London, UK
2015
  |  By Liran Tal
We ran 300 vulnerability-finding scans to measure how repeatable an agentic LLM security review is on the same code, prompt, and harness. The headline result is not that one scanner "wins" a self-referential leaderboard. It is that LLM security findings are unevenly repeatable: reference-matched findings were stable, but extra-model reports varied widely from run to run.
  |  By Michelle Ginzburg
For over twenty years, the global security community has operated under a single, comfortable assumption: that a centralized public source could help track, analyze, and enrich the world’s software vulnerabilities at the pace the industry needed. When the National Vulnerability Database (NVD) was established, the open source vulnerability lifecycle moved at a radically different pace.
  |  By Agnieszka Koc
As organizations adopt AI agents to build software, security teams face a new challenge: risk is no longer introduced only through the code that gets produced. It emerges continuously through the tools agents use, the actions they take, and the code they generate. This is the problem Evo Agentic Development Security (ADS) was designed to solve. ADS secures all three layers of the agentic development system—what agents use, what they do, and what they generate.
  |  By Daniel Berman
Today, we're announcing Agentic Development Security (ADS), a new Evo solution designed for securing AI-driven software development. AI agents are now active participants in the software development process, selecting tools, executing actions across systems, and generating production-ready code at machine speed.
  |  By Ricardo Miguel Silva
For years, application security teams have focused on a familiar set of questions: Is the code secure? Are the dependencies vulnerable? Is the build pipeline protected? Are issues being caught before they reach production? Agentic development adds a new question: What systems, tools, instructions, and permissions helped produce this code? AI coding agents are no longer just suggesting snippets or completing lines of code.
  |  By Brendan Hann
Finding issues is easier than ever. Triaging and fixing them is what's scarce. Through Snyk's Secure Developer Program, open source maintainers get the signal to cut through the noise and the platform to fix what matters, free for their open source projects.
  |  By Liran Tal
An attacker republished the entire @mastra npm scope on June 17, 2026, slipping a single malicious dependency into 143 packages and counting, including @mastra/core, which pulls roughly 4 million downloads a month and has hundreds of dependent projects. The injected dependency, easy-day-js, is a dayjs lookalike whose install hook disables TLS verification, downloads a second-stage payload from a raw IP address, and runs a cross-platform cryptocurrency stealer in the background.
  |  By Randall Degges
I've spent the better part of three years wiring AI into how my teams build and ship software. So when the news broke this week that the US government had effectively switched off an AI model, I was legitimately shocked. Not for one country. Not for one company. For everyone on the planet, all at once. Three days. That's how long Anthropic's Fable 5 and Mythos 5 models were available before the government ordered them shut off for everyone.
  |  By Stephen Thoemmes
On the evening of June 12, 2026, Anthropic disabled access to two of its newest models, Claude Fable 5 and Claude Mythos 5, for every customer worldwide. The company did not do this because of an outage or a self-discovered flaw. It did it to comply with a US government export-control directive, received at 5:21 PM ET that day, citing national security authorities.
  |  By Snyk Team
Most organizations spend their AI security budget on the wrong layer. The instinct is to just buy visibility to inventory the models, map the APIs, and ship a dashboard. But visibility alone won’t stop the coding agent that just pulled in a compromised MCP server. It won’t stop the production agent that’s about to forward a customer record to a place it shouldn’t go.
  |  By Snyk
GLM 5.2 just launched from Z.ai, and it might be one of the biggest threats yet to the frontier model premium. It’s open, significantly cheaper than Claude Opus 4.8, and claims to deliver near-frontier coding performance across major benchmarks. But benchmarks only matter if the model can actually build something production-ready.
  |  By Snyk
In this video, we break down how to properly set up and use AI extension points - specifically MCP (Model Context Protocol) servers, Rules, Skills, and Hooks - to supercharge your development workflow. Using practical, security-flavored examples with Claude Code and Snyk, you'll learn how to configure a local project environment that automatically catches vulnerabilities before they ever hit your codebase. Whether you use the Claude CLI, VS Code extensions, or alternate AI ecosystems like Cursor or Gemini, you can use these exact steps as a blueprint to automate any workflow in your project.
  |  By Snyk
Over 78% of developers are using Claude for coding, but almost everyone is leaving its single most powerful feature switched off: Claude Skills. In this video, we break down what Claude Skills are, how they use "progressive disclosure" to keep your context window light, and the 7 best engineering skills you can install this week to completely supercharge your workflow.
  |  By Snyk
