified 611 malicious npm packages in March alone and caught a backdoor in the official Ripple XRP SDK within minutes of its introduction.

AI review

This is the talk of the batch. Real research, real numbers, real production system catching real malware in real time. 550 undisclosed vulnerabilities in 2024 — 67% of which never got a CVE — is data that fundamentally breaks the assumption that CVE coverage is sufficient for supply chain security. The Ripple XRP SDK detection story is the kind of thing that validates an entire research program.
