|
By Brian Vermeer
On May 25, 2026, the maintainer of jqwik, a Java property-based testing library, released version 1.10.0 to Maven Central with a hidden instruction intended for AI coding agents. The payload told agents to disregard previous instructions and delete all jqwik tests and code. It was hidden from humans with ANSI terminal codes but left fully readable to any tool that captures raw output.
|
By Brian Clark
On June 1, 2026, researchers identified malicious code embedded in at least 32 package releases published under the @redhat-cloud-services npm namespace, a set of frontend components and API clients that power the Red Hat Hybrid Cloud Console. The compromised releases carry a preinstall script that runs an obfuscated payload the moment a package is installed, harvesting developer and cloud credentials and attempting to spread itself to other packages the victim can publish.
|
By Ryan McMorrow
Snyk is now detecting six vulnerabilities for every one remediated. NIST reported a 33% increase in CVE submissions in Q1 2026. According to Gartner, the average time to patch a high/critical vulnerability is 55 days (Gartner, "How to Respond to the 2026-2027 Threat Landscape," 28 May 2026).
|
By Snyk Team
Champion / Spokesperson(s): Brendan Putek, Director of DevOps, and Esaie Batoula, Security Engineer. Relay Network is the innovator behind a secure B2C communications platform that combines SMS with dynamic feed technology to help regulated enterprises deliver personalized, action-oriented mobile experiences for every customer. In an industry where trust, compliance, and data protection are paramount, security has always been central to how the company builds software.
|
By Nuno Loureiro
AI Pentesting is having a moment. Well, several moments, actually. Every other week, another vendor announces something, or another LLM-driven pentesting tool tops some benchmark on a target nobody's heard of, another deck claims a new "gold standard" being disrupted, at long last... It's been busy.
|
By Brian Clark
On May 22 and May 23, 2026, an attacker republished hundreds of malicious versions under historical release tags for four community-maintained Laravel localization libraries that are published on Packagist under the laravel-lang namespace.
|
By Ranko Cupovic
Today, we're announcing two new integrations with Anthropic that cover both sides of AI-assisted development. Evo by Snyk now integrates with Anthropic's Claude Enterprise, giving security and compliance teams a complete inventory of their Claude environment models, approved MCP servers, per model risk signals, and tool-level permissions in the platform they already use to govern the rest of the stack.
|
By Tom Nielsen
Snyk started as a classic product-led growth company. For our first two years, we didn't need a sales team — the product sold itself to developers. That's a rare thing, and we're proud of it. It meant we had genuine product-market fit before we had a go-to-market motion. But markets evolve, and so did we. Today, AI coding agents are generating code at a velocity that significantly outpaces the ability of security teams to review it.
|
By Liran Tal
The ink was barely dry on our coverage of the AntV Shai Hulud supply chain attack when a new compromise surfaced in the Python ecosystem. The target this time is durabletask, an open source Python package associated with Microsoft, used for building durable, fault-tolerant workflow orchestration on top of the Durable Task Framework. The latest safe version of durabletask is 1.4.0, and three known versions have been yanked from the PyPI registry.
|
By Liran Tal
A supply chain attack affecting the @antv data visualization ecosystem and related npm packages is actively spreading through the npm registry. The attack, attributed to a threat group called TeamPCP and branded as another wave of the Mini Shai-Hulud campaign, published more than 300 malicious package versions across 323 packages in a 22-minute automated burst on May 19, 2026. The packages collectively represent approximately 16 million weekly downloads.
|
By Snyk
235,000 installs per week. That’s how quickly developers are downloading AI agent skills — packages that give AI coding agents new capabilities like shell access, file system operations, cloud access, and deployment permissions. But unlike traditional npm packages, agent skills introduce a completely new security problem: natural language instructions that AI agents can interpret and execute autonomously.
|
By Snyk
On May 11, 2026, the TanStack namespace was hit by a "Mini Shai-Hulud" supply chain attack. Unlike typical attacks, this did not involve stolen credentials; instead, the threat group TeamPCP hijacked the legitimate GitHub Actions release pipeline. This video covers the technical details of the OIDC token extraction, the "Dead Man's Switch" that triggers a rm -rf / upon credential revocation, and the mandatory remediation order you must follow to save your data. We also discuss how to harden your workflow using release-age cooldowns and OIDC pinning.
|
By Snyk
Are you confused by the terminology surrounding AI coding tools? You aren't alone. In this video, we break down the four essential components that transform a basic LLM into a powerful coding agent: Rules, Skills, Hooks, and the Model Context Protocol (MCP).
|
By Snyk
GPT-5.5 vs Claude Opus 4.7 - two flagship AI models dropped one week apart, and both claim to be the best at agentic coding. We put that to the test by giving each model the exact same prompt: build a production-ready, secure note-taking application from scratch. But we didn't stop at reviewing the code. We actually tried to break it by running real security tests against each app to see whether AI-generated code can be trusted with user data. The results were not what we expected.
|
By Snyk
Cursor just dropped Composer 2.0, claiming it rivals (and even beats) the industry’s leading frontier models like GPT-5.4 and Claude Opus 4.6. But do the benchmarks match reality?
|
By Snyk
In this video, we explore the growing security risk of prompt injection in large language model (LLM) applications. As AI becomes embedded in more products, new vulnerabilities emerge, especially through natural language manipulation. We break down how LLMs work, the importance of system prompts, and demonstrate five real-world prompt injection techniques used to extract sensitive information or bypass safeguards. You’ll see live examples using different models and learn why newer models are more resilient, but still not immune.
