appsec.fyi · Sources

snyk.io

10 curated AppSec resources from snyk.io across 6 topics on appsec.fyi.


Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-12.

Date Added | Year | Resource | Topics | Excerpt
2026-05-12 | 2026 | TanStack npm Packages Hit by Mini Shai-Hulud | Supply Chain | Library compromised by the Mini Shai-Hulud supply chain attack impacting @tanstack npm packages, leading to the publication of 84 malicious artifacts. This incident, attributed to TeamPCP, marks the first documented case of malicious npm packages possessing valid SLSA provenance, achieved by hijacking the legitimate release pipeline via a `pull_request_target` vulnerability, cache poisoning, and OIDC token extraction. Affected packages include `@tanstack/react-router`, with remediation involving treating affected install environments as compromised and rotating secrets.
2026-04-17 | 2026 | What is a Software Bill of Materials (SBOM)? (Snyk) | Supply Chain | Library for generating and managing Software Bills of Materials (SBOMs), providing formal records of software components and their supply chain relationships. SBOMs enhance transparency, aid in vulnerability management, and support regulatory compliance, especially for software sold to the federal government as mandated by Executive Order 14028. Standards like SPDX, SWID, and OWASP CycloneDX are supported, enabling detailed analysis of dependencies, licenses, and potential exploits, complementing efforts like SLSA for supply chain integrity.
2026-04-11 | 2026 | Golang JWT access restriction bypass vulnerability | JWT | Library for Go JWT access restriction bypass vulnerability affecting the `VerifyAudience` function. Discovered issues with double-quoted empty strings bypassing audience verification, leading to CVE-2020-28361. While a fix was available in v4.0.0-preview1, many projects used the master branch, leaving them vulnerable. Snyk's research team identified this and other proprietary Go vulnerabilities, enriching their Intel Vulnerability Database to provide broader security coverage.
2026-04-11 | 2026 | Top 3 security best practices for handling JWTs | JWT | Library for securely handling JWTs, focusing on three core best practices: keeping tokens secret via HTTPS and secure storage (HttpOnly, Secure flags), validating tokens by checking signatures and claims (exp, nbf, iss, aud), and setting expiration times. It highlights how tools like Snyk can identify vulnerabilities related to these practices, mentioning Python libraries such as Flask-JWT-Extended and PyJWT.
2026-04-11 | 2026 | Detecting JWT Security Issues | JWT | Library for detecting JWT security issues in Node.js applications. It identifies vulnerabilities arising from the insecure use of the `jsonwebtoken` npm package, specifically the misuse of `jwt.decode()`, which bypasses signature verification and can lead to broken authentication. The library also flags hardcoded sensitive data, insufficient logging, and lack of rate limiting, providing recommendations for secure JWT handling.
2026-04-11 | 2026 | Why 28 Million Credentials Leaked on GitHub in 2025 \| Snyk | API Sec, Secrets | Library for detecting and preventing leaked secrets, including API keys, database passwords, cloud IAM credentials, and AI service keys. It addresses accidental commits to Git, insecure .env file practices, supply chain attacks via malicious packages like Shai-Hulud and compromised versions of TruffleHog, and leaks through non-code surfaces such as Slack, Jira, and Docker Hub. The library also highlights the growing risk from AI-assisted development and MCP server credentials, differentiating its secret scanning capabilities from SAST tools by emphasizing the analysis of full Git history, including deleted files.
2026-04-10 | 2026 | How a Poisoned Security Scanner Backdoored LiteLLM | Python | Library that suffered a supply chain attack via Trivy and Checkmarx KICS, resulting in malicious versions (1.82.7 and 1.82.8) of the litellm Python package being published to PyPI. The attack involved credential harvesting through a compromised GitHub Action and the use of .pth files for persistence, enabling data exfiltration and lateral movement within Kubernetes environments.
2025-08-14 | 2025 | Go Security cheatsheet \| Snyk Blog | | Cheatsheet detailing eight Go security best practices for developers, emphasizing the use of Go Modules for dependency management and scanning dependencies for CVEs with tools like Snyk. It covers employing Go's standard crypto packages, utilizing `html/template` to prevent XSS attacks, exercising caution with subshelling, `unsafe`, and `cgo`, using reflection sparingly, and minimizing container attack surfaces.
2023-04-03 | 2023 | Top 5 scapy Code Examples | Python | Top 5 scapy Code Examples https://ift.tt/PJT08ay
2022-02-21 | 2022 | Go Security cheatsheet \| Snyk Blog | | Cheatsheet detailing eight Go security best practices for Go developers. It covers using Go Modules for dependency management and scanning dependencies for CVEs with tools like Snyk. The resource recommends using Go's standard crypto packages and `html/template` to prevent XSS attacks. It also advises caution with subshelling, the `unsafe` package, and `cgo`, while recommending sparing use of reflection. Finally, it touches on minimizing container attack surfaces.