We put Anthropic’s new Claude Opus 4.8 to the test using our standard benchmark: building a secure, production-ready Notes app. Anthropic claims this model is four times less likely to let security flaws slip through. Operating on "Ultra Code" mode, the AI navigates environment blocks, writes its own E2E security test suite, and runs dependency audits. We walkthrough the final app and run a security scan using the Snyk CLI to see if Claude's code is truly safe to deploy.
  |  By Snyk
235,000 installs per week. That’s how quickly developers are downloading AI agent skills — packages that give AI coding agents new capabilities like shell access, file system operations, cloud access, and deployment permissions. But unlike traditional npm packages, agent skills introduce a completely new security problem: natural language instructions that AI agents can interpret and execute autonomously.
  |  By Snyk
On May 11, 2026, the TanStack namespace was hit by a "Mini Shai-Hulud" supply chain attack. Unlike typical attacks, this did not involve stolen credentials; instead, the threat group TeamPCP hijacked the legitimate GitHub Actions release pipeline. This video covers the technical details of the OIDC token extraction, the "Dead Man's Switch" that triggers a rm -rf / upon credential revocation, and the mandatory remediation order you must follow to save your data. We also discuss how to harden your workflow using release-age cooldowns and OIDC pinning.
  |  By Snyk
Are you confused by the terminology surrounding AI coding tools? You aren't alone. In this video, we break down the four essential components that transform a basic LLM into a powerful coding agent: Rules, Skills, Hooks, and the Model Context Protocol (MCP).
  |  By Snyk
GPT-5.5 vs Claude Opus 4.7 - two flagship AI models dropped one week apart, and both claim to be the best at agentic coding. We put that to the test by giving each model the exact same prompt: build a production-ready, secure note-taking application from scratch. But we didn't stop at reviewing the code. We actually tried to break it by running real security tests against each app to see whether AI-generated code can be trusted with user data. The results were not what we expected.
  |  By Snyk
Cursor just dropped Composer 2.0, claiming it rivals (and even beats) the industry’s leading frontier models like GPT-5.4 and Claude Opus 4.6. But do the benchmarks match reality?
  |  By Snyk
In this video, we explore the growing security risk of prompt injection in large language model (LLM) applications. As AI becomes embedded in more products, new vulnerabilities emerge, especially through natural language manipulation. We break down how LLMs work, the importance of system prompts, and demonstrate five real-world prompt injection techniques used to extract sensitive information or bypass safeguards. You’ll see live examples using different models and learn why newer models are more resilient, but still not immune.
  |  By Snyk
This book will help both development and application security architects and practitioners address the risk of vulnerable open source libraries and discuss why such vulnerable dependencies are the most likely to be exploited by attackers.
  |  By Snyk
Forrester conducted a customer study to get insights into why organizations choose Snyk to help them tackle and implement developer-first security. Read the report to dive into the benefits, cost and value ROI for Snyk.
  |  By Snyk
This book reviews how the serverless paradigm affects the security of an application, and dives into the benefits it brings.
  |  By Snyk
Snyk's annual State of Open Source Security Report 2020 is here. Download it now to learn how Open Source security is evolving.
  |  By Snyk
"Shift left" has become the holy grail for security teams today but organizations are still struggling to successfully implement some of the key processes that shifting security left entails. A new study sponsored by Snyk and conducted by Enterprise Strategy Group (ESG) has found that while developers are indeed being given more responsibility for testing their applications for security issues, they simply don't have the knowledge or right set of tools to do so.
  |  By Snyk
81% of security and development professionals believe developers are responsible for open source security - but many organizations are still unsure how to start building a culture and practice of DevSecOps. Puppet & Snyk's study is digging deeper into the trends of DevSecOps adoption.
  |  By Snyk
The 2020 Gartner Market Guide for SCA is here! Recent Gartner survey finds that over 90% of organizations leverage OSS in application development - and as a result, security of open source packages was the highest ranked concern for respondents. These concerns have led to a growing market, addressed by various vendors for SCA tools that mitigate the risk of OSS. New trends emerge with devops on the rise - as the market shifts towards developer-friendly SCA tools.

Snyk is an open source security platform designed to help software-driven businesses enhance developer security. Snyk's dependency scanner makes it the only solution that seamlessly and proactively finds, prioritizes and fixes vulnerabilities and license violations in open source dependencies and container images.

Security Across the Cloud Native Application Stack:

  • Open Source Security: Automatically find, prioritize and fix vulnerabilities in your open source dependencies throughout your development process.
  • Code Security: Find and fix vulnerabilities in your application code in real-time during the development process.
  • Container Security Find and automatically fix vulnerabilities in your containers at every point in the container lifecycle.
  • Infrastructure as Code Security Find and fix Kubernetes and Terraform infrastructure as code issues while in development.

Develop Fast. Stay Secure.