Snyk

Computer and Network Security

Boston, Massachusetts 116,098 followers

Trust AI at full speed.

About us

Snyk, the leader in secure AI software development, empowers organizations to build fast and stay secure by unleashing developer productivity and reducing business risk. The company’s AI Trust Platform seamlessly integrates into developer and security workflows to accelerate secure software delivery in the AI Era. Snyk delivers trusted, actionable insights and automated remediation, enabling modern organizations to innovate without limits. Snyk is redefining secure AI-driven software delivery for over 4,500 customers worldwide today. Snyk was named a Leader in the 2023 Gartner Magic Quadrant™ for Application Security Testing (AST) and in The Forrester Wave™: Software Composition Analysis (SCA) 2023, and has been recognized on the Forbes Cloud 100 2022 along with the 2023 CNBC Disruptor 50. For more information, visit https://snyk.io.

Website: https://snyk.io/platform
Industry: Computer and Network Security
Company size: 1,001-5,000 employees
Headquarters: Boston, Massachusetts
Type: Privately Held

Updates

  • View organization page for Snyk

    Game ON! ⚽️ We just kicked off our Fan Zone tour on our home turf in Boston! From our Red Teaming challenge and vibe coding battles to our chatbot hack, the AI security competition was friendly, but the prizes were serious. Next stop: NYC 6/4 @ 2pm ET — are you game? Get on the Snyk Connect roster in a city near you: https://wc.snyk.io/

  • Snyk reposted this

    💥💡The attacker side of AI security has already gone agentic. The question is whether you get there first. Today we launched Evo Continuous Offensive Security (COS). Context-aware AI Pentesting that gets outside your applications before an autonomous attacker can do it for you. Not a scanner. A purpose-built offensive security system that already knows your code. Business logic flaws, BOLA, IDOR, authorization gaps. The vulnerabilities AI-generated code is pushing into production can't be found by pattern matching. You have to understand what an application is supposed to do before you can determine how to abuse it. Point solutions rushing into this market are reasoning blind, without your data flows, your deployment environment, your trust boundaries, or your prior scan history. They can't tell you whether a finding is theoretical or genuinely exploitable in your stack. That's not just a minor limitation; it's the whole problem! And it's why every security leader I talk to is asking the same thing: How do we get ahead of what attackers can now do at machine speed? The answer starts with context. Evo COS ingests everything the Snyk platform already knows about your code: SAST findings, SCA results, prior DAST scans, asset intelligence. It uses a coordinated system of offensive grade frontier models and Snyk's own purpose-built models to reason about where real risk lives. Then it connects findings into attack narratives. Not "here are 47 vulnerabilities." But "here are the three paths that matter, here's why, and here's what to do." Emburse is in production with it today. Clearer visibility into exploitable vulnerabilities and how they chain together, giving their team the ability to prioritize what actually matters. Some of the largest tech and fin svcs customers in the world have been a design partner. A typical pentest runs 15 days. Agentic attackers don't wait for the other 350. This is the shift from point-in-time testing to continuous offensive security. 
    The era of annual pentests was designed for human development cycles. AI doesn't develop on that schedule, and neither do the attackers targeting it. More details: https://lnkd.in/ef4WwkQv

  • View organization page for Snyk

    Today, we're excited to unveil Continuous Offensive Security, the newest product in the Evo by Snyk ecosystem. It brings AI-native pentesting to the enterprise. Scanners find bugs. Pentesters find exploits. That distinction has defined application security for two decades, and it's why the highest-impact vulnerabilities (broken auth, BOLA, privilege escalation, business logic abuse) still get found by attackers before defenders. You can't pattern-match a flaw; you have to reason about it. AI has changed what's possible on the defender's side. Evo Continuous Offensive Security brings reasoning-capable testing to the parts of your application where bugs end and flaws begin. It’s grounded in everything the Snyk platform already knows about your code, and paired with DAST so the AI focuses where reasoning actually matters. The full walkthrough is in the video below 🎥 Get all the details here: https://lnkd.in/e-SYkiUn

  • Snyk reposted this

    Today, we're unveiling Continuous Offensive Security, a part of the Evo by Snyk platform. The AI era demands new categories of security tooling, and Snyk is going to be the company that builds them. A little over a year ago, we stood up ETSO, the strategic lab inside Snyk to take on the hardest, most ambitious problems in AI security from first principles. The premise was simple: give a brilliant team the room to think big and build from scratch. Evo Continuous Offensive Security is the second product to graduate from that bet, following AI-SPM, and it's a great example of what happens when you invest in innovation. What our team built reasons about applications the way attackers do, finding the architectural flaws and business logic vulnerabilities that scanners simply can't see. It's the kind of capability that used to require an expensive human pentest twice a year. Now it runs continuously. To the team behind Evo COS: what an amazing accomplishment. I am incredibly proud of the Snyk team and want to thank our customers and design partners who shaped this in early access. Thank you for building this future with us. Read the announcement here: https://lnkd.in/ejnMJdW2

  • View organization page for Snyk

    See you in the Fan Zone ⚽️ 🏆 This summer, we're bringing the Snyk Connect community together across the US and Canada for a series of meetups and watch parties you won't want to miss. Our Fan Zone Community Jams are part tournament, part tailgate, all defense. Expect live hacking and head-to-head AI security challenges, stadium-style eats, and giveaways worthy of a champion. Boston, New York, Chicago, Toronto, Atlanta, San Francisco, Charlotte, Twin Cities. Grab your spot here: https://wc.snyk.io/

  • View organization page for Snyk

    🚨 Active supply chain attack: 700+ Laravel package versions compromised 🚨 An attacker rewrote historical Git tags across four laravel-lang/* packages, pointing them to a malicious fork. Packagist ingested them as legitimate releases. A hidden helpers.php file — autoloaded on every PHP request — downloads a credential stealer targeting cloud keys, .env files, SSH keys, Kubernetes tokens, browser logins, and more, then ships everything to an attacker-controlled server. Every version of laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions is affected. Packagist has unlisted the packages, but if you installed any of them between May 22–23, treat the environment as compromised. Run snyk test against your Composer repos now. If you’re a Snyk Enterprise customer, check Analytics → Remediation → Zero Day Report. If you’re affected: rebuild from clean images, rotate every credential your PHP process could read, and block flipboxstudio[.]info at your DNS and perimeter. Full IoCs and remediation guidance in our advisory. This is what makes supply chain attacks so effective — the official repo looked fine. The compromise happened in the publishing pipeline. Read the full report here: https://lnkd.in/edN7HXXD

  • View organization page for Snyk

    ICYMI: The Snyk Security Desktop Extension is now available in Claude Desktop for macOS and Windows 🔐 Yesterday, we announced that Evo by Snyk integrates with Claude Enterprise, giving security and compliance teams cloud-side governance over their Claude environment. But we're also meeting builders and AI innovators exactly where they're working, embedding real-time scanning and vulnerability context directly into the Claude workflow. As Claude generates or edits code, Snyk surfaces actionable findings so you can catch issues at inception, not after they've already shipped. ▶️ Watch the video below to see how to connect Snyk to Claude Desktop. Read the full announcement: https://lnkd.in/eWDbgrnD

  • View organization page for Snyk

    Real partnerships. Real customer value. Starting today, a new integration between Anthropic Claude Enterprise and Evo by Snyk allows enterprise security and compliance teams a view into every model, MCP server, and tool permission. It's a single view for comprehensive risk scores, usage breakdowns, and an audit trail your GRC team will love. Watch below to see comprehensive governance in action 🎥 Read more here: https://lnkd.in/eWDbgrnD

  • View organization page for Snyk

    Our CRO Tom Nielsen sat down with Kyle Alspach at CRN to talk about what's keeping security teams up at night: AI coding agents are shipping code faster than security teams can review it. That's not a future problem; it's the reality reshaping how enterprises think about risk right now. Partners embedded directly in customer environments are uniquely positioned to help govern AI-driven development at scale. Mark Thornberry, SVP of Partnerships at GuidePoint Security, joined the conversation and put it well: the big questions customers are asking right now are "How is AI being used? How can it impact my business? And what do I need to go do?" Read the full story here: https://lnkd.in/eMTy8brd

  • View organization page for Snyk

    Another day another critical compromise ‼️ Yesterday we published coverage of the AntV npm supply chain attack. Today, the same campaign appears to have reached PyPI. `durabletask`, a Microsoft-associated Python package for workflow orchestration, was found to contain a malicious payload acting as a dropper. It fetches a second-stage payload (`rope.pyz`) from an attacker-controlled server, then executes a full infostealer targeting cloud provider credentials, password managers, and developer tools. The same release also includes a worm component and a disk wiper. The credential harvesting runs on Linux systems only. Snyk has catalogued this under SNYK-PYTHON-DURABLETASK-16761538 and has the package health page updated. Snyk customers can review exposure through the “Active Security Incident Assessment for Antv Supply Chain Compromise - May 2026” Zero Day Report in-app. With ~103K weekly downloads, the direct blast radius of this specific compromise is relatively contained. That said, the pattern of a campaign progressively targeting higher-profile and more broadly trusted package ecosystems warrants attention. Full details and detection steps: https://lnkd.in/dJn2fAT8

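For the laravel-lang compromise described in the updates above, one way to check a project's `composer.lock` for the four affected packages and to show what each one autoloads. This is an added example, not Snyk's code or part of the original posts; the function name, the output fields and the sample lock file are constructed for illustration.

```python
import json

# Package names taken from the post, which states every version is affected.
AFFECTED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

def find_affected(lock_text):
    """Return one finding per affected package recorded in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    # Composer records runtime and dev dependencies in separate arrays.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = str(pkg.get("name", "")).lower()
            if name not in AFFECTED:
                continue
            source = pkg.get("source") or {}
            autoload = pkg.get("autoload") or {}
            findings.append({
                "section": section,
                "name": name,
                "version": pkg.get("version"),
                # Commit the tag resolved to at install time; compare it with
                # the upstream repository, since the tags were rewritten.
                "reference": source.get("reference"),
                "source_url": source.get("url"),
                # Files Composer loads on every request (where helpers.php sat).
                "autoload_files": autoload.get("files", []),
            })
    return findings

# Constructed sample lock file: placeholder values, not real IoCs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v0.0.0-sample"},
        {"name": "laravel-lang/lang", "version": "0.0.0-sample",
         "source": {"type": "git", "url": "https://example.invalid/fork.git",
                    "reference": "PLACEHOLDER_COMMIT"},
         "autoload": {"files": ["src/helpers.php"]}},
    ],
    "packages-dev": [{"name": "Laravel-Lang/Attributes", "version": "0.0.0-sample"}],
})

if __name__ == "__main__":
    for f in find_affected(SAMPLE_LOCK):
        print(f["section"], f["name"], f["version"], f["reference"], f["autoload_files"])
```

A hit only shows the package was resolved into the project; whether it was installed in the May 22–23 window has to be established from deploy or CI history.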

Funding

Snyk: 13 total rounds
Last round: Corporate round, US$ 25.0M
Investors: ServiceNow