Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Snyk VulnBench JS 1.0: Can LLMs Find the Same Bugs Twice?

We ran 300 vulnerability-finding scans to measure how repeatable an agentic LLM security review is on the same code, prompt, and harness. The headline result is not that one scanner "wins" a self-referential leaderboard. It is that LLM security findings are unevenly repeatable: reference-matched findings were stable, but extra-model reports varied widely from run to run.

GLM 5.2 vs Opus 4.8: Cheaper AI Code, Hidden Risks?

GLM 5.2 just launched from Z.ai, and it might be one of the biggest threats yet to the frontier model premium. It’s open, significantly cheaper than Claude Opus 4.8, and claims to deliver near-frontier coding performance across major benchmarks. But benchmarks only matter if the model can actually build something production-ready.

NVD in the AI Era: The Case for Multi-Source Vulnerability Intelligence

For over twenty years, the global security community has operated under a single, comfortable assumption: that a centralized public source could help track, analyze, and enrich the world’s software vulnerabilities at the pace the industry needed. When the National Vulnerability Database (NVD) was established, the open source vulnerability lifecycle moved at a radically different pace.

The New Security Control Point: Governing AI Agents Inside the Execution Loop

As organizations adopt AI agents to build software, security teams face a new challenge: risk is no longer introduced only through the code that gets produced. It emerges continuously through the tools agents use, the actions they take, and the code they generate. This is the problem Evo Agentic Development Security (ADS) was designed to solve. ADS secures all three layers of the agentic development system—what agents use, what they do, and what they generate.

Announcing Agentic Development Security (ADS)

Today, we're announcing Agentic Development Security (ADS), a new Evo solution designed for securing AI-driven software development. AI agents are now active participants in the software development process, selecting tools, executing actions across systems, and generating production-ready code at machine speed.

What nearly 10,000 developer environments reveal about agentic development risk

For years, application security teams have focused on a familiar set of questions: Is the code secure? Are the dependencies vulnerable? Is the build pipeline protected? Are issues being caught before they reach production? Agentic development adds a new question: What systems, tools, instructions, and permissions helped produce this code? AI coding agents are no longer just suggesting snippets or completing lines of code.

How to Setup AI Rules, Skills, Hooks and MCPs

In this video, we break down how to properly set up and use AI extension points - specifically MCP (Model Context Protocol) servers, Rules, Skills, and Hooks - to supercharge your development workflow. Using practical, security-flavored examples with Claude Code and Snyk, you'll learn how to configure a local project environment that automatically catches vulnerabilities before they ever hit your codebase. Whether you use the Claude CLI, VS Code extensions, or alternate AI ecosystems like Cursor or Gemini, you can use these exact steps as a blueprint to automate any workflow in your project.

A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope

An attacker republished the entire @mastra npm scope on June 17, 2026, slipping a single malicious dependency into 143 packages and counting, including @mastra/core, which pulls roughly 4 million downloads a month and has hundreds of dependent projects. The injected dependency, easy-day-js, is a dayjs lookalike whose install hook disables TLS verification, downloads a second-stage payload from a raw IP address, and runs a cross-platform cryptocurrency stealer in the background.

The Government Just Banned an AI Model. An Engineer's Perspective.

I've spent the better part of three years wiring AI into how my teams build and ship software. So when the news broke this week that the US government had effectively switched off an AI model, I was legitimately shocked. Not for one country. Not for one company. For everyone on the planet, all at once. Three days. That's how long Anthropic's Fable 5 and Mythos 5 models were available before the government ordered them shut off for everyone.