Snyk

Computer and Network Security

Boston, Massachusetts 114,087 followers

Trust AI at full speed.

About us

Snyk, the leader in secure AI software development, empowers organizations to build fast and stay secure by unleashing developer productivity and reducing business risk. The company’s AI Trust Platform seamlessly integrates into developer and security workflows to accelerate secure software delivery in the AI Era. Snyk delivers trusted, actionable insights and automated remediation, enabling modern organizations to innovate without limits. Snyk is redefining secure AI-driven software delivery for over 4,500 customers worldwide today. Snyk was named a Leader in the 2023 Gartner Magic Quadrant™ for Application Security Testing (AST) and in The Forrester Wave™: Software Composition Analysis (SCA) 2023, and has been recognized on the Forbes Cloud 100 2022 along with the 2023 CNBC Disruptor 50. For more information, visit https://snyk.io.

Website: https://snyk.io/platform
Industry: Computer and Network Security
Company size: 1,001-5,000 employees
Headquarters: Boston, Massachusetts
Type: Privately Held

Updates

  • Snyk reposted this

    🚨 Yesterday npm. Today PyPI. Tomorrow? Your AI coding workspace.

    This morning, malicious versions of the PyTorch Lightning package (2.6.2 and 2.6.3) were published to PyPI. Nearly 8 million monthly downloads. A hidden _runtime directory ships Bun + an ~11 MB obfuscated JavaScript credential stealer that fires the instant you run import lightning. PyPI has already quarantined the project.

    The payload itself isn’t new — it’s the latest evolution of the Mini Shai-Hulud campaign. Same exact cipher (__decodeScrambled, PBKDF2/SHA-256 with 200,000 iterations, salt ctf-scramble-v2) as yesterday’s SAP cap-js compromise, last week’s Bitwarden CLI hit, and the Checkmarx KICS incident before that. One toolkit, four registries, eight days.

    But here’s the part that should make every AI-native developer and AppSec leader sit up straight: The attackers aren’t just stealing credentials — they’re weaponizing AI coding agent configuration files for persistence. The malware automatically injects:

    - .claude/settings.json with a SessionStart hook that fires every time you open Claude Code in the repo
    - .vscode/tasks.json with runOn: folderOpen that executes the moment VS Code touches the folder
    - A malicious format-check.yml GitHub Actions workflow that quietly exfiltrates ${{ toJSON(secrets) }} to a downloadable artifact

    Commits are even signed as claude to look like legitimate Anthropic Claude Code activity.

    AI agent configs (.claude/, .cursor/, .vscode/) are now first-class supply-chain attack surface. They were built for productivity and seamless developer experience. Attackers turned that trust into silent, automatic execution — no extra clicks required. Workspace Trust doesn’t save you once the repo is already poisoned.

    Full technical write-up: https://lnkd.in/eUbmdQzi
    Snyk Advisory: https://lnkd.in/eYvQRfSd

    This isn’t just another dependency attack. It’s a signal that the tools we’re adopting to ship faster — AI coding agents, auto-configured IDEs, seamless hooks — are becoming the new high-value targets. The era of “set it and forget it” AI developer environments is over. Config files that execute on folder open or session start now deserve the same code-review rigor we apply to GitHub workflows.

    At Snyk we’re already building the visibility, policy enforcement, and runtime protections to treat these AI surfaces with the seriousness they now demand. The attackers are moving at machine speed. Our defenses have to be faster.

    What are you doing in your org to secure AI-augmented developer workflows?

    #AppSec #AISecurity #DevSecOps #Snyk
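
A repository check for the three auto-executing files the post above lists, as an added example that is not part of the original post or of Snyk's tooling. The function names `scan_repo` and `demo`, the `hooks` → `SessionStart` layout assumed for `.claude/settings.json`, and all sample file contents are assumptions constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# GitHub expression functions are case-insensitive, so match toJSON(secrets) loosely.
SECRETS_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)
# tasks.json may contain comments (JSONC), so it is matched as text, not parsed.
RUN_ON_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')

def scan_repo(root):
    """Return (relative path, reason) pairs for config that runs without a click."""
    root, findings = Path(root), []
    claude = root / ".claude" / "settings.json"
    if claude.is_file():
        try:
            cfg = json.loads(claude.read_text(encoding="utf-8"))
            hooks = cfg.get("hooks") if isinstance(cfg, dict) else None
            if isinstance(hooks, dict) and hooks.get("SessionStart"):
                findings.append((".claude/settings.json", "SessionStart hook"))
        except ValueError:  # malformed JSON or bad encoding: surface it, do not skip it
            findings.append((".claude/settings.json", "unparseable, review by hand"))
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file() and RUN_ON_OPEN.search(tasks.read_text(encoding="utf-8", errors="replace")):
        findings.append((".vscode/tasks.json", "task with runOn: folderOpen"))
    workflows = root / ".github" / "workflows"
    if workflows.is_dir():
        for wf in sorted(workflows.iterdir()):
            if wf.suffix in (".yml", ".yaml") and SECRETS_DUMP.search(
                    wf.read_text(encoding="utf-8", errors="replace")):
                findings.append((wf.relative_to(root).as_posix(), "workflow serialises all secrets"))
    return findings

def demo(poisoned):
    """Build a constructed sample repo in a temp dir and scan it."""
    hook = {"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "echo placeholder"}]}]}}
    task = '{"tasks": [{"label": "fmt", "command": "echo placeholder", "runOptions": {"runOn": "folderOpen"}}]}'
    # A workflow that reads one named secret is normal and must not be flagged.
    files = {".github/workflows/ci.yml": "env:\n  TOKEN: ${{ secrets.PYPI_TOKEN }}\n"}
    if poisoned:
        files[".claude/settings.json"] = json.dumps(hook)
        files[".vscode/tasks.json"] = "// constructed sample\n" + task
        files[".github/workflows/format-check.yml"] = "env:\n  ALL: ${{ toJSON(secrets) }}\n"
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return scan_repo(tmp)
```

A hit is a prompt for code review of that file, not proof of compromise: legitimate projects also use SessionStart hooks and folderOpen tasks.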

  • Snyk

    AI is shipping code at machine speed, but is your governance still running on quarterly audits? 📈 As GenAI moves from pilot programs to core operations, financial institutions are facing a new speed of risk. Our latest whitepaper explores how to shift from reactive security to continuous governance that meets DORA, PCI DSS, and the EU AI Act requirements. Download the framework here: https://lnkd.in/eGgD8qkk

  • Snyk

    Attackers have compromised four key npm packages to deploy a sophisticated credential stealer. Using a malicious preinstall hook, the campaign fetches the Bun runtime to execute an 11.6 MB obfuscated payload ⛔️ This isn't just a passive stealer; it includes self-propagation code and creates dead-drop GitHub repositories tagged with the "Shai-Hulud" moniker to exfiltrate your data. If you see that string in your GitHub metadata, you've been hit. Snyk has already published advisories for all four packages. Run snyk test now to identify affected versions and block the execution chain before it spreads through your environment. 🔗 Deep dive into the deobfuscation here: https://lnkd.in/e2CGiHpN

  • Snyk

    It's now as simple as typing "/snyk-fix" with a Jira ticket as context into your coding assistant of choice to instantly trigger integrated remediation workflows ✅ We’re thrilled to partner with Atlassian to bridge the gap between Jira and your ADE, allowing developers to orchestrate AI-driven remediation without ever leaving their workspace. By leveraging Snyk Studio recipes and agentic skills, teams can now move beyond manual triaging to resolve vulnerabilities in minutes. Read the full blog to see how we're transforming DevSecOps into autonomous remediation: https://lnkd.in/eGirJ7Pg

  • Snyk

    As Snyk continues to pioneer the future of AI security, we are excited to share a strategic update regarding our leadership team. After seven impactful years as CEO, Peter McKay is transitioning into a role as Company Advisor. We are incredibly grateful for the foundation Peter has built over nearly a decade and look forward to his continued guidance in this next chapter. As we search for a permanent successor, our CFO, Kenneth MacAskill, will step into the expanded role of Interim CEO. Ken’s operational discipline and deep understanding of our business make him the ideal leader to maintain our momentum and oversee day-to-day operations during this transition. We are also thrilled to welcome our founder, Guy Podjarny, back to the Board of Directors as Chairman. Guy offers a distinctive blend of experience, drawing from his role as Snyk's founder and his work founding and leading an AI-native company. His entrepreneurial energy and unique perspective will help further accelerate our AI strategy, ensuring Snyk remains at the forefront of the industry. We are energized by the road ahead and remain fully committed to our mission of helping developers build securely.

  • Snyk

    Randall Degges, Snyk's VP of AI Engineering and DevRel, recently built our new lead generation system in just three days. He estimates it'll save our team ~1,300 hours every year. Being an AI Security company requires more than just selling the vision. It means building with the tools ourselves; we believe in practicing what we preach. That's why Randall was eager to sit down with Brianna Monsanto from IT Brew to discuss the evolving build vs. buy debate and how Snyk is navigating this new era of internal AI development. Read the full story here: https://lnkd.in/eRqmK4rx

Funding

Snyk 13 total rounds

Last Round

Corporate round

US$ 25.0M

Investors

ServiceNow