Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Modern development teams are currently drowning in security debt, often trapped in a manual, fragmented cycle of "find and fix" that slows down innovation. Even when equipped with high-fidelity vulnerability data, traditional workflows require developers to constantly context-switch between Jira tickets and their codebases to manually implement and test patches.

The Thymeleaf vulnerability with a CVSS score of 9.1 grabs your attention, as it should. But before you call the cavalry and claim this as the new Log4shell, read this first. CVE-2026-40478 is a server-side template injection vulnerability in Thymeleaf. Thymeleaf is a templating engine in Java that is used for server-side webpage rendering. The sandbox that normally prevents arbitrary code execution got bypassed using a tab character. And yes, this can lead to a remote code execution if exploited.

On April 29, 2026, attackers published malicious versions of four npm packages in the SAP development ecosystem: mbt, @cap-js/db-service, @cap-js/sqlite, and @cap-js/postgres. Each compromised release ships a preinstall hook that downloads the Bun JavaScript runtime from GitHub Releases and uses it to execute an ~11.6 MB obfuscated credential stealer.

In early February 2026, users of Qinglong (青龙), a popular open source timed task management platform with over 19,000 GitHub stars, began reporting that their servers were maxing out CPU usage. The cause was a cryptominer binary called.fullgc, deployed through two authentication bypass vulnerabilities that allowed unauthenticated remote code execution. The attacks went largely unnoticed in the English-speaking security community.

JPMorganChase's Global Technology Leadership published "Fortifying the enterprise: 10 actions to take now for AI-ready cyber resilience" on April 17, 2026. It's a CISO mandate for every large enterprise. Snyk directly addresses 8 of those 10 actions — out of the box, in the developer workflow, with one platform.

In the modern software development lifecycle, the speed of innovation is often at odds with the security of our most sensitive data. As organizations embrace cloud-native development and AI-generated code, they face a phenomenon known as “secret sprawl”, aka, the uncontrolled and widespread distribution of API keys, passwords, and tokens across repositories, CI/CD logs, and developer collaboration tools.

Anthropic just open-sourced vulnerability discovery at scale. Now what? A few weeks ago, Anthropic launched Glasswing, a $100 million initiative to use AI to identify vulnerabilities at scale. Around the same time, they introduced Claude Mythos, a system that can autonomously discover and exploit software flaws. I wrote about this trajectory in my previous analysis: AI accelerates discovery, but enterprise trust still depends on deterministic validation, remediation automation, and governance at scale.

In November, we shared our vision for the Future of Snyk Container, outlining a fundamental shift in how teams secure the modern container lifecycle. We promised a future where security doesn’t just “scan” but scales effortlessly with the speed of the AI-driven, agentic world. Today, we are thrilled to announce that we are moving from vision to reality.

For a brief window, a widely used open source package in the AI ecosystem was compromised with credential-stealing malware. LiteLLM, a model gateway used to route requests to more than 100 LLM providers, has been downloaded millions of times per day. In that short window, the malicious versions were likely pulled tens of thousands of times before being caught.

In 2025, we embarked on a new journey to secure the most important technology transformation of this decade – generative AI. Our vision is to help companies secure their AI fast, so that they can innovate on the cutting edge and put AI and agentic use cases into production. To do this, we built Evo, the world’s first agentic orchestrator for AI security. The foundation of any product is customer needs.