Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CVE-2025-69258: Trend Micro Apex Central Remote Code Execution Vulnerability

On January 7, 2026, Trend Micro released a critical patch for Apex Central on-premises versions below Build 7190, addressing multiple vulnerabilities. The most severe of the vulnerabilities disclosed is CVE-2025-69258, a critical severity vulnerability, which allows unauthenticated threat actors to load malicious DLLs and execute arbitrary code as SYSTEM without user interaction. The advisory also includes two medium-severity denial-of-service vulnerabilities, CVE-2025-69259 and CVE-2025-69260.

A New Era for AI Coding? GPT 5.2 vs. Security Vulnerabilities

Can OpenAI’s GPT 5.2 actually build a production-ready, secure application from a single prompt? In this video, we put the latest model to the test by asking it to build a full-stack Node.js note-taking app. We evaluate its dependency choices, dive into a surprising fix for a long-standing CSRF vulnerability, and run a full security audit using Snyk. Is this the new gold standard for AI coding models?

Critical jsPDF Vulnerability Enables Arbitrary File Read in Node.js (CVE-2025-68428)

In January 2026, a critical security vulnerability was disclosed in jsPDF, a popular JavaScript library used to generate PDF documents. The issue, tracked as CVE-2025-68428, affects server-side Node.js deployments of jsPDF prior to version 4.0.0 and has been assigned a CVSS score of 9.2. The vulnerability is a path traversal issue that can be abused to read arbitrary files from the local filesystem.

CVE-2026-21858: Critical Unauthenticated File Access Vulnerability in n8n "Ni8mare"

On January 7, 2026, fixes were released for a maximum severity vulnerability (CVE-2026-21858) impacting n8n, a workflow automation application primarily used with artificial intelligence. Labeled “Ni8mare” by the researchers who discovered it, the vulnerability allows unauthenticated remote threat actors to take over locally deployed instances via publicly accessible webhook and form endpoints.

Beyond Detection: Building a Resilient Software Supply Chain (Lessons from the Shai-Hulud Post-Mortem)

The Shai-Hulud npm supply chain incident was a wake-up call for the industry. The attack involved malicious packages containing hidden exfiltration scripts that targeted developers’ machines and CI environments. At Snyk, we watched this incident unfold in real-time, observing how quickly attackers can pivot from one compromised credential to a full-scale ecosystem infection.

How OWASP Top 10 Maps to Data Exposure Risks: 5 Hidden Threats Explained

Most teams learn the OWASP Top 10 as a list of application security failures. Injection flaws. Broken access control. Security misconfiguration. Items to scan for, remediate, and close before the next audit or penetration test. But data exposure rarely arrives neatly packaged as a single OWASP finding. When sensitive data leaks, it is almost never because one category failed in isolation.

Secure by Default: Why Snyk and Augment Code are the New Standard for AI Development

AI coding assistants have fundamentally changed development velocity. With tools like Augment Code, developers can now build and iterate at a pace that was unimaginable just a few years ago. However, this explosion in speed has created a new challenge: security teams, often still relying on manual review processes, are becoming the bottleneck.

The Versioning Ghost: Why OS Context is the Missing Coordinate

In the world of Software Composition Analysis (SCA), we often treat the tuple of (package_name, version) as a unique identifier. For example, given the npm package angular at version 1.8.0, we would know precisely which source code was used and which vulnerabilities affect that version. It is a common misconception that a package version maps directly to a fixed set of source code and, by extension, a static vulnerability profile.

Exploiting Monsta FTP: Technical Analysis of CVE-2025-34299

CVE-2025-34299 is a critical vulnerability in Monsta FTP, a web-based file transfer tool: an unauthenticated arbitrary file write via remote download that leads to remote code execution (RCE). Affecting versions 2.11 and earlier, it enables attackers to upload malicious files via a crafted SFTP or FTP connection, compromising servers without credentials. This flaw has seen active exploitation through opportunistic scans. As of January 2026, vulnerable instances remain exposed.