Snyk

On May 14, 2026, multiple malicious versions of the popular npm package node-ipc were published to the npm registry. Current public reporting identifies node...

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory — producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stolen, and what you need to do right now.

Foreign Filing filed 2026-05-05

A malicious release of the lightning PyPI package ships a credential-stealing Bun payload that runs on import. Snyk has a live advisory. Here's what's in the package, what to rotate, and how the payload pattern connects to the Mini Shai-Hulud npm campaign one day earlier.

A new npm supply chain attack self-branded "Mini Shai-Hulud" compromised four SAP-ecosystem packages on April 29, 2026. Snyk has live advisories. Here's the technical breakdown, IOCs, and what to do.

CVE-2026-40478: The Thymeleaf template injection (CVSS 9.1) is conditional. Patch to 3.1.4+ immediately, and audit your code for dynamic view or template expression misuse, which is the key precondition for exploitability.

Bridge the gap to autonomous fixes. Snyk and Atlassian integrate to transform Jira security tickets into precision fixes using Snyk Studio AI, eliminating context switching and resolving vulnerabilities in minutes.

Foreign Filing filed 2026-04-29

Attackers exploited a GitHub Actions script injection vulnerability to publish a malicious version of the elementary-data Python CLI (v0.23.3), embedding a credential-stealing backdoor that targeted dbt profiles, cloud provider keys, and SSH secrets from data engineering environments.

Two authentication bypass vulnerabilities (CVE-2026-3965, CVE-2026-4047) in the Qinglong task scheduling panel were exploited in the wild to deploy cryptomining malware. Here's what happened, how the attacks worked, and what self-hosted application operators should learn from this incident.

Snyk Agent Fix upgrades to a new agentic architecture for faster, smarter, and more secure AI-powered code fixes. Now with full Snyk Code language coverage and verified remediation.