Speaking Different Languages: How to Align Dev and Sec Teams Effectively

Security issues in software development often stem not from developers’ lack of concern but from a fundamental disconnect between development and security teams. Each wants to do their job well, but their goals and expectations frequently conflict. This misalignment costs organizations in heightened security risks and tangible operational setbacks. Security issues identified too late in the cycle delay releases and increase project costs.

Snyk Named a Leader in the 2025 Forrester SAST Wave: SAST Solutions, Q3 2025

We’re excited to announce that Snyk has been recognized as a Leader in the Forrester Wave: Static Application Security Testing (SAST) Solutions, Q3 2025. This recognition affirms our place at the forefront of developer-first security — and highlights the innovation, customer impact, and platform breadth that continue to set us apart.

npm Supply Chain Attack via Open Source maintainer compromise

On Monday, September 8th, a highly regarded open source developer, ~qix, was compromised via a phishing email. ~qix is the author and maintainer of a large number of popular npm packages and was caught by this attack after responding to a message from the email address of support help. This resulted in the attacker taking over his npm account and gaining the ability to publish malicious versions of the packages to which ~qix had privileged access.

What an 'Aha' Moment with an Org Admin Token Taught One DevSecCon Speaker About AI Security

As the summer winds down and conversation around AI Security heats up, the Snyk team is in full swing planning mode for a double-header this October—with the return of DevSecCon’s Flagship conference, focusing this year on Securing the Shift to AI Native, and serving as the founding partner of the inaugural AI Security Summit.

Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident

On August 26–27, 2025 (UTC), eight malicious Nx and Nx Powerpack releases were pushed to npm across two version lines and were live for ~5 hours 20 minutes before removal. The attack also impacts the Nx Console VS Code extension.

Prioritize with Snyk's Open Source Vulnerability Experience

Prioritizing which vulnerabilities to fix across your application isn't always easy. Is it exploitable? Is it reachable? Will the update introduce breaking changes? Are there any other teams using this library that you should be aware of? What does the backlog look like if other changes need to be made? And that's just this week. Next week, it'll be the same thing all over again, with new discoveries, new version releases, and maybe even a new cybersecurity breach.

Agentic Container Security with Snyk MCP Server

Did developers steal the spotlight of agentic workflows with the wave of AI coding assistants sweeping the media, startups, and tech? What about DevOps workflows, container security, and operating system vulnerability scanning? One of the most time-consuming tasks for application security engineers and those responsible for production artifacts is tracking Common Vulnerabilities and Exposures (CVEs) and how they impact a bundled application.

Meeting the AI Mandates with Confidence: Why Federal Teams Trust Snyk

Federal agencies are moving fast to unlock AI's potential—from improving citizen services to driving mission outcomes. But with all that innovation comes a new wave of complexity and risk. Security, trust, and transparency can’t be afterthoughts. They need to be part of the build and AI adoption process from day one. AI-driven development is exponentially increasing both code speed and code insecurity, as AI generates code with up to 40% more vulnerabilities than human developers.