Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On December 3, 2025, coordinated disclosures revealed that multiple releases of React 19 and Next.js contain a critical flaw in the React Server Components (RSC) “Flight” protocol, allowing unauthenticated remote code execution (RCE). The vulnerability originates from unsafe deserialization of attacker-controlled data in server-side RSC payload handling.

Artificial Intelligence (AI) is transforming software development with agentic coding tools like GitHub Copilot and Cursor, leading the charge. These tools use AI to assist developers in writing code, automate repetitive tasks, and expedite the development process.

Snyk empowers organizations to build fast and stay secure. As security and engineering teams scale their use of Snyk across the enterprise, understanding what's happening across your group and organizations becomes critical–from API integrations and user access patterns to policy changes and security events. However, raw audit logs alone can be overwhelming and difficult to interpret. Security leaders need instant visibility into critical events, risk patterns, and user activity.

On November 24th, 2025, we identified a new supply chain attack in the npm ecosystem, referred to as SHA1-Hulud. We believe this is a second wave of the Shai-Hulud attack, which occurred in September 2025. Snyk will continue monitoring this active incident until it is resolved. Updates on this incident will be on our trust center.