Vulnerabilities

Learn more about vulnerabilities and exploits from our dedicated security team and others.

Snyk finds 200+ malicious npm packages, including Cobalt Strike dependency confusion attacks

Snyk recently discovered overt 200 malicious packages in the npm registry. While we acknowledge that vulnerability fatigue is an issue for developers, this article is not about the typical case of typosquatting or random malicious package. This article shares the findings of targeted attacks aimed at businesses and corporations that Snyk was able to detect and share the insights.

May 24, 2022

How LiveRamp used Snyk to remediate Log4Shell

When Log4Shell hit in mid-December 2021, LiveRamp had just completed its POC (proof of concept) trial with Snyk. While LiveRamp’s main motivation for deploying Snyk was to secure its CI/CD pipeline, Snyk was able to discover and remediate this major zero-day exploit.

May 19, 2022

Targeted npm dependency confusion attack caught red-handed

Once in a while we encounter a truly malicious package that has a purpose, means, and is production-ready — this is a story about one found in npm: gxm-reference-web-auth-server.

April 29, 2022

Under the C: A glance at C/C++ vulnerabilities in Python land

In this post, we'll discuss why developers include native C/C++ extensions in their high-level language projects. Then, we'll use Python and the PyPI registry to detect hidden C-related vulnerabilities in higher-level language projects and reveal how low-level vulnerabilities can impact higher-level code.

April 28, 2022

Browsers tormented by open roll vulnerability

The open-roll vulnerabilty shows why you should never click unexpected links!

April 1, 2022

Alert: LaughTilYouCry ransomware sabotages npm package (with puns)

Alert: Faxios has been breached by the LaughTilYouCry ransomware, which has flooded the hard drives of users with horrible puns and dad jokes.

April 1, 2022

Spring4Shell: The zero-day RCE in the Spring Framework explained

On March 30, 2022, a critical remote code execution (RCE) vulnerability was found in the Spring Framework. More specifically, it is part of the spring-beans package, a transitive dependency in both spring-webmvc and spring-webflux. This vulnerability is another example of why securing the software supply chain is important to open source. Security resources like Lunasec,

March 31, 2022

Spring4Shell: What we know about the Java RCE vulnerability

Spring4Shell or SpringShell is a credible RCE vulnerability in spring-beans package, which is part of Spring Core. This is a key enabler of the inversion of control (IoC) capabilities of Spring. This is often referred to as dependency injection.

March 30, 2022

Protestware is trending in open source: 4 different types and their impact

A few days ago, Snyk reported on a new type of threat vector in the open source community: protestware. The  advisory was about a transitive vulnerability — peacenotwar — in node-ipc that impacted the supply chain of a great deal of developers. Snyk uses various intel threat feeds and algorithms to monitor chatter on potential

March 21, 2022

dompdf security alert: RCE vulnerability found in popular PHP PDF library

A major RCE vulnerability has been identified in PHP library dompdf. Code can be loaded into an application and then remotely executed whilst a PDF is being generated.

March 18, 2022

Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine

Vue.js users using the dependency “node-ipc” are experiencing a supply chain attack protesting the invasion of Ukraine, from a package named “peacenotwar”.

March 16, 2022