appsec.fyi · Sources

snyk.io

245 curated AppSec resources from snyk.io across 20 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-26.

| Date Added | Resource | Topics | Excerpt |
|---|---|---|---|
| 2026-06-26 | NVD in the AI Era: The Case for Multi-Source Vulnerability Intelligence | AI | In the AI era, relying solely on single sources for vulnerability intelligence is insufficient. NIST's move to risk-based enrichment highlights the need for modern security teams to integrate multi-source vulnerability data. Trusted intelligence requires a combination of diverse signals, human expertise for validation, and a clear understanding of context to effectively manage modern cybersecurity threats. |
| 2026-06-24 | Priorities from the OpenSSF Secure Open Source Software Summit 2023 | Supply Chain | Guide for securing OSS repositories, developed from OpenSSF Secure Open Source Software Summit 2023 priorities. It offers practical guidelines for GitHub and GitLab platforms, complementing OpenSSF Scorecard. This resource helps developers, maintainers, and organizations implement better security for SCM workflows, permissions, and policies. |
| 2026-06-24 | High severity vulnerability found in libcurl and curl (CVE-2023-38545) | RCE | Writeup on CVE-2023-38545, a high-severity heap-based buffer overflow in libcurl and curl, released October 2023. This vulnerability, impacting numerous open source ecosystems and Linux distributions, requires specific exploit conditions like interacting with compromised servers or using attacker-controlled SOCKS5 proxy URLs. Snyk offers reporting features to identify affected projects by CVE number. |
| 2026-06-24 | Cybersecurity Venture’s 2023 Software Supply Chain Attack Report | Supply Chain | Report on the 2023 Software Supply Chain Attack, predicting escalating costs to $138 billion by 2031. This analysis highlights the increasing effectiveness of supply chain attacks, citing methods like social engineering and stolen credentials, and referencing the devastating SolarWinds incident. It underscores the growing reliance on complex ecosystems of software and dependencies, leading to a projected tripling of affected organizations by 2025. The document stresses the urgent need for proactive application security measures and developer involvement to mitigate these rising risks. |
| 2026-06-24 | How to protect Node.js apps from CSRF attacks | CSRF | Library for protecting Node.js applications from CSRF attacks, detailing how these vulnerabilities exploit authenticated user sessions. It explains the mechanics of CSRF, the impact of successful attacks including data manipulation and account takeover, and practical protection strategies. Key techniques covered include the Synchronizer Token Pattern (STP), implementing SameSite cookies (strict and lax), and the Double Submit Cookie pattern. |
| 2026-06-24 | Getting started with query parameterization | SQLi | Library for preventing SQL injection attacks by demonstrating query parameterization with prepared statements and stored procedures. It details implementing parameterized queries using placeholders, precompiling statements with `Prepare()` for reuse, and utilizing stored procedures for greater control and security. Additional measures like input sanitization and validation are also discussed to bolster database querying defenses. |
| 2026-06-24 | When a vendor's breach becomes yours: lessons from the Klue incident | Secrets, Supply Chain | Analysis of the Klue incident highlights risks inherent in SaaS ecosystems, where a compromise of one vendor can impact numerous connected customers like Salesforce. The incident stemmed from an abandoned, unrevoked integration credential, allowing attackers to harvest OAuth tokens and exfiltrate customer data. This demonstrates how a single weak link can cascade through interconnected systems, impacting vendors such as Recorded Future, Tanium, Huntress, and Jamf, and underscoring the importance of managing third-party access and dormant credentials. |
| 2026-06-24 | The New Security Control Point: Governing AI Agents Inside the Execution Loop | AI | Library for governing AI agent behavior within the execution loop. It secures AI agents by observing actions before and after they occur, offering visibility into decisions made during tasks like executing shell commands, reading files, and making network requests. This session-aware approach enables detection of behavioral risks as agent workflows unfold, moving security closer to the decision point and allowing real-time governance of agent actions based on organizational policy. |
| 2026-06-24 | What nearly 10,000 developer environments reveal about agentic development risk | AI, Supply Chain | Analysis of nearly 10,000 developer environments reveals significant risks in agentic development, with 43% of developers using multiple AI coding tools and 50.8% employing MCP servers. These configurations, along with agent skills (used by 22.8%), introduce a new supply chain layer where prompt injection findings and malicious code patterns are already present in active tooling. Traditional AppSec controls need expansion to govern these developer environments, as risks emerge before code commitment, impacting tools like Claude, Cursor, and VS Code extensions. |
| 2026-06-24 | Announcing Agentic Development Security (ADS) | AI | Library for Agentic Development Security (ADS) that secures AI-driven software development by embedding security directly into workflows. It provides visibility, governance, and control over tools agents use, their actions, and generated code. ADS addresses risks from dynamic, multi-step workflows and autonomous agent behavior, moving security from post-code analysis to real-time evaluation of agent supply chains, behavior, and generated code, preventing issues like the deletion of a production database by an AI agent with improper credentials and no guardrails. |
| 2026-06-23 | Why You Need a Security Companion for AI-Generated Code | AI | Library that emphasizes a holistic DevSecOps approach for AI-generated code, highlighting that GenAI assistants like Copilot can introduce numerous vulnerabilities, including CWE-78: OS Command Injection, CWE-330: Use of Insufficiently Random Values, and CWE-703: Improper Check or Handling of Exceptional Conditions. This library addresses the increased developer confidence in insecure AI-produced code and the critical need for faster, more intuitive security solutions to complement AI-driven development, ensuring secure coding practices without hindering productivity. |
| 2026-06-23 | Weak Hash vulnerability discovered in crypto-js and crypto-es (CVE-2023-46233 & CVE-2023-46133) | Supply Chain | Library for detecting the "Use of Weak Hash" vulnerability (CVE-2023-46233 & CVE-2023-46133) affecting crypto-js and crypto-es. These libraries, particularly crypto-js due to its discontinued maintenance, are susceptible to brute-force attacks when using PBKDF2 with insecure SHA1 and low iteration counts. Updated versions address this by increasing iterations to 250000, mitigating risks to stored passwords and signatures. |
| 2026-06-23 | Secure your software supply chain with the new Snyk Vulnerability Intelligence for SBOM ServiceNow integration | Supply Chain | Integration that brings Snyk package vulnerability intelligence to SBOMs stored in ServiceNow. This tool identifies vulnerability severity within application and software package contexts, offering fix information and remediation guidance. It automates the creation of application vulnerable items in ServiceNow Vulnerability Response, enabling task assignment, progress tracking, and stakeholder notification. The integration aids in managing risks from zero-day vulnerabilities, such as recent http2 or curl vulnerabilities, and facilitates the analysis of third-party SBOMs for pre-deployment vulnerability assessment. |
| 2026-06-23 | Our favorite 2023 Snyk Fetch the Flag CTF writeups from the community | Bug Bounty | Writeups of the 2023 Snyk Fetch the Flag CTF challenges offer insights into solving over 30 hacking puzzles, including web exploitation and cryptography. These community-contributed analyses detail approaches to challenges like "Quick Maths," "GetHub," and "You Wouldn’t Steal A /Flag.txt," providing practical learning opportunities for cybersecurity enthusiasts. |
| 2026-06-23 | File encryption in Python: An in-depth exploration of symmetric and asymmetric techniques | Python | Library for Python file encryption, detailing symmetric and asymmetric techniques. It covers Amazon's Key Management Service (KMS) with the `aws-encryption-sdk` for envelope encryption, and PyNaCl's `SecretBox` for symmetric file encryption and decryption. Additionally, it explores asymmetric encryption using PyNaCl's public/private box, emphasizing secure key management and communication. |
| 2026-06-23 | Exploring WebExtension security vulnerabilities in React Developer Tools and Vue.js devtools | Bug Bounty, XSS | Writeup detailing WebExtension security vulnerabilities, including unverified external messages in React Developer Tools (CVE-2023-5654) allowing arbitrary URL fetching and unauthorized access to page capture APIs in Vue.js devtools (CVE-2023-5718) leading to screenshot data leakage. This research highlights risks inherent in the WebExtension architecture and its components, affecting cross-browser compatibility and user data. |
| 2026-06-22 | 4 Advantages of using AI code review | AI | Library for AI-powered code review that augments manual efforts to identify security vulnerabilities, performance bottlenecks, and code smells. It enhances Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) by analyzing vast codebases rapidly, reducing human error, and boosting developer productivity. Techniques like deep learning and pattern recognition help find known and unknown issues, with a human-in-the-loop approach to minimize false positives and negatives, exemplified by Snyk Code's AI semantic analysis. |
| 2026-06-22 | Nightfall AI and Snyk unite to deliver AI-powered secrets scanning for developers | AI, Secrets | Library integrating Nightfall AI's advanced secrets scanning with Snyk's developer security platform. This partnership enables automated detection of PII, PHI, PCI, API keys, and other sensitive data across cloud environments and AI-generated code. Nightfall's AI-native capabilities offer over 100 data type detectors, context-aware alerts to reduce false positives, and developer-centric remediation, enhancing Snyk's ability to secure the software supply chain and application security posture. |
| 2026-06-22 | Snyk Fetch the Flag CTF 2023 writeup: Audiopolis | Bug Bounty | Writeup of the Audiopolis challenge from Snyk's Fetch the Flag CTF 2023, detailing a command injection vulnerability in a speech-to-text web application. The writeup explains how to exploit the application by crafting malicious `.wav` files using the `text2wave` program to achieve command execution, ultimately leading to the discovery of the flag. |
| 2026-06-22 | Snyk Fetch the Flag CTF 2023 writeup: Silent Cartographer | Bug Bounty | Writeup of the Silent Cartographer challenge from Snyk's Fetch the Flag CTF 2023, detailing the exploitation of the Covenant C2 framework. This challenge involves identifying the vulnerable application, leveraging known exploits for default JWT secret key leakage in Covenant versions prior to 0.5, and fabricating a JWT to gain administrator privileges. The writeup further addresses the practical challenge of binding the exploit's new listener to port 80, necessitating the use of a tunneler like Ngrok for successful reverse shell handling. |
| 2026-06-22 | Snyk Fetch the Flag CTF 2023 writeup: Protect The Environment | Bug Bounty | Writeup of Snyk's Fetch the Flag CTF 2023 "Protect The Environment" challenge, detailing a file inclusion vulnerability. The solution involves bypassing a custom base64 encoding layer on paths to include the `/proc/<pid>/environ` file, exploiting Flask's inability to correctly chroot static files. The writeup notes that PID 1 or enumerated PIDs like 8 (used by Gunicorn workers) are viable targets. |
| 2026-06-22 | Snyk Fetch the Flag CTF 2023 writeup: Honey Baked Messages | Bug Bounty | Writeup of Snyk Fetch the Flag CTF 2023 "Honey Baked Messages" challenge, detailing the solution involving Hamming codes. The process includes understanding (7, 4) Hamming codes, reading input lines, determining the required parity check matrix (H matrix), and performing error correction on the entire file to extract the flag. A Python script demonstrates the complete solve. |
| 2026-06-22 | Snyk Fetch the Flag CTF 2023 writeup: I Do Math | Bug Bounty | Writeup of Snyk Fetch the Flag CTF 2023's "I Do Math" challenge, detailing the solution for successful login. Players must authenticate as "admin" with the pin 9007199254740992, which represents JavaScript's MAX_SAFE_INT value. Numbers outside this range prevent successful access. |
| 2026-06-22 | Snyk Fetch the Flag CTF 2023 writeup: Off the SETUID | Bug Bounty | Writeup detailing the "Off the SETUID" challenge from Snyk's Fetch the Flag CTF 2023. The solution involves exploiting a PHP code injection vulnerability in an HTTP server to gain initial access, followed by a kernel privilege escalation. The escalation leverages a custom `fun_setuid` syscall with a design flaw allowing a NULL pointer dereference, enabling root privileges by manipulating kernel credentials. The writeup also introduces the `memexec` tool for fileless execution of binaries within PHP environments. |
| 2026-06-22 | Secure password hashing in Go | AuthN | Library for secure password hashing in Go, detailing best practices like salting and the importance of robust hashing algorithms such as Argon2id. It covers password storage concepts, explains attack methods like rainbow tables and brute-force, and provides insights into implementing Argon2id with specific parameters for memory, iterations, and parallelism, emphasizing the need to balance security with performance. |
| 2026-06-22 | Code injection in Python: examples and prevention | Python, RCE | Library for identifying and preventing code injection vulnerabilities in Python applications. It details common exploitation vectors, including insecure use of `eval()`, improper handling of user-controlled inputs, lack of input validation, dynamic code construction, and insecure deserialization. The library advocates for secure coding practices such as input sanitization, using safer alternatives like `literal_eval()`, parameterized queries, and strong access controls to mitigate these risks. |
| 2026-06-22 | Top 3 security best practices for handling JWTs | AuthN, JWT | Guide on securing JSON Web Tokens (JWTs) detailing three core best practices. It emphasizes keeping JWTs secret through HTTPS, HttpOnly/Secure cookie flags, and secure browser storage, while highlighting the risks of XSS. The guide stresses the importance of robust JWT validation, including signature verification, and checking claims like expiration, issuer, and audience. It also advocates for setting expiration times on JWTs to limit their usability and prevent unauthorized access. The article mentions tools like Snyk for identifying vulnerabilities and libraries such as Flask-JWT-Extended and PyJWT for implementation. |
| 2026-06-22 | Common SAML vulnerabilities and how to remediate them | AuthN | Reference detailing common SAML vulnerabilities and their remediation, including signature validation to prevent XML tampering and XML signature wrapping, weak encryption of assertions, and message expiration using "NotBefore" and "NotOnOrAfter" to prevent replay attacks. It also addresses open redirect vulnerabilities exploitable via the "RelayState" parameter and suggests ensuring its value is a trusted URL before redirection, referencing `samlify` and `python3-saml` libraries. |
| 2026-06-21 | Is your team on the *security* naughty or nice list? | AI, API Sec | Library for application security teams, this guide highlights "nice" practices like conducting AppSec gap analyses, integrating security into CI/CD pipelines, scanning AI-generated code, and prioritizing fixes holistically beyond just CVSS scores. It contrasts these with "naughty" approaches such as ad hoc security measures, assuming AI code is secure, and neglecting asset inventory. The library emphasizes viewing security as an enabler, using the principle of least privilege with LLMs, and leveraging tools like Snyk for AppSec posture management (ASPM). |
| 2026-06-21 | Command injection in Python: examples and prevention | Python, RCE | Library for preventing command injection vulnerabilities in Python applications, detailing how unsanitized user input passed to system shells via methods like `os.system()`, `subprocess.run(shell=True)`, dynamic command construction, and `eval()` can lead to exploits. It covers common scenarios, including vulnerabilities found in MLflow and PaddlePaddle, and emphasizes proactive mitigation through rigorous input validation, sanitization, and the use of parameterized queries to keep commands and data separate. |
| 2026-06-21 | Kroger’s approach to supply chain security | Supply Chain | Library integrating a shift-left approach to software supply chain security, utilizing Snyk Code and APIs for proactive vulnerability detection and SBOM generation. Kroger’s implementation emphasizes developer efficiency and risk management, with features that scan pull requests, alert on suspicious package downloads, and automate compliance for PCI DSS 4.0 requirements. The platform supports the company’s efforts in navigating complex technology stacks and addressing open-source dependency risks. |
| 2026-06-21 | Krampus delivers an end-of-year Struts vulnerability | RCE | Analysis of CVE-2023-50164, a critical Struts path traversal vulnerability, with a proof-of-concept exploit. This vulnerability allows attackers to upload files to arbitrary locations within an application's web-served directories, potentially leading to remote code execution. The article details remediation steps, including upgrading Struts to version 2.5.33 or 6.3.0.2 and implementing custom code checks using Snyk's SAST and SCA tools to prevent malicious file uploads and identify vulnerable dependencies. |
| 2026-06-21 | Build and deploy a Node.js security scanning API to Platformatic Cloud | API Sec | Library for building a Node.js security scanning API using Platformatic and Fastify. This resource details how to scaffold a Node.js service with Platformatic, integrate the Snyk CLI and API for vulnerability detection, and create a POST endpoint to test npm packages. It emphasizes securing API tokens using environment variables and IDE extensions like the Snyk VS Code extension for secret detection. |
| 2026-06-21 | How to choose a security tool for your AI-generated code | AI | Guide on selecting security tools for AI-generated code, emphasizing real-time IDE analysis powered by Snyk's DeepCode AI, accurate risk management avoiding AI hallucinations through hybrid AI and human oversight, thorough interfile analysis of entire applications, and automated in-platform reporting for compliance. The guide highlights Snyk's approach to secure development workflows for generative AI. |
| 2026-06-21 | Mastering Python virtual environments: A complete guide to venv, Docker, and securing your code | Python | Library for managing Python virtual environments using `venv`, `virtualenv`, and `pipenv`, and securing Dockerized Python applications with Snyk. It details the creation, activation, and usage of isolated Python environments to prevent dependency conflicts, ensuring reproducible development workflows. The library also covers containerizing Python applications with Docker, including Dockerfile creation and execution, and vulnerability scanning with Snyk to enhance application security. |
| 2026-06-21 | Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195) | Python, XSS | Reference detailing CVE-2024-22195, a cross-site scripting vulnerability in Jinja2 versions prior to 3.1.3. The vulnerability arises from the `xmlattr` filter when processing user input with spaces in keys, allowing attackers to inject arbitrary HTML attributes and potentially execute untrusted scripts. Mitigation involves upgrading to Jinja2 3.1.3 and utilizing tools like Snyk for continuous monitoring and detection of vulnerable dependencies in Python projects and Docker containers. |
| 2026-06-21 | 3 tips from Snyk and Dynatrace’s AI security experts | AI | Talk from Snyk and Dynatrace AI experts highlights three key takeaways for secure generative AI adoption. Prioritizing AI governance, involving cross-functional teams for ethics, request ingestion, and communication is crucial. Taking a patient and considered approach to new technologies is advised, with a focus on understanding data flow, explainability, and transparency in AI tools. Finally, balancing AI opportunities with risks in development necessitates rigorous code security practices, including threat management scanning and clear documentation of AI-generated code, to avoid vulnerabilities and data overexposure. |
| 2026-06-21 | 7 tips to become a successful bug bounty hunter | Bug Bounty | Guide offering seven tips for aspiring bug bounty hunters, emphasizing starting with Vulnerability Disclosure Programs (VDPs) to hone skills before engaging in competitive bug bounty programs. It advises finding a niche like XSS, SSRF, or IDOR, committing to continuous learning, maintaining consistency, collaborating within the security community, and automating repetitive tasks. The guide also encourages stepping outside comfort zones and taking necessary breaks to avoid burnout. |
| 2026-06-21 | Snyk & Atlassian: How to embed security in AI-assisted software development | AI | Library that integrates with AI-assisted development to address risks from tools like GitHub Copilot and Amazon CodeWhisperer. It scans AI-generated code in real-time within the IDE, flagging vulnerabilities stemming from bad training data or hallucinations, and provides quick fixes. The library is presented as a method to verify code against known standards, ensuring trust and security are embedded throughout the SDLC, much like safety measures on a construction site. |
| 2026-06-21 | Preventing SQL injection attacks in Node.js | SQLi | Library for Node.js developers detailing SQL injection prevention techniques, including constructing vulnerable Express applications with PostgreSQL to demonstrate how user input manipulation leads to data leaks. It emphasizes using query placeholders and prepared statements with the `pg` library, validating and sanitizing input via `express-validator`, and utilizing tools like `npm audit` and the Snyk IDE extension for identifying known vulnerabilities in dependencies. |
| 2026-06-21 | Preventing server-side request forgery in Node.js applications | SSRF | Tool for preventing server-side request forgery (SSRF) in Node.js applications, detailing how attackers exploit input tampering and URL manipulation to make unintended server requests. It covers basic and blind SSRF types, referencing a significant Amazon breach. Mitigation strategies include using updated libraries, employing firewalls, sanitizing user input, enforcing URL schemas like HTTP/HTTPS, and creating allowlists for trusted domains, exemplified by code adjustments in an Express and Axios application. |
| 2026-06-20 | 5 Node.js security code snippets every backend developer should know | Secrets | Library offering Node.js security code snippets covering the Permissions Model for restricting resource access, exemplified by preventing command injection in packages like `pdf-image`, and input validation using Fastify JSON schemas to mitigate SSRF and HTTP parameter pollution. It also touches upon secure password hashing with Bcrypt, and integrating tools like the Snyk VS Code extension to detect vulnerable dependencies. |
| 2026-06-20 | Essential AI Tools to Boost Developer Productivity and Security | AI | Library that categorizes AI developer tools, highlighting Security Companions like Snyk Code for real-time analysis of AI-generated and developer-written code. It also details Coding Assistants (GitHub Copilot, Amazon CodeWhisperer), Chatbots/LLMs (ChatGPT, Claude.AI), AI code search (Sourcegraph, Phind), and AI code testing (Codium), emphasizing the need to pair coding assistants with security tools. |
| 2026-06-20 | 5 security best practices for adopting generative AI code assistants like GitHub Copilot | AI | Checklist for safely adopting generative AI code assistants like GitHub Copilot and Amazon CodeWhisperer. This guide emphasizes continuous human validation of AI-generated code, integrating security scanning tools within the IDE, and utilizing Software Composition Analysis (SCA) for third-party dependencies. It also highlights the importance of automating security testing and implementing policies to protect intellectual property from being learned by AI models, referencing incidents like Samsung's ChatGPT ban. |
| 2026-06-20 | GitHub “besieged” by malware repositories and repo confusion: Why you'll be ok | Supply Chain | Library for securing open-source development against threats like malware repositories, repo confusion, typosquatting, and dependency confusion. It emphasizes code vetting, repository authentication, and provides best practices for developers and security teams. Tools like Snyk Advisor and Snyk Learn are mentioned for assessing package health and improving security knowledge. |
| 2026-06-20 | How Snyk ensures safe adoption of AI | AI | Library that uses DeepCode AI, a hybrid approach combining symbolic and machine learning AI, to secure AI-generated code. This technology analyzes code in real-time within the IDE, identifying vulnerabilities like those introduced by tools such as Copilot. It provides accurate results with reduced false positives by incorporating multi-file, interfile, and dataflow analysis, and offers AI-generated fix candidates that are validated for security before recommendation, mitigating risks of license infringement, IP violations, and software vulnerabilities. |
| 2026-06-20 | Securing your SBOM on Google Cloud | Supply Chain | Guidance on securing SBOMs details NSA recommendations for open source software management, secure repository creation, and crisis management. Practices include evaluating OSS, risk assessment, maintaining internal repositories, vulnerability response, and creating validated SBOMs with details on components, versions, and licenses. Snyk integrates with Google Cloud services like CloudBuild, Artifact Registry, and GKE to help users find and fix vulnerabilities, scan containers, and generate enriched SBOMs. |
| 2026-06-20 | The XZ backdoor CVE-2024-3094 | Supply Chain | Analysis of CVE-2024-3094, a critical backdoor in the liblzma library affecting Linux distributions like Debian and Fedora. The exploit, a sophisticated supply chain attack, targeted x86-64 Linux systems using glibc and GCC, aiming to bypass SSH authentication and potentially achieve remote code execution. The vulnerability leverages modified build files and the GNU C Library's IFUNC mechanism to compromise OpenSSH. Detection methods using Snyk CLI for applications and containers are also outlined. |
| 2026-06-20 | Introducing Snyk’s partnership with Gemini Code Assist | AI | Library integrating Snyk's security expertise with Google Gemini's AI coding assistance. This partnership delivers automated fixes and in-line security feedback for AI-generated code within IDEs like Google Cloud Code, providing full application context to identify vulnerabilities early. It leverages DeepCode AI for SAST and aims to accelerate development velocity without compromising security, allowing teams to adopt AI coding assistants confidently. |
| 2026-06-20 | How SAS secures their AI-generated code | AI | Talk from Snyk, moderated by Clinton Herget and featuring Brett Smith and Chris Knackstedt, addresses the security challenges of AI-generated code. The session explores risks such as code quality issues stemming from diverse training data, new attack vectors like prompt injection and library squatting, and AI hallucinations. It emphasizes the importance of developer education regarding AI tool limitations and IP protection, alongside reinforcing traditional security measures like static code analysis (SAST) with tools like Snyk Code to combat the increased velocity of vulnerable code injection. |
| 2026-06-20 | An investigation into code injection vulnerabilities caused by generative AI | AI | Analysis of 4000+ Python repositories reveals code injection vulnerabilities (CWE-94) stemming from generative AI's large language models (LLMs). Issues arise from treating LLM output as trusted, particularly when user input influences prompts (prompt injection) and when LLM responses are passed to insecure functions like Python's `eval()` for parsing expected JSON. This can lead to arbitrary code execution. Recommendations include replacing `eval()` with `json.loads()` and rigorously validating LLM-generated code before execution, ideally within sandboxed environments. |
| 2026-06-19 | DevOpsDays Singapore 2024: Unmasking the security pitfalls in AI-generated code | AI | Talk from DevOpsDays Singapore 2024 highlights security challenges in AI-generated code. Tools like Copilot, AWS Code Whisperer, and Gemini can increase development speed but may introduce vulnerabilities such as SQL injection and XSS, or use outdated libraries. An analysis showed 40% of Copilot-generated code had flaws. Live demonstrations illustrated how AI can both introduce and help fix these security issues with proper prompting. Security tools like Snyk, integrating into development environments, are crucial for scanning and remediating these vulnerabilities early in the SDLC. |
| 2026-06-19 | More accurate than GPT-4: How Snyk’s CodeReduce improved the performance of other LLMs | AI | Library that enhances LLM performance for security vulnerability autofixing. It employs proprietary CodeReduce technology, which utilizes program analysis to narrow the LLM's attention to critical code snippets, significantly improving fix generation accuracy and speed. This approach addresses LLM limitations by focusing on curated security fix datasets and contextual code, outperforming existing models like GPT-4 on various vulnerability types including AST, Local, FileWide, SecurityLocal, and SecurityFlow issues. |
| 2026-06-19 | The ultimate guide to creating a secure Python package | Python | Guide to creating secure Python packages, this tutorial details package structure, naming conventions, and configuration using `pyproject.toml`. It covers importing, installing from PyPI and private indexes with TLS recommendations, and specifying dependencies like NumPy. Modern packaging practices using `setuptools` as a build backend are emphasized over older `setup.py` methods. |
| 2026-06-19 | Symmetric vs. asymmetric encryption: Practical Python examples | Python | Library implementing symmetric and asymmetric encryption in Python, demonstrating practical use cases with examples for TLS/SSL, end-to-end messaging, and secure data storage. It covers algorithms like DES, 3DES, and AES, with a focus on envelope encryption for secure key management, using AWS KMS and the AWS Encryption SDK for practical implementation. |
| 2026-06-19 | How to secure Python Flask applications | API Sec, Python | Library for securing Python Flask applications, addressing common vulnerabilities like XSS, CSRF, and SQL injection. It details insecure configurations such as secret key exposure, enabled debug mode in production, and unprotected sensitive data in configuration files. The guide recommends best practices including using environment variables for credentials, securely generating secret keys with the `uuid` module, and utilizing the Snyk platform for vulnerability detection and mitigation within IDEs and CI pipelines. |
| 2026-06-19 | Preventing broken access control in express Node.js applications | API Sec, AuthZ | Library detailing broken access control vulnerabilities in Express Node.js applications, covering scenarios like unprotected admin panels, predictable user IDs leading to IDOR, and insecure direct object references. It illustrates how to prevent issues such as vertical privilege escalation and horizontal data exposure, emphasizing the risks of clear text logging and insufficient CSRF protection within Express middleware. |
| 2026-06-19 | 5 tips for adopting AI code assistance securely | AI | Library of security tips for adopting AI code assistants like GitHub Copilot and Amazon CodeWhisperer. It emphasizes integrating human oversight, using separate security tools for scanning AI code, validating third-party dependencies with Software Composition Analysis (SCA), automating security testing within development workflows, and protecting intellectual property by carefully managing AI prompts to prevent data leakage. |
| 2026-06-19 | Secure AI tool adoption: Perceptions and realities | AI | Survey of 459 IT professionals globally, including AppSec, developers, and C-suite, reveals that while organizations feel ready for generative AI coding tools, less than 20% conduct formal POCs. Security fears are the biggest adoption barrier, yet AppSec teams express greater concern about AI code security and insufficient policies compared to management. The report highlights a discrepancy in AI readiness perceptions across roles, with leadership being more optimistic than those directly involved with code. |
| 2026-06-19 | Securing next-gen development: Lessons from Trust Bank and TASConnect | Talks | Talk from Black Hat Asia featuring experts from Trust Bank and TASConnect, discussing strategies for securing next-generation applications. It highlights the challenges posed by complex architectures, AI-generated code (like that from GitHub Copilot and Google Gemini), and multi-cloud deployments. The session emphasizes a proactive, developer-first approach, leveraging tools such as Snyk for immediate feedback and risk prioritization, and tracking key metrics like security training implementation and time to remediate to align security with business goals. |
| 2026-06-19 | The full Snyk AI Security Platform, free for open source maintainers | AI, Secrets | Platform offering open source maintainers free access to the Snyk AI Security Platform. It focuses on issue prioritization using exploitability, reachability, and asset criticality, alongside automated fix pull requests for vulnerable dependencies via the Snyk Remediation Agent, which uses frontier-model reasoning for validated, merge-ready fixes in Snyk Open Source and Snyk Code. |
2026-06-18 20264 AI coding risks and how to address themAILibrary for addressing AI coding risks; highlights include injection vulnerabilities, authentication weaknesses, and misconfigured permissions. It emphasizes the need for human oversight and offers strategies like SAST with tools like Snyk Code, conducting audits, and developing clear organizational policies to mitigate issues related to AI-generated code, intellectual property infringement, and lack of explainability.
2026-06-18 2026Snyk Code now secures AI builds with support for LLM sourcesAISecretsLibrary updates for Snyk Code now secure AI builds by tracking data flows from LLM libraries, including those from OpenAI, HuggingFace, Anthropic, and Google. This enhancement performs taint analysis on data returned from LLM sources, treating it as untrusted by default, to detect vulnerabilities such as prompt injections, SQL injection, and XSS. The tool identifies unsanitized data sinking into sensitive functions or data stores, alerting users to potential security issues even in projects with initially unsupported LLM frameworks.
2026-06-18 2026Finding and fixing exposed hardcoded secrets in your GitHub project with SnykSecretsLibrary for scanning Node.js projects for exposed hardcoded secrets and credentials, demonstrated with the Snyk goof project. It utilizes Snyk to identify vulnerabilities and then refactors code to leverage Doppler for centralized secret management, preventing secrets from being pushed to GitHub and enabling environment-specific configurations. The process involves adding secrets to Doppler and updating application code to use environment variables injected via the Doppler CLI.
2026-06-18 2026Polyfill supply chain attack embeds malware in JavaScript CDN assetsSupply ChainLibrary providing detection for the Polyfill supply chain attack impacting cdn.polyfill.io, which embedded malware in JavaScript assets. The attack, announced June 25, 2024, affected over 100,000 websites, including Intuit. Snyk Code's SAST engine can detect usage of malicious domains like polyfill[.]site, polyfill[.]com, bootcdn[.]net, and staticfile[.]net through custom rules, and has identified CVE-2024-38526 in the pdoc library.
2026-06-18 2026How to secure a REST API?API SecLibrary for securing REST APIs, addressing injection attacks, broken authentication (like the 2018 Reddit breach), sensitive data exposure, rate limiting vulnerabilities (seen in the 2016 Dyn attack), and insecure dependencies (as with the 2017 Equifax breach via Apache Struts). It details implementing OAuth 2.0 and JWT for authentication, secure token management, enforcing HTTPS, and using AES encryption. The library also highlights the importance of HTTP headers such as Content Security Policy (CSP) and X-Content-Type-Options, recommending tools like Snyk Code and Snyk Open Source for vulnerability detection.
2026-06-18 202610 Dimensions of Python Static AnalysisPythonLibrary for static analysis in Python, covering its importance for detecting bugs, security vulnerabilities, and stylistic issues without code execution. It details dimensions like type checking with tools such as Mypy, Pyright, and Pyre, and linting with Pylint, Flake8, and Pyflakes to enforce coding standards and identify code smells. The library also highlights security vulnerability detection capabilities, mentioning tools like Bandit and Snyk Code for spotting risks such as SQL injection.
2026-06-18 2026Preventing SQL injection in C# with Entity FrameworkSQLiLibrary for preventing SQL injection in C# applications utilizing Entity Framework. It details secure methods like LINQ queries, `FromSqlInterpolated`, and safe `FromSqlRaw` usage with explicit parameters, contrasting them with vulnerable string concatenation. The entry emphasizes using prepared statements and parameterization to treat user input strictly as data, and recommends code scanning tools like Snyk Code for detecting insecure constructions.
2026-06-18 2026Infosec Europe session: 4 tips for safer AI adoptionAIReference from Infosecurity Europe 2024 outlines four tips for safer AI adoption in businesses. Key strategies include classifying AI usage by business impact criticality, not solely relying on LLMs for security but implementing AI guardrails like code reviews and peer validation, with tools like Snyk Code offering AI-fast SAST scans. It also emphasizes understanding and protecting AI training models from attacks such as prompt injection, and inventorying AI's presence within the existing tech stack.
2026-06-18 2026A security expert’s view on Gartner’s generative AI insights - Part 2AILibrary for AI-driven application security, Snyk Agent Fix integrates into IDEs for real-time autofixing, leveraging a specialized, proprietary LLM trained on security data rather than general code functionality. This approach ensures more reliable security fixes than those from general-purpose LLMs. The library aims for accuracy and speed, catering to both developer and security teams, and includes features like SBOM generation and proactive risk neutralization, as demonstrated by its early discovery of the Leaky Vessels zero-day vulnerability.
2026-06-18 | 2026 | A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope | Supply Chain | Writeup detailing a supply chain attack on the `@mastra` npm scope, where a former contributor's compromised account was used to republish 142 packages with a malicious dependency, `easy-day-js`. This dependency, a `dayjs` imposter, featured an install hook that disabled TLS verification, downloaded a cross-platform cryptocurrency stealer and remote access trojan, and established persistence. The attack exploited lax scope access management by npm and highlights the risks of unrevoked permissions and dependency confusion via version ranges.
2026-06-17 | 2026 | Vulnerabilities in NodeJS C/C++ add-on extensions | Supply Chain | Library for analyzing C/C++ vulnerabilities in NodeJS npm packages, focusing on buffer overflow, denial of service (process crash, unchecked types), and memory leaks. It models sources, sinks, and sanitizers using Snyk Code to identify vulnerable patterns within Node-API and Napi interfaces, providing remediation examples for maintainers.
2026-06-17 | 2026 | Three trends shaping software supply chain security today | Supply Chain | Survey of trends shaping software supply chain security, focusing on growing SBOM regulations, the impact of AI-generated code on secure development practices, and the evolving threat landscape, including AI supply chain attacks impacting LLMs. This resource emphasizes proactive security measures, leveraging business context for risk prioritization, and shifting code security left to align with faster development cycles.
2026-06-17 | 2026 | The persistent threat: Why major vulnerabilities like Log4Shell and Spring4Shell remain significant | Supply Chain | Library for detecting and addressing application security vulnerabilities, focusing on the persistent threat of Log4Shell (CVE-2021-44228) and Spring4Shell. It highlights that a significant percentage of applications still use outdated, vulnerable versions of Log4j and Spring Framework, leaving them open to attacks such as remote code execution via JNDI lookups and deserialization. Snyk integrates into development workflows via Git, CLI, and CI pipelines to identify risks early and offers one-click fix PRs for vulnerable dependencies.
2026-06-17 | 2026 | Want to avoid a data breach? Employ secrets detection | Secrets | Library for detecting secrets like API keys, passwords, and tokens in application code. It employs sophisticated patterns and regex to identify potentially exposed sensitive data, preventing data breaches. The library integrates with IDEs for real-time feedback and can be incorporated into CI/CD pipelines to fail builds upon secret detection, mitigating risks like unauthorized access, regulatory non-compliance, and loss of competitive advantage.
2026-06-17 | 2026 | Dive into AI and LLM learning with the new Snyk Learn learning path | AI | Library providing a free learning path on Snyk Learn, focusing on the OWASP Top 10 for LLMs and GenAI. This path addresses critical security challenges in AI systems, including prompt injection and sensitive information disclosure, equipping developers and security professionals with knowledge to secure AI-driven applications.
2026-06-17 | 2026 | Promise queues and batching concurrent tasks in Deno | SSRF | Library for managing concurrent tasks in Deno, improving efficiency and robustness through promise queues and task batching. It utilizes `Promise.allSettled()` to execute multiple HTTP fetch requests concurrently, demonstrated by fetching package data from the npm registry JSON endpoint, and offers a GitHub repository for complete source-code reference.
2026-06-17 | 2026 | How to prevent log injection vulnerability in JavaScript and Node.js applications | XSS | Library for preventing log injection vulnerabilities in JavaScript and Node.js applications, specifically detailing how attackers can manipulate input to inject malicious content into logs. It offers methods for sanitizing user inputs, using regex and libraries like validator.js, suggests careful consideration of what data to log, and recommends structured logging and specialized libraries such as pino over basic console.log. The entry also mentions the Snyk IDE extension for VS Code as a tool for detecting such vulnerabilities.
2026-06-17 | 2026 | Zero-day RCE vulnerability found in CUPS - Common UNIX Printing System | RCE | Library that detects and helps remediate zero-day RCE vulnerabilities in CUPS, including CVE-2024-47177, CVE-2024-47176, CVE-2024-47076, and CVE-2024-47175. The library offers automated scanning for Snyk Open Source and Snyk Container, providing risk scores for prioritization and enabling custom report generation for affected packages and running instances. It also offers guidance on blocking network access to port 631 and DNS-SD traffic for potential mitigation.
2026-06-17 | 2026 | Going beyond reachability to prioritize what matters most | Bug Bounty | Library for prioritizing application security vulnerabilities by incorporating contextual business risk alongside static reachability, CVSS, and EPSS scores. It analyzes vulnerability applicability across operating systems, business criticality, deployment location, and data access, leveraging AI-powered static and dynamic reachability analysis from code to cloud. Snyk's approach provides a holistic risk score, enabling organizations to focus remediation efforts on the most impactful threats.
2026-06-17 | 2026 | Proactive AppSec continuous vulnerability management for developers and security teams | Supply Chain | Library for continuous vulnerability management that integrates Snyk DeepCode AI into IDEs like VS Code and IntelliJ IDEA. It proactively identifies security issues in open-source components, AI-generated code (e.g., from GitHub Copilot), and containerized applications, offering real-time feedback and mitigations for vulnerabilities like XSS and SQL injection, thereby enhancing application security throughout the development lifecycle.
2026-06-16 | 2026 | The mysterious supply chain concern of string-width-cjs npm package | Supply Chain | Analysis of npm package aliasing and its supply chain risks, triggered by a `string-width-cjs` update in `cliui`. The article details how package aliasing can be abused, referencing a 2021 Snyk disclosure. It highlights the discovery of suspicious, seemingly empty npm packages (`string-width-cjs`, `strip-ansi-cjs`, `wrap-ansi-cjs`) published by an anonymous user, potentially for dependency confusion or typosquatting. The analysis further examines how these packages are pulled into other projects, like `react-native-multiply` and `clazz-transformer`, suggesting a campaign to mine Tea tokens.
2026-06-16 | 2026 | Foundations of trust: Securing the future of AI-generated code | AI | Program that partners with AI coding assistants like Codeium, Tabnine, TabbyML, and Qodo to integrate Snyk's security capabilities. This initiative addresses vulnerabilities common in AI-generated code, such as inaccuracies, hallucinations, security flaws, data poisoning, and prompt injections. By embedding real-time SAST guardrails and automated remediation through DeepCode AI Fix into IDE extensions, the program aims to secure AI-assisted development workflows and increase trust in AI-generated software.
2026-06-16 | 2026 | Automatically fix code vulnerabilities with AI | AI, XSS | Library for automatically fixing common security vulnerabilities, such as Cross-site Scripting (XSS) in Java applications, by leveraging a hybrid AI model. This tool, integrated into IDEs, goes beyond providing remediation advice by directly applying secure code fixes, exemplified in a Spring Boot application using the Thymeleaf template engine and the faker library. Unlike generative AI assistants that may introduce insecure code, this library uses a combination of generative AI, symbolic AI, and machine learning, trained on curated security research data, to ensure secure code generation.
2026-06-16 | 2026 | Ensuring comprehensive security testing in DevOps pipelines | Supply Chain | Library for integrating comprehensive security testing into DevOps pipelines. It details strategies for assessing application risk profiles and implementing various testing types, including SAST (Snyk Code), SCA (Snyk Open Source), container security (Snyk Container), IaC security (Snyk IaC), DAST, RASP, and API testing. The library emphasizes shifting security left and ensuring coverage across the entire software development lifecycle, from development to production, with recommendations for effective alert notification frameworks.
2026-06-16 | 2026 | Find, auto-fix, and prioritize intelligently, with Snyk's AI-powered code security tools | AI | Library for AI-powered application security; Snyk Code offers automated detection and remediation of vulnerabilities. Utilizing DeepCode AI, it scans code directly within the IDE, providing rapid SAST analysis and auto-fixing suggestions via its Snyk AgentFix feature. This multi-model AI approach combines different methodologies for enhanced reliability, ensuring suggested fixes are screened by symbolic AI before developer application, reducing mean time to remediate and improving code security for AI-generated code.
2026-06-16 | 2026 | Top 5 SAST Auto-fixing Tools and How They Compare | AI | Library comparing the top 5 SAST auto-fixing tools, focusing on AI-powered, private, and accurate remediation. It highlights features like automated fixes, seamless integration into developer workflows, and compatibility with detection tools, referencing Snyk Agent Fix as an example of a self-hosted LLM trained on secure code to accurately address vulnerabilities without introducing new risks.
2026-06-16 | 2026 | Lottie Player npm package compromised for crypto wallet theft | Supply Chain | Writeup detailing the compromise of the `@lottiefiles/lottie-player` npm package, which injected malicious code into versions 2.0.5 through 2.0.7, enabling cryptocurrency wallet theft. The incident highlights supply chain risks, particularly when using CDNs without pinned dependency versions, and details how tools like Snyk can identify vulnerable installations of this and similar packages.
2026-06-16 | 2026 | Extending developer security with dev-first dynamic testing | API Sec, Fuzzing | Library extending developer security; Snyk has acquired Probely, a provider of API Security Testing and Dynamic Application Security Testing (DAST). This acquisition integrates modern DAST capabilities, focusing on a developer-first approach with low false positive rates, simple implementation, and CI/CD pipeline integration, addressing the growing need for API security in the GenAI era and providing enhanced visibility into application risk.
2026-06-16 | 2026 | Understanding command injection vulnerabilities in Go | RCE | Library for mitigating command injection vulnerabilities in Go applications. It details how insecurely handling user input with packages like `os/exec` can lead to attackers executing arbitrary commands, potentially causing data breaches or system compromise. The library emphasizes secure coding practices such as rigorous input validation and sanitization, preferring safe APIs (like `github.com/disintegration/imaging` for image manipulation) over direct system command execution, and refactoring vulnerable code to use `exec.Command` with separate arguments instead of constructing shell strings.
2026-06-16 | 2026 | The Government Just Banned an AI Model. An Engineer's Perspective. | AI, Supply Chain | Analysis of Anthropic's AI models Fable 5 and Mythos 5, disabled by government directive due to a jailbreak that unlocked vulnerability detection; it highlights supply chain risks for AI vendors and the detrimental impact on defenders when defensive capabilities are banned. The incident underscores the dual-use nature of AI in cybersecurity and the need for nuanced frameworks, not outright bans, to manage risks.
2026-06-15 | 2026 | How to Mitigate SSRF Vulnerabilities in Go | SSRF | Technique for mitigating SSRF vulnerabilities in Go, focusing on URL parsing and validation, and restricting outbound requests to trusted hosts. It highlights the importance of validating `tenantID` and `fileID` parameters and employing allowlists for destination domains. The resource also mentions leveraging Snyk Code for static analysis to identify and fix such vulnerabilities early in the development process.
2026-06-15 | 2026 | Ultralytics AI Pwn Request Supply Chain Attack | AI, RCE, Supply Chain | Analysis of the Ultralytics supply chain attack, which occurred in two phases between December 4-7, 2024, detailing how malicious versions (8.3.41, 8.3.42, 8.3.45, 8.3.46) were published to PyPI. The attack exploited a template injection vulnerability in GitHub Actions workflows, specifically using a `pull_request_target` trigger with unescaped template expressions in a crafted branch name to execute a shell script. This script exfiltrated GitHub tokens, poisoned the pip cache, and injected a Monero cryptocurrency mining payload (XMRig) into the package, impacting users across projects like ComfyUI and Comic-Translate.
2026-06-15 | 2026 | 4 Tips for Securing GenAI-Assisted Development | AI | Guide on scaling application security in the age of GenAI; this resource offers four key takeaways from Deloitte and Snyk. It emphasizes implementing developer-first security tools, providing training on responsible AI use, establishing processes that keep pace with increased code volume, and updating policies to align with GenAI tools like GitHub Copilot and Google Gemini Code Assist. The guide aims to help organizations safely integrate and scale AI-assisted development while managing associated security risks.
2026-06-15 | 2026 | New Year, New Security Goals: Improve Your AppSec in 2025 | AI, Secrets | Library for improving application security in 2025, focusing on automated vulnerability remediation using tools like Snyk, balancing AI and human expertise for actionable insights, and addressing trust concerns with AI-generated code through integrated security testing. It also highlights securing AI models by protecting training data, monitoring for data drift, and implementing model hardening techniques to mitigate risks like poisoning and adversarial attacks.
2026-06-15 | 2026 | Securing the Digital Future: AppSec Best Practices in Digital Banking | API Sec, AuthZ | Talk slides from the Digital Banking Asia Summit 2024 outlining application security best practices for financial services. The presentation highlights key challenges including regulatory compliance, third-party integration, sophisticated attackers, complex architectures, legacy systems, resource limitations, insider threats, and balancing release velocity with security. It also addresses developer-security team disconnects due to lack of shared context, leadership priorities for CTOs and CISOs, and five pillars of success: developer adoption, security trust, effective fix delivery, a comprehensive platform, and a strong partner ecosystem.
2026-06-15 | 2026 | Securing GenAI Development with Snyk | AI | Ebook detailing how to secure GenAI development with Snyk. It addresses the risks of AI-generated code, where up to 40% from tools like Copilot can contain security flaws, and the speed at which CVEs can be exploited. The ebook explains how Snyk Code, with its DeepCode AI and Snyk Agent Fix, offers in-IDE security, real-time scanning, AI-driven auto-fixing, and faster scans compared to traditional solutions, balancing productivity with robust security for both human-written and AI-generated code.
2026-06-15 | 2026 | Snyk Security Labs Testing Update: Cursor.com AI Code Editor | Supply Chain | Analysis of the Cursor.com AI Code Editor by Snyk Security Labs, detailing testing for dependency confusion vulnerabilities. Researchers uploaded intentionally named packages to the public NPM repository to test whether Cursor's build system would mistakenly pull private extensions from the public registry. These packages exfiltrated system details such as username, hostname, and environment variables to confirm installation. The analysis concluded that Cursor was not vulnerable to dependency confusion and no sensitive data was disclosed.
2026-06-15 | 2026 | BFI’s Journey in Digital Transformation: A Fireside Chat on Elevating Application Security and Developer Experience | API Sec, AuthZ | Talk at CISO Indonesia 2024 detailing BFI Finance's shift-left security strategy using Snyk. The discussion highlights BFI's transition from reactive pen tests and container scans to proactive measures like pull request scans, in-development code scans, IaC scans for Terraform, and container scans. Key results include zero critical/high production issues, defined patch grace periods, improved developer experience via IDE and CI/CD integration, and enhanced reporting. Lessons learned emphasize cross-team collaboration and cultural transformation for embedding security standards.
2026-06-15 | 2026 | Sneak Peek into Fetch the Flag CTF 2025 | Bug Bounty, Talks | Workshop slides from Fetch the Flag CTF 2023, featuring challenges like Beep64, Quick Maths, Ominous, GetHub, Sparky, and Bedsheets. This event, hosted by Snyk and John Hammond, offers 20+ hands-on hacking challenges for all skill levels, with prizes including Meta Quest 3S VR headsets. A CTF 101 Workshop is also available on February 13, 2025, for beginners.
2026-06-15 | 2026 | Best Practices for Creating a Modern npm Package with Security in Mind | Supply Chain | Tutorial on creating modern, production-ready npm packages, covering project setup with GitHub, publishing to the npm registry, and implementing security checks. It details using TypeScript for ECMAScript Module format builds, setting up test frameworks, and automating version management and publishing with GitHub Actions. Key steps include enabling two-factor authentication for npm accounts, using `npm publish --dry-run` to preview publications, and configuring `package.json` for build outputs and included files.
2026-06-15 | 2026 | When a Government Pulls an AI Model: What the Fable 5 and Mythos 5 Suspension Means for Security Teams | AI, AuthN | Reference to the suspension of Anthropic's Fable 5 and Mythos 5 AI models due to a government directive prompted by a reported "AI jailbreak" involving code analysis and remediation. The article highlights how this incident mirrors familiar challenges in application security, such as the dual-use nature of tools like port scanners and fuzzers, and contrasts the broad shutdown with established security practices like coordinated disclosure, defense in depth, and risk-based prioritization.
2026-06-14 | 2026 | Creating SBOMs with the Snyk CLI | Supply Chain | Library for generating Software Bills of Materials (SBOMs) using the Snyk CLI. It supports various programming languages and package managers, creating SBOMs in CycloneDX, XML, or SPDX formats. The Snyk CLI can also scan existing SBOM files for known vulnerabilities and integrates with tools like Bomber for analysis. Automating SBOM generation within CI/CD pipelines is crucial for security, compliance, and transparency.
2026-06-14 | 2026 | Consolidate Security Findings with Snyk and Google Security Command Center | API Sec | Integration between Snyk and Google Security Command Center that consolidates application and cloud security findings into a single view. This allows CISOs and security teams to monitor Snyk-detected application vulnerabilities, such as critical issues in open-source libraries within container images, alongside cloud security issues identified by Security Command Center. The integration streamlines risk management, enables near real-time detection, and prioritizes remediation by providing actionable advice from Snyk alongside Google's threat intelligence and Mandiant's expertise.
2026-06-14 | 2026 | Do not pass GO - Malicious Package Alert | Supply Chain | Library alert detailing a software supply chain compromise in the BoltDB Go module. Version 1.3.1, released November 2021, was backdoored and remotely controllable via a command and control server. This typosquatting attack, named github.com/botdb-go/bolt, exploited the Go Module Mirror's indefinite caching, allowing the malicious code to persist for years. Socket researchers reported the issue, leading to its removal from the Go Module Proxy and GitHub, and inclusion in the Go vulnerability database.
2026-06-14 | 2026 | Incorporating security by design: Managing risk in DevSecOps | API Sec | Guide to integrating security by design into DevSecOps, emphasizing proactive risk management by embedding security from initial design and coding through deployment. This approach, which moves beyond traditional "shift-left" security, leverages automated code reviews, threat modeling, and developer-first security tools like Snyk to prevent vulnerabilities, reduce late-stage remediation costs, and ensure resilient software development.
2026-06-14 | 2026 | Solving Security Challenges with Snyk Code and Symbolic AI | API Sec | Library that leverages Symbolic AI for static application security testing (SAST). Snyk Code analyzes code paths to detect vulnerabilities, outperforming traditional pattern-matching methods. It successfully identified open redirects in Python Flask applications, and Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and CRLF injection in Node.js Express applications. Snyk Code not only detects these issues but also offers suggested fixes and contextual best practices.
2026-06-14 | 2026 | Can Snyk Detect JWT Security Issues? | JWT | Library that analyzes Node.js applications for insecure JSON Web Token (JWT) usage, specifically identifying the misuse of `jsonwebtoken`'s `jwt.decode()` function, which can lead to broken authentication vulnerabilities. It also flags hardcoded secrets, insufficient logging, lack of rate limiting, and missing token expiration enforcement.
2026-06-14 | 2026 | Fetch the Flag CTF 2025 Community Writeups | Bug Bounty | Writeups from the Fetch the Flag CTF 2025 competition offer community insights into solving challenges across web, binary, and exploitation categories. These detailed solutions, alongside an optional CTF 101 workshop for beginners, showcase practical approaches to hacking scenarios and contribute to skill development within the security community.
2026-06-14 | 2026 | Learn about API security risks with the new Snyk Learn Learning Path | API Sec | Learning path from Snyk Learn addressing the OWASP Top 10 for API security risks. This interactive resource provides developers and security teams with a deep understanding of critical API vulnerabilities and actionable strategies for mitigation. It covers real-world scenarios to fortify API security, complementing existing learning paths on OWASP Top 10 and GenAI & LLM risks.
2026-06-14 | 2026 | DevSecOps Automation Framework | API Sec | Framework for DevSecOps automation that emphasizes shifting security left by integrating automated SAST, SCA, and IaC scanning into CI/CD pipelines. It outlines strategies for implementing repeatable, scalable security practices, detailing how tools like Snyk Code and Snyk Open Source help detect and remediate vulnerabilities in source code and dependencies early, enabling faster, more secure software delivery and compliance with regulations like ISO 27001, SOC 2, and GDPR.
2026-06-14 | 2026 | AI Code Generation: Code Security & Quality, Benefits, Risks & Top Tools | AI | Library for scanning AI-generated code, like that from GitHub Copilot or ChatGPT, for security vulnerabilities and quality issues. It acts as an AI security companion, using a hybrid AI approach combining machine learning with human-curated security knowledge to provide real-time identification of risks and actionable fixes, integrating seamlessly into development workflows to ensure secure adoption of AI coding tools.
2026-06-14 | 2026 | Snyk Helps Secure the Golang Bento Project | Supply Chain | Library contribution that fixes CVE-2025-22869, a denial-of-service vulnerability in golang.org/x/crypto/ssh, within the Golang Bento project. Snyk proactively addressed the issue by updating dependencies to secure versions, demonstrating its commitment to securing open-source projects through its Secure Developer Program.
2026-06-14 | 2026 | Snyk and ServiceNow: Streamlining Vulnerability Management with ServiceNow VR Assignment Rules | API Sec, Bug Bounty | Reference for leveraging ServiceNow Vulnerability Assignment rules to automate the routing of application vulnerabilities. The integration correlates vulnerability data with Configuration Management Database (CMDB) fields, enabling automatic assignment to the responsible developer teams based on application tags. This streamlines remediation workflows and enhances visibility for application security teams and CISOs.
2026-06-14 | 2026 | AI Risk Management: Benefits, Challenges, and Best Practices | AI | Library for AI risk management, outlining benefits like enhanced speed and accuracy with tools such as Snyk Code and Snyk AppRisk, which leverage DeepCode AI for vulnerability detection and auto-fixing. It addresses challenges like compliance complexities and tool selection, emphasizing secure-by-design principles and integration into development lifecycles. The library supports adherence to standards like NIST’s AI Risk Management Framework, promoting proactive security measures throughout AI development and deployment.
2026-06-14 | 2026 | Responding and remediating: Best practices for handling security alerts | Bug Bounty | Library for DevSecOps; Snyk automates vulnerability scanning across the SDLC, including source code, open-source dependencies, containers, and infrastructure as code. It leverages a rich vulnerability database to provide contextual information and prioritize issues based on severity and business risk. Snyk Open Source offers advanced software composition analysis to address transitive dependencies, while Snyk Code identifies vulnerabilities, including in AI-generated code, with real-time feedback and fix recommendations. The platform aims to streamline remediation and response efforts, reducing developer friction and improving security outcomes.
2026-06-14 | 2026 | Reconstructing the TJ Actions Changed Files GitHub Actions Compromise | Secrets, Supply Chain | Writeup on the tj-actions/changed-files GitHub Actions compromise, detailing how an attacker leveraged write privileges, orphaned Git commits, and manipulated release tags to inject malicious code. This code then exfiltrated encrypted secrets from memory and leaked them into public GitHub Actions logs, impacting approximately 23,000 repositories. The analysis includes steps to recreate the attack and highlights remediation advice for users to review their logs.
2026-06-14 | 2026 | Unburdening Developers From Vulnerability Fatigue with Snyk Delta Findings | Bug Bounty | Library for the Snyk VS Code extension that enhances developer workflows by introducing "delta findings." This feature allows developers to see only security issues introduced by their current code changes, filtering out noise from the base branch. It supports proactive remediation of vulnerabilities like command injection and cross-site scripting in JavaScript and Python code. The extension integrates with Snyk Code, Snyk Open Source, and Snyk IaC, offering AI-powered auto-fixing and granular filtering by severity and source.
2026-06-14 | 2026 | Building a Culture of Secure Coding: Empowering Developers to Build Resilient Software | Bug Bounty | Library for empowering developers to build resilient software by fostering a secure coding culture. This resource emphasizes hands-on training, real-time feedback through tools like Snyk Code and Snyk Open Source, and integrating security into every development process, including CI/CD pipelines. It advocates for identifying security champions, automating scans, and motivating teams by measuring and celebrating successes, providing actionable insights on common vulnerabilities like the OWASP Top 10.
2026-06-14 2026Overcoming AppSec Challenges in FinServ: How CIBC Balances Speed, Security, and ComplianceBug BountyFireside chat slides from CIBC detailing application security challenges in financial services, including balancing speed with compliance mandates like PCI DSS and SOC 2, the role of AI-driven tools in vulnerability management, and fostering a developer-first security culture. The discussion highlights the importance of continuous monitoring, automation, and developer education to strengthen security posture against cybercrime and data privacy concerns in legacy and modern applications.
2026-06-14 2026CVE-2025-29927 Authorization Bypass in Next.js MiddlewareAPI SecAuthZWriteup of CVE-2025-29927, an authorization bypass vulnerability in Next.js middleware. This critical 9.1 severity flaw affects Next.js versions prior to 15.2.3, 14.2.25, and 13.5.9. Attackers can bypass middleware logic and access protected routes by manipulating the `x-middleware-subrequest` HTTP header. Developers are urged to upgrade Next.js versions or apply firewall rules to mitigate the risk.
2026-06-14 2026Q&A Session with Snyk & John Hammond: Your Fetch the Flag Questions, AnsweredBug BountyTalksWriteup detailing a Q&A session from Snyk's Fetch the Flag CTF, featuring insights from John Hammond and challenge designer Matt Kiely. Topics cover advice for CTF beginners, leveraging Netcat with pwntools, exploiting predictable `Math.random()` in JavaScript, recommended beginner tools like Burp Suite and Snyk Open Source, and solving crypto challenges like "Padding Gambit" via padding oracle attacks. The session highlights practical approaches and tools for cybersecurity enthusiasts.
2026-06-13 | 2026 | Snyk Security Solution Now Integrated into Google Cloud's Gemini Code Assist | AI | Library integration that enables developers to scan code for SAST, SCA, and IaC vulnerabilities directly within Google Cloud's Gemini Code Assist using natural language prompts. This streamlines the application security process by consolidating security checks within the IDE, reducing context switching and accelerating vulnerability detection and remediation with features like Snyk Agent Fix. The partnership allows for secure AI adoption at scale, providing enhanced developer experience and visibility into security risks across the software development lifecycle.
2026-06-13 | 2026 | Snyk Ushers in the Future of DAST: AI-Driven Security for the Age of AI-Driven Development | AI | Library for AI-driven dynamic application security testing (DAST): Snyk API & Web redefines security for modern, AI-powered applications. Integrating Probely's DAST technology into its platform, it addresses complex APIs and Large Language Model (LLM) interactions, expanding coverage for OWASP Top 10 risks like BOLA. The solution offers holistic risk views, developer-first workflows, and synergistic detection by correlating DAST with SAST findings. Its roadmap includes AI-driven API testing and code-informed dynamic testing for enhanced vulnerability management.
2026-06-13 | 2026 | Secure AI-Generated Code at Speed with Snyk and ServiceNow | AI, API Sec | Library integration between Snyk and ServiceNow that streamlines application security for AI-generated code. This partnership offers developers real-time vulnerability detection and automated fixes for AI-generated code, custom code, and dependencies, reducing mean time to remediate by 84% with Snyk DeepCode AI. ServiceNow's workflows automate task assignment and tracking for AppSec teams, providing broad risk visibility and enabling efficient remediation.
2026-06-13 | 2026 | Snyk @ RSAC 2025 | AI, API Sec | Library updates from RSAC 2025 highlighting Snyk's advancements in application security, particularly concerning generative AI. The conference featured discussions on AI's impact on software security and Snyk's role in developing secure AI. Snyk API & Web received a Global InfoSec Award for Most Innovative API Security and was recognized as one of CRN’s 20 Coolest New Cybersecurity Products. Snyk also joined the Coalition for Secure AI (CoSAI) to promote secure and ethical generative AI development. The company also hosted a "Women Leading Security" panel to foster diversity and inclusivity in the industry.
2026-06-13 | 2026 | Introducing the Snyk AI Security Platform | AI | Platform that secures AI-powered development by integrating security directly into AI workflows. It introduces Snyk Assist for real-time secure coding guidance, Snyk Agent Fix for autonomous code remediation, Snyk Studio for integrating security into AI development platforms, and Snyk Guard for adaptive policy enforcement. The platform enhances visibility across AI applications, including API and web app security with AI-powered BOLA detection, and provides intelligent prioritization for identified vulnerabilities.
2026-06-13 | 2026 | Welcome to Snyk Labs: Charting the Course for AI-Native Security | AI | Library for AI-native security: Snyk Labs offers research, technical demos, and prototypes tackling new threats from LLMs and agents. It focuses on AI Security Posture Management (AI-SPM) and developing an AI Bill of Materials (AI BoM), alongside a GenAI Model Risk Registry. Snyk Labs also contributes to LLM security standards with OWASP and participates in initiatives like CoSAI.
2026-06-13 | 2026 | Welcome-to-The New Era of AI-Driven Development | AI | Analysis of AI-driven development security risks, including vulnerabilities in AI-generated code (48% of snippets) and issues from open-source AI tools (32% of developers face problems). This piece highlights package hallucination (over 5% of commercial AI code containing fake packages) and emphasizes the need for evolving security practices beyond traditional "shift left" methods to address the accelerated pace and increased risk introduced by AI coding assistants, advocating for the Snyk AI Trust Platform.
2026-06-13 | 2026 | AI Is Reshaping Software. Is Your Security Strategy Keeping Up? | AI | Framework for AI TrustOps, a readiness model evolving DevSecOps to address new risks from AI-generated code, LLMs, and agents, by focusing on governance, secure design, risk assurance, and culture to build and secure software responsibly without slowing innovation.
2026-06-13 | 2026 | AI Trust in Action: How Snyk Agent Redefines Secure Development | AI | Library for AI-powered vulnerability remediation that blends hybrid AI with rigorous validation. Snyk Agent Fix combines a fine-tuned LLM with static analysis, including DeepCode AI and CodeReduce, to generate and verify fixes before presenting them to developers, achieving over 80% fix accuracy. It keeps customer code private and offers configurable policies for enterprise-grade security guardrails.
2026-06-13 | 2026 | From Risk to Resilience: Achieving HIPAA Standards in Your App | API Sec | Tool for achieving HIPAA compliance in application development: Snyk API & Web automates security scanning to identify vulnerabilities like SQL Injection and Cross-Site Scripting (XSS). It supports continuous security testing, encryption, access controls, and audit trails, essential for protecting electronic protected health information (ePHI) and meeting regulatory requirements.
2026-06-13 | 2026 | Build Fast, Stay Secure: Guardrails for AI Coding Assistants | AI | Library for integrating security into AI coding workflows, focusing on "guardrails" over restrictions. It highlights Snyk's capabilities, including pull request checks, IDE plugins for real-time scanning and auto-remediation, and conditional access controls via endpoint management tools like Microsoft Intune and Jamf, ensuring secure AI code generation from the start. The approach emphasizes developer-friendly adoption through incentives and education, rather than strict mandates.
2026-06-12 | 2026 | The New Threat Landscape: AI-Native Apps and Agentic Workflows | AI | Survey of AI-native application threats including data poisoning, prompt injection, and federated identity gaps, highlighting risks from AI agents and their integration into enterprise software. Discusses vulnerabilities in LLMs and emerging components, the need for secure development workflows, and the challenges in monitoring AI's unpredictable behavior. Mentions Anthropic's Model Context Protocol (MCP) as a standardization effort and Gartner's predictions for AI adoption in enterprise applications and agentic AI integration.
2026-06-12 | 2026 | Building AI Trust with Snyk Code and Snyk Agent Fix | AI | Library for AI-assisted application security: Snyk Code integrates SAST with Snyk Agent Fix, an AI-powered auto-remediation assistant. Snyk Agent Fix generates and validates code fixes autonomously within IDEs and pull requests, boasting 80% accuracy with patented CodeReduce technology. This reduces manual remediation time from hours to seconds, ensuring human- and AI-generated code is secured early in the development lifecycle, with enhanced visibility, prioritization, and policy enforcement capabilities.
2026-06-12 | 2026 | Scan your AI-generated code from Cursor using Model Context Protocol (MCP) | AI | Library for real-time vulnerability detection within Cursor, leveraging Snyk's CLI MCP server for zero-setup interoperability with AI-generated code. This integration enables immediate identification of security issues in code and open-source packages as they are generated, facilitating agile development cycles without compromising security.
2026-06-12 | 2026 | Cursor IDE Malware Extension Compromise in $500k Crypto Heist | AI, Supply Chain | Writeup on the Cursor IDE malware extension compromise, detailing how a malicious "Solidity Language" extension distributed via the Open VSX Registry led to a $500,000 cryptocurrency heist. The attack involved the extension executing a PowerShell script to exfiltrate assets after installation.
2026-06-12 | 2026 | Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware | Supply Chain | Writeup detailing an npm supply chain attack targeting maintainers of popular packages like `eslint-config-prettier` and `eslint-plugin-prettier`. Attackers used typosquatting on `npmjs.com` and spear-phishing to hijack npm registry credentials, leading to the publication of malware-infected versions. Remediation efforts included deprecating malicious packages and publishing fixes. Proactive measures to protect against such attacks include enabling 2FA on npm accounts, using tools like `npq`, and configuring `.npmrc` to ignore postinstall scripts.
2026-06-12 | 2026 | When “Private” Isn't: The Security Risk of GPT Chats Leaking to Search Engines | AI, Secrets | Writeup on the security risk of LLM chats, specifically the ChatGPT "discoverable links" feature that unintentionally exposed sensitive user conversations to search engines like Google and Bing in July 2025. This incident, similar to past issues with Google Bard, highlights the dangers of insecure defaults and insufficient UI consent, leading to unintentional exposure of personal data. Mitigation strategies include disabling search engine discoverability by default, improving UI labeling, applying noindex headers, and organizations deploying enterprise-grade LLMs with DLP tools.
2026-06-12 | 2026 | Secure at Inception: Introducing New Tools for Securing AI-Native Development | AI, Supply Chain | Library introducing three free capabilities to secure AI-native development: Snyk's MCP Server for embedding security into agentic workflows with tools like Cursor and Co-Pilot, Snyk AI-BOM for discovering and governing AI components, and Toxic Flow Analysis (TFA) for detecting novel attack vectors in AI applications, addressing vulnerabilities like prompt injections and MCP rug pulls.
2026-06-12 | 2026 | Snyk Supercharges API Discovery with New Akamai Integration | API Sec | Library integration enhancing API discovery by ingesting API inventories and schemas directly from Akamai. This automates the process of providing API specifications for DAST scanning, overcoming the challenge of manual schema management for Snyk customers. Akamai's discovery capabilities, spanning traffic analysis and source code inspection, feed comprehensive data into Snyk API & Web, enabling single-click API scanning and increased coverage. This empowers joint customers to proactively test and remediate API vulnerabilities.
2026-06-12 | 2026 | From Ideas to Impact: How the Bay Area Is Shaping the Future of Secure AI | AI | Framework for AI readiness, developed by Snyk, offering five pillars: visibility, ownership, secure design, cultural enablement, and continuous assurance. This framework addresses the evolving landscape of AI-powered systems, emphasizing shared accountability and the need for integrated security throughout the development lifecycle. Sessions at Snyk's Lighthouse event highlighted practical strategies for agentic app development, real-time risk modeling, and upskilling teams, with live demonstrations showcasing how tools like Cursor and Snyk can reduce security fix times from hours to minutes. The framework aims to accelerate responsible AI adoption by building trust and implementing smart guardrails from the outset.
2026-06-12 | 2026 | Meeting the AI Mandates with Confidence: Why Federal Teams Trust Snyk | AI | Platform for securing AI development by federal agencies: Snyk helps teams meet new mandates by identifying and fixing vulnerabilities at scale. It integrates with existing workflows and provides credible vulnerability intelligence sourced from CVE and CWE. Key features include Snyk Agent Fix for automated remediation, Snyk Assist for real-time developer support, and support for AIBOMs and Toxic Flow Analysis to address complex AI-specific vulnerabilities like indirect prompt injection.
2026-06-12 | 2026 | Agentic Container Security with Snyk MCP Server | AI, Supply Chain | Library for agentic container security: Snyk MCP Server simplifies vulnerability scanning by integrating with AI coding assistants and IDEs. This tool addresses container security challenges by enabling "shift left" practices, allowing developers to identify and fix Common Vulnerabilities and Exposures (CVEs) and operating system vulnerabilities before committing code. Snyk MCP Server supports scanning container images for OS vulnerabilities and vulnerable open-source application packages, and can be configured within tools like Cursor and Copilot.
2026-06-12 | 2026 | AI Agents in Cybersecurity: Revolutionizing AppSec | AI | Framework for integrating AI agents into cybersecurity operations, detailing their autonomous decision-making, continuous learning, and multi-modal data processing capabilities. It contrasts AI agents with traditional AI, highlights their role in transforming threat detection and incident response, and addresses implementation challenges like blind spots and explainability, referencing frameworks like BDI, Langchain, and CrewAI to foster human-AI collaboration.
2026-06-12 | 2026 | Prioritize with Snyk’s Open Source Vulnerability Experience | Supply Chain | Library view in Snyk's UI that prioritizes open source vulnerability remediation by grouping issues by dependency. This new default view allows users to evaluate the holistic impact of library upgrades, moving beyond individual vulnerability fixes. It aids in making informed decisions by presenting a cost/benefit analysis of resolving multiple vulnerabilities with a single version update, supporting workflows for Maven, .NET, npm, Python, Ruby, and Yarn projects.
2026-06-12 | 2026 | Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident | AI, Supply Chain | Analysis of the Nx malicious package incident, detailing how threat actors weaponized AI coding agents like Claude Code, Gemini CLI, and Amazon's Q with dangerous flags to exfiltrate secrets, credentials, and sensitive data via public GitHub repositories. The attack exploited a flawed GitHub Actions CI workflow and a compromised npm token to inject malware into eight Nx and Nx Powerpack releases on npm, impacting the Nx Console VS Code extension as well.
2026-06-11 | 2026 | What an 'Aha' Moment with an Org Admin Token Taught One DevSecCon Speaker About AI Security | AI, Supply Chain | Talk slides from DevSecCon 2025 detailing how to secure AI-native development pipelines, focusing on the risks introduced by agentic AI and MCP servers. The session highlights the vulnerability of using Org Admin Tokens with GitHub MCP servers, which could lead to extensive data compromise, and proposes a security checklist for these AI tools. Attendees will learn that AI integration into pipelines demands security scrutiny comparable to traditional code and tools, benefiting Platform Engineers, DevOps Engineers, Developers, and Security Professionals.
2026-06-11 | 2026 | npm Supply Chain Attack via Open Source maintainer compromise | Secrets, Supply Chain | Writeup of an npm supply chain attack where a maintainer of popular packages was compromised via phishing. The attacker gained control of the npm account and published malicious versions of packages, targeting crypto transactions by intercepting and modifying ETH values and swap/transfer requests. Affected packages and versions were identified, and a Sindre Sorhus script was provided for checking dependency trees.
2026-06-11 | 2026 | Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack | Secrets, Supply Chain | Analysis of the "Shai-Hulud" npm supply chain attack, revealing widespread compromise of packages like `@ctrl/tinycolor` and `ngx-bootstrap`. This worm-like malware targets cloud credentials, API keys, and CI/CD environments via malicious `postinstall` scripts embedded in compromised packages, exfiltrating secrets through webhooks and GitHub Actions. The attack affected multiple package namespaces and versions, necessitating comprehensive credential rotation and system audits for affected hosts.
2026-06-11 | 2026 | Secure Your AI Workflows: New Governance & Visibility Features from Snyk | AI | Platform features that enhance AI workflow security by providing governance and visibility. The Ignore Approval Workflow allows developers to request that findings be ignored while AppSec teams maintain oversight. CLI Upload persists local scan results for comprehensive risk tracking. Group by Dependency View aids vulnerability prioritization by consolidating issues per dependency. The Export API integrates Snyk data into internal systems for reporting, and Agent Usage to IDE reports track AI coding assistant utilization across environments. New Snyk Learn Reports measure developer education program effectiveness.
2026-06-11 | 2026 | Malicious MCP Server on npm postmark-mcp Harvests Emails | Supply Chain | Library for detecting malicious npm packages, specifically highlighting the `postmark-mcp` package which was modified to exfiltrate email contents via a blind-copy (BCC) to an external domain. This supply chain attack targeted an MCP server, potentially exposing sensitive data and leading to follow-on compromises. Immediate mitigation includes uninstalling the package, rotating credentials, and blocking the reported exfiltration domain. The companion `mcp-scan` tool is recommended for identifying such risks.
2026-06-11 | 2026 | Phishing Campaign Leveraging the NPM Ecosystem | Supply Chain | Library of obfuscated JavaScript payloads and HTML lure files used in a phishing campaign that weaponized the npm ecosystem and the unpkg.com CDN. The attack involved publishing over 175 npm packages with names like `redirect-[a-z0-9]{6}` and a separate cluster using `mad-x.x.x.x.x.x` names. These packages, served via unpkg.com, redirected victims to credential-harvesting sites after opening crafted HTML "business documents," targeting enterprise employees primarily in Europe.
2026-06-11 | 2026 | Beyond the Hype: 5 Major Reasons to Attend DevSecCon 2025 | AI | Workshop slides from DevSecCon 2025 covering AI's impact on software development, including securing AI-generated code, empowering developers with guardrails, proving program success through metrics, and extending security to AI-powered applications like LLMs and agents. The event aims to equip leaders with strategies for scaling businesses securely in the age of AI.
2026-06-11 | 2026 | Snyk and Cognition partner to enhance security for AI-native development | AI | Library integrations, Snyk for Devin and Snyk for Windsurf, that embed Snyk Studio's security intelligence into Cognition's AI-native developer tools. These integrations offer real-time security scanning within development workflows, enabling accelerated agent-led remediation by AI agents like Devin and Windsurf. This partnership aims to scale security processes alongside AI-driven development velocity, reducing security backlogs and improving resource allocation by automating routine fixes.
2026-06-11 | 2026 | Why We Built Evo — From My Heart | AI | Library: Evo by Snyk is the world's first Agentic Security Orchestrator, designed to address the evolving security challenges posed by AI-native systems. It proactively defends against threats like model supply chain attacks, memory abuse, prompt manipulation, and agent escalation. Evo observes AI attack surfaces, orients risk with contextual intelligence, and automatically enacts response plans using specialized AI security agents. This approach aims to integrate security seamlessly into AI development, enabling innovation without compromising safety.
2026-06-11 | 2026 | DevSecCon 2025 Recap: Securing the AI Revolution Together | AI | Library for securing AI-accelerated DevSecOps, focusing on shifting security left to the developer's first prompt. It introduces capabilities for improved IDE and pull request experiences, enhanced asset visibility and risk-based prioritization for AppSec teams, and a new dependency view in Snyk Open Source. The library also details Evo by Snyk, an agentic security orchestration system for AI-native applications, and highlights a partnership with Cognition to embed security intelligence directly into AI workflows.
2026-06-11 | 2026 | Snyk Studio: Now for All Customers, Powering Secure AI Development at Scale | AI | Library for securing AI-driven development: Snyk Studio now empowers all customers with enterprise-wide rollout capabilities via Jamf and a VS Code extension. It embeds security intelligence directly into AI coding assistants like Cursor and Copilot, enabling "Secure at Inception" through automatic code scanning and remediation directives for new code. This approach aims to prevent vulnerabilities from being introduced and addresses existing security debt through conversational remediation, significantly accelerating backlog clearance.
2026-06-11 | 2026 | The Agentic OODA Loop: How AI and Humans Learn to Defend Together | AI | Library: Evo functions as an agentic security orchestrator, enabling human and AI collaboration to defend agentic systems at machine speed. It embodies the OODA loop by perceiving AI architecture, reasoning about risks, orchestrating security workflows, and learning continuously from human engineers and system behavior. Evo amplifies AI Security Engineers, reducing time spent on tactical tasks like scanning models and correlating alerts, allowing them to focus on strategic work and apply lessons automatically across systems.
2026-06-11 | 2026 | Secure by Design: The Future of Threat Modeling for AI-Native Applications | AI | Library for continuous, automated threat modeling of AI-native applications, including LLMs and autonomous agents. Evo by Snyk directly connects to code, cloud infrastructure, and runtime data to generate dynamic system models that update with software evolution, eliminating drift. It provides contextual, actionable mitigations for vulnerabilities such as prompt injection, data exfiltration via AI models, and data poisoning, integrating into CI/CD pipelines for a secure-by-design workflow.
2026-06-11 | 2026 | Automated Package-Publication Incident IndonesianFoods in the NPM Ecosystem Linked to Crypto Reward-Farming Scam | Supply Chain | Library for detecting automated package publication incidents in the NPM ecosystem, like the "IndonesianFoods" campaign, which involved bulk publishing of low-download packages, often reusing code templates, linked to cryptocurrency reward schemes. It emphasizes automated dependency-health guards, behavior-based scanning, and registry monitoring to proactively flag suspicious activity before it enters the build, referencing tools such as Snyk Open Source and Snyk Code.
2026-06-10 2026Snyk and Continue Partner to Embed AI-Powered Security into Every Step of the Developer WorkflowAILibrary integrating Snyk and Continue automates security scans for code, dependencies, IaC, and containers using natural language commands within the developer workflow. This partnership enables faster vulnerability remediation through AI-generated, validated code fixes and proactive policy enforcement, allowing developers to address security without context switching. The integration supports Snyk's SAST, SCA, and IaC security tools directly in IDEs and CLIs, aiming to make "secure by default" a reality.
2026-06-10 2026Beyond Automation: Securing Low-Code Agentic AI with MCP GuardrailsAILibrary for securing low-code agentic AI, MCP Guardrails standardizes AI agent interaction with external tools via the Model Context Protocol (MCP). It incorporates a scanner layer for validating code, data, and commands, and an observability layer for comprehensive logging and traceability. This approach, supported by Toxic Flow Analysis (TFA), integrates static configuration data with dynamic runtime information to proactively detect vulnerabilities and mitigate risks like indirect prompt injection in autonomous AI systems.
2026-06-10 2026Why Threat Modeling Is Now Even More Critical for AI-Native ApplicationsAIReference of AI-native threat modeling practices, emphasizing the shift from manual, static workshops to continuous, adaptive processes. It details new attack surfaces like data poisoning and adversarial attacks, the unpredictable behavior of AI models, and the challenges of rapid deployment cycles, regulations like the EU AI Act, and complex ecosystems. The article advocates for automated asset discovery, dynamic risk modeling, and integrated remediation to maintain security posture at the speed of AI development.
2026-06-10 2026How Snyk Studio for Qodo Is Closing the AI Security GapAILibrary integrating Snyk's security intelligence with Qodo's Agentic Code Quality Platform. Snyk Studio for Qodo embeds security directly into the AI development workflow, leveraging Snyk's SAST and SCA engines. This allows developers to identify and fix vulnerabilities as they code within their IDE. The solution also addresses existing security debt through natural language prompts and automated remediation, aiming to resolve issues in minutes and accelerate secure AI-driven development at scale.
2026-06-10 2026Scaling AI Security: How Evo Complements New Agentic ToolsAILibrary for scaling AI security, Evo by Snyk, complements agentic tools like OpenAI's Aardvark by offering stable, reproducible findings and integrating security earlier in the development lifecycle. It provides multi-layer AI threat detection, mature dynamic testing (DAST) and software composition analysis (SCA) engines, and native governance features to support enterprise workflows and compliance without unpredictable token-based costs.
2026-06-10 2026SHA1-Hulud, npm supply chain incidentSupply ChainWriteup of the SHA1-Hulud npm supply chain incident, a worm that infiltrates npm packages with hidden preinstall scripts. This advanced second wave of the Shai-Hulud attack targets developers and CI systems, deploying payloads that turn compromised machines into attacker-controlled GitHub Actions runners. It silently injects malicious workflows, exfiltrates GitHub and npm secrets, and harvests cloud credentials from AWS, Azure, and GCP, enabling remote command execution and broad system compromise. Some variants include destructive wiper capabilities.
2026-06-10 2026Snyk Log Sniffer: AI-Powered Audit Log Insights for Security LeadersAITool for AI-powered analysis of Snyk audit logs, transforming raw data into actionable intelligence for security and engineering leaders. Log Sniffer leverages Google Gemini AI to provide executive summaries, answer security questions in natural language, and monitor audit events in real-time. It seamlessly integrates with the Snyk API, offering intelligent filtering and transforming complex security events into understandable insights, improving decision-making and risk mitigation.
2026-06-10 2026When Speed Meets Security: Snyk Studio for KiroAILibrary integration embedding Snyk Studio into Amazon Kiro’s agentic IDE, allowing developers to prevent new security risks at inception. This integration runs `snyk_code_scan` for generated code, attempts fixes with context from Snyk scans, and rescans to ensure resolution. It also addresses existing vulnerabilities through natural language prompts, identifying issues across code, dependencies, and IaC, then validating AI-generated fixes.
2026-06-10 2026Run AutoMCP To Supercharge Your AI Agent with Libraries MCP ServersAITool for automating Model Context Protocol (MCP) server setup in AI-driven development environments. AutoMCP, an npm command-line tool, detects coding tools and project dependencies to configure MCP servers, enabling AI agents to autonomously run Snyk scans for early vulnerability detection. This integration, facilitated by Snyk Studio, embeds security directly into AI-assisted workflows, ensuring both human-written and AI-generated code is secure.
2026-06-10 2026Security Advisory: Critical RCE Vulnerabilities in React Server Components (CVE-2025-55182)DeserRCEAdvisory detailing CVE-2025-55182, a critical RCE vulnerability affecting React 19 and Next.js versions through unsafe deserialization in the React Server Components (RSC) "Flight" protocol. Exploitation requires a single crafted HTTP request and impacts any framework embedding RSC, including Vite and Parcel plugins. Immediate patching of React and Next.js is recommended, alongside validation of third-party frameworks and implementation of defense-in-depth controls like runtime sandboxing and WAF rules.
2026-06-10 · How Snyk Helps Federal Agencies Prepare for the Genesis Mission Era of AI-Driven Science (2026) · Topics: AI, Supply Chain · Overview of how Snyk supports federal agencies running AI-driven scientific missions: visibility into the open source libraries, containers and IaC templates in their software supply chains; security integrated into CI/CD, model-training and data pipelines so that vulnerabilities and misconfigurations are caught before deployment; and cloud and container security for AI compute, including misconfiguration detection and container image scanning. Automated fix recommendations and IDE plug-ins put security in the developer workflow, operationalizing "secure by design" in line with federal expectations such as Secure by Design, NIST SP 800-218 (SSDF) and EO 14028.
2026-06-10 · Old AI Security vs Evo: Watch Agentic Security Replace Weeks of Manual Work (2026) · Topics: AI · Overview of Evo by Snyk, an agentic security orchestrator for AI-native applications that addresses threats such as prompt injection, data poisoning and supply chain risk. It automates workflows including AI Bill of Materials (AI-BOM) generation, the MCP Scan CLI for identifying risky components, and continuous AI red teaming that keeps pace with changing AI systems, contrasted with traditional manual application security methods.
2026-06-10 · Evo Adds CycloneDX Support to Give Full AI Visibility (2026) · Topics: AI, Supply Chain · Announcement of CycloneDX support in Evo's Discovery Agent, which now produces standardized AI-BOMs based on CycloneDX 1.6 AI ModelCards. These record model provenance, licensing, architecture (for example transformer or CNN), learning approach (supervised, self-supervised) and implementation paths, giving a centralized inventory that tracks model origins from sources such as Hugging Face and exposes model type and task domain so that AI governance becomes actionable.
2026-06-10 · The Holiday Whisper: Shai-Hulud 3.0 (2026) · Topics: Supply Chain · Analysis of Shai-Hulud 3.0, also called "The Golden Path", an evolved variant of the npm worm found in `@vietmoney/react-big-calendar` version 0.26.2. This iteration emphasizes stealth and cross-platform compatibility, refining its logic and re-obfuscating the code from source to evade detection; it exfiltrates to GitHub repositories carrying a specific description and has improved error handling. The attackers timed the campaign for the holiday period and for the npm ecosystem's transition to trusted publishing. Recommended structural hardening: disable lifecycle scripts, enforce lockfile-only installs, apply a cooldown period before adopting new package versions, and audit outbound egress.
2026-06-10 · Secure by Default: Why Snyk and Augment Code are the New Standard for AI Development (2026) · Topics: AI · Partnership announcement: Snyk's security intelligence embedded in Augment Code's AI development platform, providing real-time scanning as code is written, agent-led remediation of identified vulnerabilities, and governance at scale through custom Snyk rules applied to AI-generated code. The stated goal is to make "Secure by Default" real for AI-driven development, reducing mean time to remediate and removing security as a manual bottleneck.
2026-06-10 · Beyond Detection: Building a Resilient Software Supply Chain (Lessons from the Shai-Hulud Post-Mortem) (2026) · Topics: Supply Chain · Post-mortem lessons from the Shai-Hulud npm incident, laid out as a multi-layered supply chain defense. Prevention: Snyk Studio for AI-assisted secure coding, a 21-day cooldown before upgrading to a new dependency version, and Package Health Intelligence. Detection: proactive retesting and shift-left scanning with the Snyk CLI. Remediation: assessing risk exposure, zero-day visibility and workflow automation such as ticket creation, so that organizations can respond to threats like compromised credentials and malicious exfiltration scripts.
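Two of the hardening steps named in the Shai-Hulud 3.0 and post-mortem entries above, lockfile-only installs and a cooldown before adopting a new version, can be checked mechanically before `npm ci` runs. The script below is an added example written for this page, not Snyk's code or any project's: it reads an npm `package-lock.json`, looks up each pinned version's publish date, and flags versions that appear on a block list or are younger than the cooldown window. The lockfile, the publish timestamps and the block list are constructed sample data; in a real run the timestamps come from the `time` map in the registry's package metadata.

```python
"""Audit an npm lockfile against a compromised-version list and a publish cooldown.

Added example for the appsec.fyi index; not code from Snyk or from any package named
on the page. Package names, versions and publish dates are constructed sample data.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json (lockfileVersion 3): keys of "packages" are
# node_modules paths; "" is the root project itself.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-widget": "^1.2.0", "evil-helper": "*"}},
        "node_modules/left-widget": {"version": "1.2.3"},
        "node_modules/evil-helper": {"version": "0.9.1"},
        "node_modules/fresh-lib": {"version": "4.0.0"},
    },
})

# Constructed stand-in for each package's registry "time" map (version -> publish time).
SAMPLE_PUBLISH_TIMES = {
    "left-widget": {"1.2.3": "2026-01-10T12:00:00Z"},
    "evil-helper": {"0.9.1": "2026-05-30T08:00:00Z"},
    "fresh-lib": {"4.0.0": "2026-06-05T09:30:00Z"},
}

# Constructed block list in the shape an advisory feed would give: name -> bad versions.
SAMPLE_BLOCKLIST = {"evil-helper": {"0.9.1"}}

# Fixed "now" so the demo is reproducible; a real run uses datetime.now(timezone.utc).
DEMO_NOW = datetime(2026, 6, 10, tzinfo=timezone.utc)


def parse_lockfile(text):
    """Return {package name: pinned version} for every installed package (v2/v3 lockfile)."""
    data = json.loads(text)
    installed = {}
    for path, entry in data.get("packages", {}).items():
        if path == "":
            continue  # root project, not a dependency
        # Nested installs look like node_modules/a/node_modules/b; keep the last segment,
        # which preserves scoped names such as @scope/pkg.
        name = path.rsplit("node_modules/", 1)[-1]
        installed[name] = entry.get("version")
    return installed


def audit_lockfile(lock_text, publish_times, blocklist, cooldown_days, now):
    """Flag block-listed versions and versions published inside the cooldown window."""
    findings = []
    cutoff = now - timedelta(days=cooldown_days)
    for name, version in parse_lockfile(lock_text).items():
        if version in blocklist.get(name, set()):
            findings.append((name, version, "known-malicious version"))
        published = publish_times.get(name, {}).get(version)
        if published is None:
            findings.append((name, version, "no publish record for this version"))
            continue
        when = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if when > cutoff:
            age = (now - when).days
            findings.append((name, version, f"published {age}d ago, inside {cooldown_days}d cooldown"))
    return findings


def demo_findings():
    """Run the audit over the constructed data with a 21-day cooldown."""
    return audit_lockfile(SAMPLE_LOCKFILE, SAMPLE_PUBLISH_TIMES, SAMPLE_BLOCKLIST, 21, DEMO_NOW)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Pair the check with `npm ci --ignore-scripts` so that the install itself neither drifts from the lockfile nor runs `preinstall`/`postinstall` hooks; a cooldown finding is a reason to wait, not to pin an older version blindly, since the older version may be the one carrying the advisory.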
2026-06-10 · ServiceNow's Virtual Agent Vulnerability Shows Why AI Security Needs Traditional AppSec Foundations (2026) · Topics: AI, AuthN, AuthZ · Argument that securing agentic AI applications starts from foundational application security, not AI-specific controls alone. The ServiceNow Virtual Agent vulnerability stemmed from broken API authentication and excessive agent privileges, not from novel AI weaknesses. The recommended layered approach combines agent-aware threat modeling before deployment, DAST with LLM-enhanced authorization testing to find classic vulnerabilities, and AI red teaming to reveal the high-impact paths that autonomous agents open, grounded in least privilege and strong API identity verification.
2026-06-10 · Live From Davos: The End of Human-Speed Security (2026) · Topics: AI · Report, "The End of Human-Speed Security: Defense in the Age of AI Agents", on the shift to AI operating as quasi-autonomous agents, which 50% of surveyed security leaders say is already their reality. It covers the weaponization of AI, citing state-backed attacks involving Anthropic, and the "visibility crisis" created when AI adoption happens outside monitored systems, and calls for industry standards and machine-speed defense in place of manual security processes.
2026-06-10 · Introducing the AI Security Fabric: Empowering Software Builders in the Era of AI (2026) · Topics: AI · Introduction of the Snyk AI Security Platform, which operationalizes a prescriptive path in three parts: fortify the traditional software supply chain for AI-accelerated DevSecOps, secure AI-driven development by embedding security in coding assistants through Snyk Studio, and defend AI-native applications with the agentic security orchestrator Evo by Snyk. The aim is security woven into every stage of software creation, adapting to dynamic systems and operating at machine speed.
2026-06-10 · The Prescriptive Path to Operationalizing AI Security (2026) · Topics: AI · Framework: the Prescriptive Path, an opinionated operating model for AI security with three phases, Stabilize, Optimize and Scale. It emphasizes outcomes over individual tools or checklists and guides organizations from foundational visibility and guardrails for AI-generated code to faster remediation and autonomous defense in AI-native systems, with the goals of building trust, reducing real risk and sustaining governance.
2026-06-10 · Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Study of Agent Skills Supply Chain Compromise (2026) · Topics: AI, Supply Chain · Study ("ToxicSkills") of the agent-skills supply chain: Snyk scanned 3,984 skills from ClawHub and found 13.4% with critical flaws such as malware and prompt injection. Its detectors, built on the mcp-scan engine, achieved 90-100% recall on confirmed malicious skills with 0% false positives on legitimate ones. Observed techniques include external malware distribution, obfuscated data exfiltration and disabling of security controls.
2026-06-09 · 280+ Leaky Skills: How OpenClaw & ClawHub Are Exposing API Keys and PII (2026) · Topics: AI, Secrets · Research writeup on how AI agent skills distributed through OpenClaw and ClawHub leak API keys and PII: 283 vulnerable skills were found in the ClawHub marketplace, with worked examples such as `moltyverse-email`, `buy-anything`, `prompt-log` and `prediction-markets-roarin`. The root cause is skill instructions that lead agents to mishandle secrets, passing them through the LLM context window or writing them to plaintext logs. `mcp-scan` and Snyk AI-BOM are suggested for auditing and remediation.
2026-06-09 · How a Malicious Google Skill on ClawHub Tricks Users Into Installing Malware (2026) · Topics: AI, Supply Chain · Analysis of "google-qx4", a malicious Google skill on ClawHub whose SKILL.md socially engineered users, through the agent, into installing malware. The technique sidesteps traditional AppSec controls by relying on agent-driven social engineering and legitimate-looking hosts such as Rentry and GitHub, confirming the predictions of the "ToxicSkills" research. Suggested defenses are `mcp-scan` for skill analysis, Snyk AI-BOM for inventory, and Evo by Snyk for monitoring agent behavior and blocking malicious command execution.
2026-06-09 · Why Your "Skill Scanner" Is Just False Security (and Maybe Malware) (2026) · Topics: AI, Supply Chain · Argument that regex-based "skill scanners" give false security: mcp-scan (part of Snyk's Evo platform) instead uses a specialized LLM to understand the intent and capabilities of SKILL.md files. Keyword matching fails against natural-language variation, prompt injection and contextual risk, whereas behavioral analysis can detect data exfiltration or attempts to override safety instructions. The post contrasts this with SkillGuard, Skill Defender and Agent Tinman, which it says have shown limitations.
2026-06-09 · From Acceleration to Exposure: Why AI Demands Mature AppSec (2026) · Topics: AI · Article on how immature application security practices, combined with AI-driven development, scale existing risk and amplify exposure. Autonomy compounds errors in code, dependencies and configuration faster than traditional visibility and detection can follow. Mature AppSec, built on enforceable policies and continuous assurance, lets organizations use AI's acceleration without giving up oversight or trust, turning a potential liability into an accelerator.
2026-06-09 · The Future of AI Agent Security Is Guardrails (2026) · Topics: AI · Argument that guardrails, not smarter models, are the future of protecting autonomous agents from unintended actions such as credential exfiltration or unauthorized command execution. Guardrails are security checkpoints inside the agent's execution pipeline: access hooks that enforce least privilege, pre-execution hooks that sanitize tool calls (blocking prompt injection and enforcing input validation), and post-execution hooks that filter LLM output. Together they form a dynamic defense against the weaknesses agentic AI exposes, as seen with OpenClaw.
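The three hook points described in the guardrails entry above can be shown as a small pipeline wrapped around every tool call. The code below is an added example for this page, a generic illustration of the pattern rather than code from Snyk, OpenClaw or any agent framework named here; the roles, tool names, allowlists, secret patterns and the canned tool outputs are all constructed for the demo.

```python
"""Guardrail hooks around an agent's tool calls: access, pre-execution, post-execution.

Added example for the appsec.fyi index; not code from Snyk, OpenClaw or any agent
framework. Roles, tools, allowlists and sample outputs are constructed for the demo.
"""
import posixpath
import re


class GuardrailViolation(Exception):
    """Raised by a hook to stop a tool call before it runs."""


# Access hook data: the tools each agent role may call at all (least privilege).
ROLE_ALLOWLIST = {
    "triage-bot": {"read_file", "search_issues"},
    "dev-agent": {"read_file", "run_shell", "http_get"},
}

# Pre-execution limits: permitted egress hosts, shell programs, and the file sandbox.
ALLOWED_HOSTS = {"api.internal.example"}
ALLOWED_SHELL_PROGRAMS = {"ls", "cat", "grep", "git"}
SHELL_METACHARS = re.compile(r"[|;&`$<>\n]")   # chaining, substitution, redirection
WORKSPACE = "/workspace"

# Post-execution filter: secret shapes that must not flow back into the model context.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                 # AWS access key ID
    re.compile(r"ghp_[A-Za-z0-9]{36}"),              # GitHub classic PAT
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
]


def access_hook(role, tool):
    """Least privilege: the role must be allowed to call this tool at all."""
    if tool not in ROLE_ALLOWLIST.get(role, set()):
        raise GuardrailViolation(f"{role} may not call {tool}")


def pre_execution_hook(tool, args):
    """Input validation: reject calls whose arguments reach outside the sanctioned scope."""
    if tool == "run_shell":
        cmd = args["cmd"]
        if SHELL_METACHARS.search(cmd):
            raise GuardrailViolation("shell chaining, substitution or redirection not allowed")
        program = cmd.split()[0] if cmd.split() else ""
        if program not in ALLOWED_SHELL_PROGRAMS:
            raise GuardrailViolation(f"program not allowed: {program!r}")
    elif tool == "http_get":
        m = re.match(r"https?://([^/:?#]+)", args["url"])
        if not m or m.group(1).lower() not in ALLOWED_HOSTS:
            raise GuardrailViolation(f"egress to non-allowlisted host: {args['url']}")
    elif tool == "read_file":
        target = posixpath.normpath(posixpath.join(WORKSPACE, args["path"]))
        if not target.startswith(WORKSPACE + "/"):
            raise GuardrailViolation(f"path escapes workspace: {args['path']}")


def post_execution_hook(output):
    """Output filter: redact secret-shaped substrings before the result re-enters the LLM."""
    for pattern in SECRET_PATTERNS:
        output = pattern.sub("[REDACTED]", output)
    return output


def guarded_call(role, tool, args, execute):
    """Run one tool call through all three hooks; `execute` is the real tool function."""
    access_hook(role, tool)
    pre_execution_hook(tool, args)
    return post_execution_hook(execute(tool, args))


def is_blocked(role, tool, args, execute):
    """True when any hook refuses the call (used to check the policy, not to run tools)."""
    try:
        guarded_call(role, tool, args, execute)
    except GuardrailViolation:
        return True
    return False


def fake_tool(tool, args):
    """Constructed stand-in for real tool execution; returns canned outputs."""
    if tool == "run_shell":
        return "app.py\n.env\n"
    if took_is_read := (tool == "read_file"):
        return "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    return "ok"
```

The access hook is the cheapest check and runs first, so a triage bot never gets as far as argument parsing for a tool it should not have; the pre-execution hook refuses shell metacharacters outright rather than trying to sanitize them, because a tool that needs pipes should be a separate, narrower tool; and the output filter is the last line, catching secrets that an allowed `cat .env` legitimately returned.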
2026-06-09 · Weaving Security into the Flow: New Snyk Studio Capabilities Power the AI Security Fabric (2026) · Topics: AI · Announcement of new Snyk Studio capabilities for securing AI-driven development: integrations with Gemini CLI and Claude Code, streamlined setup, real-time security guardrails, and Remediation Directives that open automated pull requests to fix vulnerabilities. New governance and control features, including an Adoption report, let enterprises manage and scale AI development securely as part of the AI Security Fabric.
2026-06-09 · Securing the Agent Skill Ecosystem: How Snyk and Vercel Are Locking Down the New Software Supply Chain (2026) · Topics: AI, Supply Chain · Description of Snyk's integration with Vercel's skills.sh marketplace, which runs automated security analysis on AI agent skills. A multi-layer approach combines LLM-based judges with deterministic rules to find vulnerabilities in both code and natural-language instructions, including "toxic flows" and prompt injection. The system targets high recall on malicious skills with zero false positives, shows a "Security Verified" badge on skill pages, and monitors continuously as the threat landscape changes.
2026-06-09 · How "Clinejection" Turned an AI Bot into a Supply Chain Attack (2026) · Topics: AI, Supply Chain · Writeup of the "Clinejection" vulnerability chain, discovered by Adnan Khan, in which indirect prompt injection against an AI triage bot was combined with GitHub Actions cache poisoning to reach production credentials and publish a malicious Cline CLI release to npm that installed the OpenClaw AI agent. The analysis shows how combined weaknesses, including credential-model flaws and dangling commits, create serious risk in CI/CD pipelines, and argues for closer security collaboration.
2026-06-09 · Claude Code Security: A Welcome Evolution in the Remediation Loop (2026) · Topics: AI · Commentary on Claude Code Security as an evolution of the remediation loop: LLM-native capabilities combined with deterministic validation and operational automation. AI reasoning handles discovery while enforcement mechanisms address the vulnerabilities AI-assisted development introduces, including injection risks and business logic flaws. The approach spans AI-accelerated DevSecOps, automated remediation directives for AI-driven development, and visibility and policy enforcement for AI-native applications, with the aim of closing the detection-to-remediation loop reliably.
2026-06-09 · Fetch the Flag CTF 2026: Official Challenge Write-Ups & Community Highlights (2026) · Topics: AI, Bug Bounty, Talks · Writeups from the Fetch the Flag CTF, covering community solutions to over 30 web, binary and exploitation challenges alongside the official challenge write-ups and a CTF 101 workshop for newcomers. Challenges included VulnScanner, Plantly and Echo, and the event drew thousands of participants worldwide.
2026-06-09 · Snyk and uv, Better Together (2026) · Topics: AI, Python · Announcement pairing uv, a high-performance Python package manager, with Snyk. uv's native CycloneDX SBOM export lets Snyk scan dependencies for vulnerabilities and license compliance, and the Snyk CLI and IDE integrations gain native uv support, so that AI-native Python applications get built-in security without trading away speed.
2026-06-09 · The Rise of the AI Security Engineer: A New Discipline for an AI-Native World (2026) · Topics: AI · Survey of the emerging AI Security Engineer role, its responsibilities and the mindset it requires. The discipline addresses threats such as prompt injection, memory exploitation, model poisoning and agent hijacking, which strain traditional security models because AI systems are non-deterministic, and calls for an adaptive builder-defender approach operating at machine speed.
2026-06-09 · The 89% Problem: How LLMs Are Resurrecting the "Dormant Majority" of Open Source (2026) · Topics: Supply Chain · Description of a package health database that links open source intelligence with security, popularity, maintenance and community-engagement data for developers and AI agents. It targets the "Dormant Majority" of abandoned open source projects that AI systems recommend because of training-data bias, helps avoid insecure choices such as the archived `gorilla/sessions` package, and mitigates AI package hallucinations and slopsquatting by enforcing dependency safety at the moment a dependency is introduced.
2026-06-09 · Securing the Agent Skills Registry: How Snyk and Tessl Are Setting the Standard (2026) · Topics: AI · Description of Snyk's security scanning in the Tessl Registry for agent skills, which detects prompt injection, malware and toxic-flow patterns by analyzing natural-language instructions alongside code. Real-time security scores appear on skill pages and in search results; new skills are scanned automatically and existing ones backfilled, giving developers visibility before installation. The work draws on Snyk's malicious-skill research and Snyk Learn lessons on agent goal hijack.
2026-06-09 · I Read Cursor's Security Agent Prompts, So You Don't Have To (2026) · Topics: AI · Review of Cursor's open-source prompts for autonomous security agents, which review thousands of pull requests weekly and surface hundreds of vulnerabilities. The prompts assign a clear role, goal, methodology and priority list, showing that concise instructions can drive effective security review by drawing on LLMs' knowledge of common vulnerabilities such as SQL injection and unsafe deserialization, within a production-grade agent orchestration platform.
2026-06-09 · AI Is Building Your Attack Surface. Are You Testing It? (2026) · Topics: AI · Argument for intelligent dynamic testing of AI-generated code and AI agents, focused on confirming real exploitability, in particular BOLA and IDOR flaws in the APIs that agents call. Static analysis findings are correlated with dynamic results to prioritize high-confidence fixes; undocumented API endpoints are discovered and coverage is continuous within the development pipeline, separating real vulnerabilities from noise so that developers can ship with confidence.
2026-06-09 · The Next Era of AppSec: Why AI-Generated Code Needs Offensive Dynamic Testing (2026) · Topics: AI · Argument for offensive dynamic testing of AI-generated code: static analysis, including agentic AI-driven analysis, combined with the ability to observe and exploit vulnerabilities in live distributed systems. This grey-box approach correlates runtime exploitability with the precise code-level origin for faster remediation and is aimed at emergent threats in AI-generated code and complex microservice architectures.
2026-06-09 · Introducing Agent Security (2026) · Topics: AI · Introduction of Agent Security in Evo AI-SPM: visibility, intelligence and enforcement across the AI lifecycle. It discovers AI components in code and workflows, assesses their risk and enforces policy against unsafe configurations and behaviors. Features include Agent Scan for vetting agent dependencies, Snyk Studio for AI-generated code, Agent Guard for real-time behavior monitoring, Agent Red Teaming for attack simulation, and Snyk API & Web for dynamic testing against issues such as BOLA.
2026-06-09 · How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM (2026) · Topics: Python, RCE, Supply Chain · Analysis of how a poisoned Trivy security scanner became the key to backdooring the LiteLLM Python package, specifically versions 1.82.7 and 1.82.8. The malicious code was delivered either by direct source injection or through a `.pth` file and performed credential theft, data exfiltration protected with AES-256 and RSA, persistence through systemd services, and Kubernetes lateral movement. The chain is attributed to TeamPCP on the basis of consistent infrastructure and an RSA public key shared with the earlier Trivy and KICS compromises.
2026-06-09 · From Discovery to Defense: Why AI Red Teaming Is the Next Step After AI-SPM (2026) · Topics: AI · Argument that AI red teaming and dynamic security testing (DAST) are converging: DAST's exhaustive coverage combined with the contextual reasoning of AI-driven pentesting finds complex business-logic and authorization flaws that arise from component interactions or emergent AI behavior such as prompt injection. Correlating runtime exploitability with source code context yields more accurate findings and simpler remediation than static analysis alone.
2026-06-09 · Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT (2026) · Topics: RCE, Supply Chain · Analysis of the supply chain attack on the `axios` npm package: malicious versions `1.14.1` and `0.30.4` were briefly published with a hidden dependency, `plain-crypto-js`, that deployed a cross-platform RAT. The attackers used a compromised maintainer account and a purpose-built malicious dependency whose postinstall script concealed its presence and delivered platform-specific payloads for macOS, Windows and Linux.
2026-06-08 · Building AI Security with Our Customers: 5 Lessons from Evo's Design Partner Program (2026) · Topics: AI · Five lessons from the Evo design partner program on securing generative AI. Evo AI-SPM addresses AI sprawl and shadow AI with a Discovery Agent that finds models and agents, Custom Discovery for bespoke AI implementations that standard tools miss, and Snyk Generated Policies that are enforced continuously. The Risk Intelligence Agent supplies actionable risk signals for models, agents and MCP servers, and the Policy Agent enforces policy in CI/CD pipelines and in day-to-day operation of AI components.
2026-06-08 · You Patched LiteLLM, But Do You Know Your AI Blast Radius? (2026) · Topics: AI · Argument that patching LiteLLM is not the end of the incident without knowing the AI blast radius: mapping model gateways such as LiteLLM, the providers and models they route to, and the tools, APIs and agent workflows connected to them reveals exposure that dependency analysis misses and shows incident responders what the compromised component actually reached.
2026-06-08 · Secure What Matters: Scaling Effortless Container Security for the AI Era (2026) · Topics: AI · Snyk Container updates: automated registry monitoring and customizable import and pruning rules for inventory management, plus beta features for a unified platform experience, vulnerability prioritization driven by runtime intelligence from third-party signals, and support for multiple profiles in complex environments, aimed at scalable visibility and automated remediation at the pace of agentic AI.
2026-06-08 · Governing Security in the Age of Infinite Signal – From Discovery to Control (2026) · Topics: AI · Analysis of AI's impact on application security, in particular the vulnerability-discovery capabilities of Anthropic's Claude Mythos, arguing that the real shift is from detection to control and governance: AI reasoning does not remove the need for deterministic enforcement, consistent policy and auditable risk. Enterprises must govern both AI-generated code and the AI tools in their software supply chain, combining AI models, deterministic rulesets and human expertise.
2026-06-08 · Hardcoding Security into Every Commit: The Future of Snyk Secrets (2026) · Topics: Secrets · Roadmap for Snyk Secrets, a hardcoded-secret detector aimed at the "secret sprawl" that AI-generated code and autonomous agents produce. It combines AI-powered semantic and contextual analysis with custom regex for high-precision detection, runs in IDEs and CLIs for real-time prevention and in PR checks for merge-time detection, and adds unified reporting and ignore-approval workflows within Snyk's AI Security Platform; the ServiceNow "Bodysnatcher" incident is cited as the kind of exposure it targets.
2026-06-08 · Introducing the New Agentic Architecture for Snyk Agent Fix: Faster, Smarter, and More Secure (2026) · Topics: AI · Description of the new agentic architecture for Snyk Agent Fix, which moves from static fine-tuning to dynamic few-shot prompting backed by Snyk's security intelligence, including a database of over 35,000 vulnerabilities with expert-written fixes, and frontier models such as Anthropic's. Benchmarks measure security integrity (Pass@1/Pass@5), functional correctness and golden tests; agentic retries adapt to initial failures, and coverage extends to every language Snyk Code supports.
2026-06-08 · Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomining (2026) · Topics: AuthN, RCE · Writeup of two authentication bypasses in the Qinglong task scheduler (CVE-2026-3965, CVE-2026-4047) that allowed unauthenticated remote code execution and were exploited in the wild for cryptomining. Attackers either reset credentials or bypassed authentication outright because protected paths were matched case-sensitively, then injected scripts that downloaded and ran a cryptominer binary. Recommendations: audit middleware, treat self-hosted panels as attack surface, monitor resource usage, and keep Docker images updated.
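The case-sensitivity bypass in the Qinglong entry above is a general bug class: an authentication middleware compares the raw request path against a protected list, while the router behind it normalizes case (Express routes case-insensitively by default), so `/API/crons` skips the check and still reaches the handler. The script below is an added example written for this page to illustrate that class; it is not Qinglong's code, and the routes, the protected list and the session check are constructed. It shows the vulnerable check, a deny-by-default replacement that normalizes the path the same way the router does, and a percent-encoded variant of the same bypass.

```python
"""Auth bypass via case-sensitive path matching in front of a case-insensitive router.

Added example for the appsec.fyi index, illustrating the bug class in the Qinglong
writeup; not Qinglong's code. Routes, protected prefixes and the token are constructed.
"""
from urllib.parse import unquote

# Constructed application: the routes the router knows about.
ROUTES = {
    "/api/crons": "crons_handler",
    "/api/envs": "envs_handler",
    "/api/user/login": "login_handler",
}
# The middleware's idea of what needs a session (vulnerable variant) ...
PROTECTED_PREFIXES = ("/api/crons", "/api/envs")
# ... and the only paths that may skip auth (deny-by-default variant).
PUBLIC_PATHS = {"/api/user/login"}


def canonical(path):
    """Normalize the way a lenient router does: percent-decode, lowercase,
    collapse duplicate slashes, drop the trailing slash."""
    p = unquote(path).lower()
    while "//" in p:
        p = p.replace("//", "/")
    return p.rstrip("/") or "/"


def route(path):
    """Case-insensitive dispatch, as Express does by default."""
    return ROUTES.get(canonical(path))


def vulnerable_requires_auth(path):
    # Bug: compares the raw path, so "/API/crons" or "/%41pi/crons" does not
    # start with "/api/crons" and the request is let through unauthenticated.
    return path.startswith(PROTECTED_PREFIXES)


def fixed_requires_auth(path):
    # Deny by default, and decide on the same canonical form the router dispatches on.
    return canonical(path) not in PUBLIC_PATHS


def handle(path, token, requires_auth):
    """Middleware then router: returns the handler name, or an HTTP status."""
    handler = route(path)
    if handler is None:
        return 404
    if requires_auth(path) and token != "valid-session":
        return 401
    return handler


if __name__ == "__main__":
    for p in ("/api/crons", "/API/crons", "/%41PI/crons", "/api/crons/", "/api/user/login"):
        print(f"{p:16} vulnerable={handle(p, None, vulnerable_requires_auth)!s:14}"
              f" fixed={handle(p, None, fixed_requires_auth)}")
```

The fix has two parts and both matter: the auth decision must be made on the exact canonical path the router will dispatch on, and the default for anything not explicitly public must be "authenticate", so that a new route or a new encoding trick fails closed instead of open.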
2026-06-08 · Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers (2026) · Topics: Secrets, Supply Chain · Analysis of the malicious `elementary-data` PyPI release that stole cloud credentials from data engineers. The attackers exploited a GitHub Actions script-injection flaw to publish a credential-stealing package containing a disguised Python `.pth` file; the payload harvested cloud credentials (AWS, GCP, Azure), SSH keys, container secrets, cryptocurrency wallets and system files and exfiltrated them to a C2 server.
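Both the elementary-data entry above and the LiteLLM entry earlier in this list describe a `.pth` file as the delivery mechanism. The reason it works is a documented feature of CPython's `site` module: any line in a `site-packages/*.pth` file that begins with `import` is executed verbatim on every interpreter start-up, so a package can run a loader without its module ever being imported. The script below is an added example written for this page, a detection heuristic rather than Snyk's scanner; the `.pth` files it creates are constructed samples shaped like the technique, not the real payloads.

```python
"""Find .pth files whose lines execute code at every interpreter start-up.

Added example for the appsec.fyi index (elementary-data and LiteLLM entries); a
detection heuristic written for this page, not Snyk's scanner. The .pth contents
below are constructed samples, not the real payloads.
"""
import os
import re
import site
import tempfile

# site.py executes, verbatim, any .pth line that starts with "import " or "import\t".
EXEC_LINE = re.compile(r"^import[ \t]")
# Constructs that have no business in a path hook: loaders, decoders, network, processes.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|__import__|b64decode|decompress|marshal|urlopen|socket|subprocess|Popen|system)\b"
)


def classify_pth_line(line):
    """Return None for a harmless line, otherwise a severity string."""
    s = line.strip()
    if not s or s.startswith("#") or not EXEC_LINE.match(s):
        return None          # path entry or comment: only extends sys.path
    if SUSPICIOUS.search(s) or ";" in s or len(s) > 200:
        return "high"        # runs code beyond a bare import (chained statements, loaders)
    return "review"          # a plain import still runs on start-up: verify the module


def scan_pth_dir(directory):
    """Return (file name, line number, severity, line) for every executable .pth line."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                severity = classify_pth_line(line)
                if severity:
                    findings.append((name, lineno, severity, line.strip()))
    return findings


def demo():
    """Build a constructed site-packages directory and scan it."""
    samples = {
        "editable-mypkg.pth": "/workspace/mypkg/src\n",             # editable install: path only
        "_virtualenv.pth": "import _virtualenv\n",                   # plain import: worth a look
        # Constructed loader in the shape of the technique: decode and exec at start-up.
        "zzz-compat.pth": "import base64,sys;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_pth_dir(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    # On a real host, scan every site-packages directory this interpreter will load.
    for sp in site.getsitepackages() + [site.getusersitepackages()]:
        if os.path.isdir(sp):
            for finding in scan_pth_dir(sp):
                print(sp, finding)
```

Run it under each interpreter that matters (system Python, every virtualenv, CI images), since each has its own `site-packages`; a "review" finding on a well-known file such as `_virtualenv.pth` is expected, while any `.pth` that decodes, decompresses or reaches the network is an incident, not a code-review item.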
2026-06-08 · Don't Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478) (2026) · Topics: SSTI · Writeup of CVE-2026-40478, a critical Thymeleaf server-side template injection that allows remote code execution when user-controlled input reaches Thymeleaf's expression engine directly, with the sandbox bypassed via a tab character. The CVSS score is 9.1, but exploitation depends on a misuse pattern: dynamic view resolution or template strings built from user input. Defense: upgrade Thymeleaf to 3.1.4 or later and audit code so that user input reaches templates through the data model, never the expression engine.
2026-06-08 · Bridging the Gap to Autonomous Fixes: Snyk and Atlassian Unveil Intelligent Remediation for Jira (2026) · Topics: AI · Announcement of Snyk and Atlassian's intelligent remediation for Jira security tickets. Snyk Studio agentic skills such as "snyk-fix" and "secure-at-inception" generate and validate fixes inside an Agentic Development Environment (ADE); vulnerability data is ingested from Jira and worked through Atlassian's TWG CLI or other CLIs, reducing mean time to resolution (MTTR), avoiding context switching and improving fix accuracy.
2026-06-08 · "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages (2026) · Topics: Secrets, Supply Chain · Analysis of the "Mini Shai-Hulud" campaign against SAP's npm packages, including `@cap-js/db-service`, `@cap-js/sqlite`, `@cap-js/postgres` and `mbt`. The malicious versions ran an obfuscated credential stealer under the Bun runtime, carried self-propagation code and could hijack CI pipelines, continuing the earlier Shai-Hulud pattern of credential theft and persistence injection.
2026-06-08 · lightning PyPI Compromise: A Bun-Based Credential Stealer in Python (2026) · Topics: Secrets, Supply Chain · Analysis of malicious `lightning` PyPI versions 2.6.2 and 2.6.3, which download and execute a Bun-based credential stealer. The loader uses obfuscated JavaScript similar to a prior npm campaign, harvests tokens from GitHub, npm and cloud metadata services, attempts repository poisoning through GitHub GraphQL mutations, and self-propagates on npm. Snyk tracks the incident as advisory SNYK-PYTHON-LIGHTNING-16323121 (CWE-506, Embedded Malicious Code).
2026-06-08 · TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack (2026) · Topics: Secrets, Supply Chain · Analysis of CVE-2026-45321, the Mini Shai-Hulud compromise of TanStack npm packages through three chained weaknesses: a "Pwn Request" via `pull_request_target` in TanStack's bundle-size workflow, GitHub Actions cache poisoning of the pnpm package store, and OIDC token extraction from runner memory, which let the attackers publish malicious packages with valid SLSA provenance. The attack is attributed to TeamPCP and is described as the first documented case of malicious npm packages whose provenance is indistinguishable from a legitimate build.
2026-06-08 · Malicious node-ipc versions published to npm in suspected maintainer account compromise (2026) · Topics: Supply Chain · Analysis of malicious node-ipc versions 9.1.6, 9.2.3 and 12.0.1 on npm, which carried an obfuscated credential-stealing payload. The attack most likely abused a legitimate maintainer account, possibly through expired-domain takeover and account recovery, rather than a CI/CD pipeline breach. The payload targets more than 90 credential categories, including cloud, SSH and Kubernetes secrets, and exfiltrates to attacker-controlled infrastructure. Advice: identify and remove affected versions, rotate exposed secrets, and harden package consumption practices.
2026-06-08 · Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account (2026) · Topics: Supply Chain · Analysis of the Mini Shai-Hulud campaign against the AntV data visualization ecosystem: over 300 malicious package versions published from a compromised maintainer account, each carrying an obfuscated Bun JavaScript payload triggered from a `preinstall` hook. The payloads harvest developer secrets and cloud credentials (AWS, GCP, Azure, GitHub and others), establish C2 persistence through IDE hooks and OS daemons, and self-propagate with stolen npm tokens; orphan commits and Sigstore were used to forge build provenance and mislead security tools.
2026-06-08 · The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised (2026) · Topics: Supply Chain · Analysis of the compromise of Microsoft's `durabletask` Python package on PyPI (SNYK-PYTHON-DURABLETASK-16761538), whose payload combines an infostealer targeting Linux, a worm for propagation and a disk wiper. The incident is linked to the broader AntV Shai-Hulud campaign, whose operators have expanded to packages associated with major technology companies; developers should verify their `durabletask` version and scan their projects with Snyk.
2026-06-08 · Securing The AI Revolution: How Snyk And Our Partners Are Scaling For The Future (2026) · Topics: AI, Supply Chain · Overview of Snyk's go-to-market strategy beyond product-led growth for securing AI-generated code at scale: deep integrations with partners including Anthropic, Cursor, AWS, Atlassian and OpenAI, plus a Partner Services Delivery Program and a Partner Accelerator Fund that help partners build AI security practices and professional services, an ecosystem approach to application security in the AI era.
2026-06-08 2026Snyk announces Anthropic updates: Evo integrates with Claude Enterprise, and Snyk Desk comes to Claude DesktopAILibrary integrating Evo by Snyk with Anthropic's Claude Enterprise, providing security and compliance teams with an inventory of Claude environment models, MCP servers, risk signals, and tool-level permissions. Additionally, the Snyk Security Desktop Extension is now available for Claude Desktop on macOS and Windows, embedding real-time scanning and vulnerability context directly into developer workflows to catch issues at inception and ensure least privilege on AI agent tools.
2026-06-08 2026Laravel Lang Supply Chain AdvisorySupply ChainLibrary of compromised Laravel localization packages on Packagist, specifically those under the `laravel-lang` namespace. An attacker used a leaked GitHub PAT to republish over 700 historical versions with a malicious `helpers.php` file. This file, registered in `autoload.files`, executed on every PHP request, fetching a second-stage payload from `flipboxstudio.info` that steals cloud keys, Kubernetes and Vault secrets, CI/CD tokens, SSH material, environment files, browser data, password manager vaults, crypto wallets, and messaging tokens. Affected environments should be treated as compromised until proven otherwise.
2026-06-08 2026Continuous Offensive Security: The Line We've Been WalkingAIFuzzingLibrary for continuous offensive security testing, this resource details the evolution from traditional Dynamic Security Testing (DAST) to AI-driven pentesting. It distinguishes between heuristic-detectable vulnerabilities (like SQL injection) and context-dependent ones (such as BOLA and IDOR) that require human-like reasoning. The library enables automated discovery of context-dependent flaws by analyzing intent, and includes Agent Red Teaming for novel AI-specific attack surfaces like prompt injection and data exfiltration in LLM-integrated applications.
2026-06-08 2026How Relay Network Adopted AI Coding Securely and Built the Foundation for Agentic DevelopmentAISupply ChainLibrary integrating Snyk with GitHub Copilot enables secure AI-assisted coding by shifting security left. Custom pre-commit hooks scan code in real-time, catching vulnerabilities like insecure dependencies during development. This empowers developers to fix issues immediately, reducing the mean time to remediate (MTTR) and accelerating technical growth.
2026-06-08 2026Fix SCA issues at scale in your terminal with Snyk Remediation Agent in the CLIAISecretsLibrary for automating software composition analysis (SCA) remediation within the terminal. This tool empowers developers to address vulnerabilities at scale by integrating Snyk's security intelligence with large language models (LLMs). It analyzes findings, provides fix context including version upgrades and breakability analysis, and enables iterative, LLM-guided remediation loops with developer review, aiming to improve fix rates for SCA issues.
2026-06-08 2026Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packagesSupply ChainAnalysis of the Miasma supply chain attack details malicious code embedded in at least 32 @redhat-cloud-services npm packages, impacting the Red Hat Hybrid Cloud Console. The compromised releases feature a preinstall script that executes an obfuscated payload, harvesting developer and cloud credentials and attempting to self-propagate. The campaign utilizes a worm-like descendant of the (Mini) Shai-Hulud framework, targeting GCP and Azure identities. The root cause involves a compromised Red Hat employee GitHub account pushing malicious commits, bypassing code review and generating packages with valid SLSA provenance.
2026-06-08 2026Protestware by open source maintainer to hinder agentic coding: The jqwik 1.10.0 Prompt InjectionAILibrary net.jqwik:jqwik-engine version 1.10.0, released by the maintainer, contained protestware utilizing prompt injection. This version, intended to deter AI coding agents, hid instructions to disregard previous commands and delete jqwik tests and code using ANSI terminal codes, making them invisible to humans but readable by automated systems. While at least one AI agent successfully identified and refused the injection, this incident highlights supply chain risks where tool output can be interpreted as commands, emphasizing the need to treat such output as untrusted input.
2026-06-08 · The New Security Risks of the Agentic Development Lifecycle · AI · Overview of securing the agentic development lifecycle, in which AI agents plan, build, modify, test and ship software by interacting with tools, codebases and environments. The security focus shifts from inspecting artifacts to trusting the creation process, covering risks from agent inputs (malicious skills, flawed MCP servers), agent actions (unsafe command execution, unauthorized access) and generated outputs (insecure code patterns).
2026-06-08 · Type Level Security: The future of secure AI code generation? · AI · Article on type-level security as a defence against bug classes such as Insecure Direct Object Reference (IDOR) and DOM XSS. It shows how Rust's type system and Python's type hints can encode security invariants, so that values such as user IDs or strings can only be used after authentication or sanitization, making whole classes of bugs fail to compile or type-check, for human developers and AI code generation alike.
2026-06-08 · Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp · RCE, Supply Chain · Analysis of the Node-gyp Supply Chain Compromise, a self-propagating npm worm that gets code execution through `binding.gyp`. Tracked as "Miasma" by StepSecurity and "Node-gyp Supply Chain Compromise - June 2026" by Snyk, it runs during `npm install` by abusing `node-gyp`'s configure phase, harvests credentials from developer and CI/CD environments (AWS, GCP, Azure, GitHub Actions), exfiltrates them through attacker-controlled GitHub repositories, persists via GitHub Actions workflows, and spreads by republishing affected packages: 57 packages across hundreds of malicious versions.
2026-06-08 · So You Have an AI Security Budget. Now what? · AI · Guidance on AI security budgeting that moves from fragmented tool spending to unified investment in visibility, governance and control across the AI lifecycle. It argues for funding AI discovery, risk assessment, policy enforcement, adversarial testing, runtime protection and governance evidence, citing CVE-2025-6514 and the Replit data-deletion incident as examples of what agentic development and agentic applications expose.
2026-06-06 · Node-gyp Supply Chain Compromise · Supply Chain · Advisory on the Node-gyp Supply Chain Compromise, a self-propagating npm worm that abuses `binding.gyp` for install-time code execution. Because it runs commands from `node-gyp`'s configure phase rather than from lifecycle scripts, it bypasses script-focused security tooling; a multi-stage Bun-based loader harvests developer and CI/CD credentials from cloud providers and password managers, exfiltrates them, and self-propagates by republishing compromised packages. First reported by StepSecurity as the "Phantom Gyp" technique and the "Miasma" campaign.
2026-06-05 · Type Level Security for Secure AI Code Generation · Python · Article on type-level security against vulnerabilities such as Insecure Direct Object Reference (IDOR) and DOM XSS, with Python and Rust code patterns showing how opaque types and access restrictions can enforce authentication and authorization checks at compile or lint time, for human developers and AI code generation alike.
2026-06-04 · Miasma Attack Hits Red Hat npm Packages · Supply Chain · Advisory on the Miasma attack: obfuscated JavaScript embedded in @redhat-cloud-services npm packages and run from preinstall scripts, acting as a self-propagating worm and credential stealer that targets developer and cloud credentials. Compromised GitHub accounts were used to ship releases with valid SLSA provenance. At least 32 package releases were affected, averaging 80,000 weekly downloads; Snyk's lead advisory is rated Critical (CVSS v4.0) with exploit maturity "Attacked".
2026-05-18 · TanStack npm Packages Hit by Mini Shai-Hulud · GraphQL · Analysis of the "Mini Shai-Hulud" attack on TanStack npm packages, attributed to TeamPCP. The attackers chained a GitHub Actions `pull_request_target` trigger with cache poisoning and OIDC token extraction via memory dumping to publish malicious packages carrying SLSA provenance; an injected `router_init.js` payload ran via lifecycle hooks. Downstream projects including Mistral AI and UiPath were affected. Tracked as CVE-2026-45321 (critical).
2026-05-12 · TanStack npm Packages Hit by Mini Shai-Hulud · Supply Chain · Advisory on the Mini Shai-Hulud supply chain attack on @tanstack npm packages, which published 84 malicious artifacts. Attributed to TeamPCP, it is described as the first documented case of malicious npm packages carrying valid SLSA provenance, achieved by hijacking the legitimate release pipeline via a `pull_request_target` weakness, cache poisoning and OIDC token extraction. Affected packages include `@tanstack/react-router`; remediation is to treat install environments that pulled affected versions as compromised and rotate secrets.
2026-04-17 · What is a Software Bill of Materials (SBOM)? (Snyk) · Supply Chain · Explainer on Software Bills of Materials (SBOMs): formal records of a product's software components and their supply chain relationships. SBOMs improve transparency, support vulnerability management and help with regulatory compliance, notably for software sold to the US federal government under Executive Order 14028. Standards covered include SPDX, SWID and OWASP CycloneDX, enabling analysis of dependencies, licenses and known vulnerabilities alongside supply chain integrity efforts such as SLSA.
2026-04-11 · Golang JWT access restriction bypass vulnerability · JWT · Writeup of an access restriction bypass in the Go jwt-go library's `VerifyAudience`: an empty-string audience value (`""`) passed audience verification, tracked here as CVE-2020-28361. A fix existed in v4.0.0-preview1, but many projects depended on the master branch and stayed vulnerable. Snyk's research team reported this and other Go vulnerabilities it found, which feed its vulnerability database.
2026-04-11 · Top 3 security best practices for handling JWTs · JWT · Guide to three core JWT practices: keep tokens secret (transport over HTTPS only, store with the HttpOnly and Secure cookie flags), validate tokens fully (check the signature and the exp, nbf, iss and aud claims), and set expiration times. It notes how Snyk can flag deviations from these practices in Python code using libraries such as Flask-JWT-Extended and PyJWT.
2026-04-11 · Detecting JWT Security Issues · JWT · Guide to detecting JWT security issues in Node.js applications using the `jsonwebtoken` npm package, in particular the misuse of `jwt.decode()`, which returns the payload without verifying the signature and so leads to broken authentication. It also covers hardcoded sensitive data, insufficient logging and missing rate limiting, with recommendations for secure JWT handling.
2026-04-11 · Why 28 Million Credentials Leaked on GitHub in 2025 | Snyk · API Sec, Secrets · Report on leaked secrets (API keys, database passwords, cloud IAM credentials, AI service keys) and how they get out: accidental Git commits, insecure .env handling, supply chain attacks via malicious packages such as Shai-Hulud and compromised versions of TruffleHog, and non-code surfaces such as Slack, Jira and Docker Hub. It also flags the growing exposure from AI-assisted development and MCP server credentials, and contrasts secret scanning with SAST by its analysis of full Git history, deleted files included.
2026-04-10 · How a Poisoned Security Scanner Backdoored LiteLLM · Python · Writeup of the supply chain attack on the litellm Python package, in which poisoned security scanner tooling (Trivy and Checkmarx KICS) led to malicious versions 1.82.7 and 1.82.8 being published to PyPI. Credentials were harvested through a compromised GitHub Action, and .pth files provided persistence, enabling data exfiltration and lateral movement in Kubernetes environments.
2025-08-14 · Go Security cheatsheet | Snyk Blog · Cheatsheet of eight Go security best practices: use Go Modules for dependency management and scan dependencies for CVEs with tools such as Snyk, use Go's standard crypto packages, use `html/template` to prevent XSS, be careful with subshelling, `unsafe` and `cgo`, use reflection sparingly, and minimise the container attack surface.
2023-04-03 · Top 5 scapy Code Examples · Python · https://ift.tt/PJT08ay
2022-02-21 · Go Security cheatsheet | Snyk Blog · Cheatsheet of eight Go security best practices for Go developers: Go Modules for dependency management and CVE scanning of dependencies with tools such as Snyk; Go's standard crypto packages; `html/template` to prevent XSS; caution with subshelling, the `unsafe` package and `cgo`; sparing use of reflection; and minimising the container attack surface.