
The New Security Control Point: Governing AI Agents Inside the Execution Loop

As organizations adopt AI agents to build software, security teams face a new challenge: risk is no longer introduced only through the code that gets produced. It emerges continuously through the tools agents use, the actions they take, and the code they generate. This is the problem Evo Agentic Development Security (ADS) was designed to solve. ADS secures all three layers of the agentic development system—what agents use, what they do, and what they generate.

Announcing Agentic Development Security (ADS)

Today, we're announcing Agentic Development Security (ADS), a new Evo solution designed for securing AI-driven software development. AI agents are now active participants in the software development process, selecting tools, executing actions across systems, and generating production-ready code at machine speed.

What nearly 10,000 developer environments reveal about agentic development risk

For years, application security teams have focused on a familiar set of questions: Is the code secure? Are the dependencies vulnerable? Is the build pipeline protected? Are issues being caught before they reach production? Agentic development adds a new question: What systems, tools, instructions, and permissions helped produce this code? AI coding agents are no longer just suggesting snippets or completing lines of code.

How to Set Up AI Rules, Skills, Hooks and MCPs

In this video, we break down how to properly set up and use AI extension points - specifically MCP (Model Context Protocol) servers, Rules, Skills, and Hooks - to supercharge your development workflow. Using practical, security-flavored examples with Claude Code and Snyk, you'll learn how to configure a local project environment that automatically catches vulnerabilities before they ever hit your codebase. Whether you use the Claude CLI, VS Code extensions, or alternate AI ecosystems like Cursor or Gemini, you can use these exact steps as a blueprint to automate any workflow in your project.

A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope

An attacker republished the entire @mastra npm scope on June 17, 2026, slipping a single malicious dependency into 143 packages and counting, including @mastra/core, which pulls roughly 4 million downloads a month and has hundreds of dependent projects. The injected dependency, easy-day-js, is a dayjs lookalike whose install hook disables TLS verification, downloads a second-stage payload from a raw IP address, and runs a cross-platform cryptocurrency stealer in the background.

The Government Just Banned an AI Model. An Engineer's Perspective.

I've spent the better part of three years wiring AI into how my teams build and ship software. So when the news broke this week that the US government had effectively switched off an AI model, I was legitimately shocked. Not for one country. Not for one company. For everyone on the planet, all at once. Three days. That's how long Anthropic's Fable 5 and Mythos 5 models were available before the government ordered them shut off for everyone.

Top 7 Claude Skills for Developers

Over 78% of developers are using Claude for coding, but almost everyone is leaving its single most powerful feature switched off: Claude Skills. In this video, we break down what Claude Skills are, how they use "progressive disclosure" to keep your context window light, and the 7 best engineering skills you can install this week to completely supercharge your workflow.

When a Government Pulls an AI Model: What the Fable 5 and Mythos 5 Suspension Means for Security Teams

On the evening of June 12, 2026, Anthropic disabled access to two of its newest models, Claude Fable 5 and Claude Mythos 5, for every customer worldwide. The company did not do this because of an outage or a self-discovered flaw. It did it to comply with a US government export-control directive, received at 5:21 PM ET that day, citing national security authorities.

Claude Opus 4.8: Can It Finally Write Secure Code?

We put Anthropic’s new Claude Opus 4.8 to the test using our standard benchmark: building a secure, production-ready Notes app. Anthropic claims this model is four times less likely to let security flaws slip through. Operating in "Ultra Code" mode, the AI navigates environment blocks, writes its own E2E security test suite, and runs dependency audits. We walk through the final app and run a security scan using the Snyk CLI to see if Claude's code is truly safe to deploy.

So You Have an AI Security Budget. Now what?

Most organizations spend their AI security budget on the wrong layer. The instinct is to just buy visibility to inventory the models, map the APIs, and ship a dashboard. But visibility alone won’t stop the coding agent that just pulled in a compromised MCP server. It won’t stop the production agent that’s about to forward a customer record to a place it shouldn’t go.

Type Level Security: The future of secure AI code generation?

With code being written (and generated) faster than ever before, there is the unfortunate side effect that security vulnerabilities are also arriving faster than ever before. Asking your LLM not to include security vulnerabilities in its code doesn't always work. It is becoming clear that the way software is built today, manually or with assistance, is insufficient when it comes to reliably, consistently, and provably writing secure code.

Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp

A supply chain attack is actively spreading through the npm registry by abusing a file most security tooling never looks at: binding.gyp. Instead of relying on the well-monitored preinstall or postinstall lifecycle scripts, the malware ships a weaponized binding.gyp that triggers node-gyp to execute attacker-controlled code automatically during npm install.

The New Security Risks of the Agentic Development Lifecycle

For years, application security ran on a simple assumption: software moves through a lifecycle, and security inspects the artifacts as they travel from development to production. Developers plan, write code, commit it, test it, scan it, and ship it. Every control built, including pull request reviews, CI/CD gates, and post-commit scanning, assumed a human was sitting between each step, making decisions a tool could later check.

Protestware by open source maintainer to hinder agentic coding: The jqwik 1.10.0 Prompt Injection

On May 25, 2026, the maintainer of jqwik, a Java property-based testing library, released version 1.10.0 to Maven Central with a hidden instruction intended for AI coding agents. The payload told agents to disregard previous instructions and delete all jqwik tests and code. It was hidden from humans with ANSI terminal codes but left fully readable to any tool that captures raw output.

Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages

On June 1, 2026, researchers identified malicious code embedded in at least 32 package releases published under the @redhat-cloud-services npm namespace, a set of frontend components and API clients that power the Red Hat Hybrid Cloud Console. The compromised releases carry a preinstall script that runs an obfuscated payload the moment a package is installed, harvesting developer and cloud credentials and attempting to spread itself to other packages the victim can publish.