|
By Snyk
We pit GitHub Spark (in public preview) against Replit's AI agent. The challenge? Build a fully functional community forum for DIY tips from a single prompt. We compare design aesthetics, mobile responsiveness, login security, and deployment speed to see which tool creates a truly production-ready application. Which one do you think deserved the win? Let me know in the comments!
|
By Snyk
In the second match of our Vibe Coding Challenge series, we put two powerhouse AI platforms to the ultimate test: Vercel’s v0 and Base 44. We gave both platforms the exact same prompt: build a DIY Home Repair community forum.
|
By Snyk
Which AI tool is better for building a real app without writing code, Bolt or Lovable? In this video, I put both AI app builders head-to-head using the exact same prompt to create a DIY home repair forum. From database setup to authentication, UI design, publishing, and security checks, we compare how each platform performs in real time. The goal isn’t just to generate something that looks like an app, it’s to see whether these tools can actually create something usable, functional, and potentially production-ready. We evaluate.
|
By Snyk
Join Vandana and Rob in this insightful webinar exploring the rapidly evolving landscape of AI security. As we shift from simple query-response models to complex autonomous agents that can plan, execute code, and access sensitive APIs, the traditional security "locks" are no longer sufficient. This session dives deep into the OWASP AI Exchange, a community-driven initiative providing practical guidance and technical controls for securing AI systems.
|
By Snyk
This book will help both development and application security architects and practitioners address the risk of vulnerable open source libraries and discuss why such vulnerable dependencies are the most likely to be exploited by attackers.
|
By Snyk
Forrester conducted a customer study to get insights into why organizations choose Snyk to help them tackle and implement developer-first security. Read the report to dive into the benefits, cost and value ROI for Snyk.
|
By Snyk
This book reviews how the serverless paradigm affects the security of an application, and dives into the benefits it brings.
|
By Snyk
Snyk's annual State of Open Source Security Report 2020 is here. Download it now to learn how Open Source security is evolving.
|
By Snyk
81% of security and development professionals believe developers are responsible for open source security - but many organizations are still unsure how to start building a culture and practice of DevSecOps. Puppet & Snyk's study is digging deeper into the trends of DevSecOps adoption.
|
By Snyk
"Shift left" has become the holy grail for security teams today but organizations are still struggling to successfully implement some of the key processes that shifting security left entails. A new study sponsored by Snyk and conducted by Enterprise Strategy Group (ESG) has found that while developers are indeed being given more responsibility for testing their applications for security issues, they simply don't have the knowledge or right set of tools to do so.
|
By Snyk
The 2020 Gartner Market Guide for SCA is here! Recent Gartner survey finds that over 90% of organizations leverage OSS in application development - and as a result, security of open source packages was the highest ranked concern for respondents. These concerns have led to a growing market, addressed by various vendors for SCA tools that mitigate the risk of OSS. New trends emerge with devops on the rise - as the market shifts towards developer-friendly SCA tools.
- June 2026 (2)
- May 2026 (15)
- April 2026 (13)
- March 2026 (13)
- February 2026 (25)
- January 2026 (14)
- December 2025 (15)
- November 2025 (16)
- October 2025 (20)
- September 2025 (19)
- August 2025 (35)
- July 2025 (20)
- June 2025 (30)
- May 2025 (16)
- April 2025 (24)
- March 2025 (34)
- February 2025 (28)
- January 2025 (25)
- December 2024 (32)
- November 2024 (19)
- October 2024 (37)
- September 2024 (32)
- August 2024 (34)
- July 2024 (32)
- June 2024 (34)
- May 2024 (35)
- April 2024 (29)
- March 2024 (11)
- February 2024 (13)
- January 2024 (21)
- December 2023 (20)
- November 2023 (31)
- October 2023 (29)
- September 2023 (13)
- August 2023 (25)
- July 2023 (17)
- June 2023 (31)
- May 2023 (23)
- April 2023 (20)
- March 2023 (24)
- February 2023 (21)
- January 2023 (18)
- December 2022 (22)
- November 2022 (33)
- October 2022 (40)
- September 2022 (36)
- August 2022 (36)
- July 2022 (18)
- June 2022 (22)
- May 2022 (25)
- April 2022 (31)
- March 2022 (43)
- February 2022 (30)
- January 2022 (28)
- December 2021 (44)
- November 2021 (27)
- October 2021 (26)
- September 2021 (27)
- August 2021 (20)
- July 2021 (19)
- June 2021 (23)
- May 2021 (29)
- April 2021 (22)
- March 2021 (33)
- February 2021 (12)
- January 2021 (13)
- December 2020 (2)
Snyk is an open source security platform designed to help software-driven businesses enhance developer security. Snyk's dependency scanner makes it the only solution that seamlessly and proactively finds, prioritizes and fixes vulnerabilities and license violations in open source dependencies and container images.
Security Across the Cloud Native Application Stack:
- Open Source Security: Automatically find, prioritize and fix vulnerabilities in your open source dependencies throughout your development process.
- Code Security: Find and fix vulnerabilities in your application code in real-time during the development process.
- Container Security Find and automatically fix vulnerabilities in your containers at every point in the container lifecycle.
- Infrastructure as Code Security Find and fix Kubernetes and Terraform infrastructure as code issues while in development.
Develop Fast. Stay Secure.