Vulnerabilities

Understanding filesystem takeover vulnerabilities in npm JavaScript package manager

On the 11th of December, 2019  a security vulnerability which extends to all major JavaScript package managers (npm, yarn and ...

Malicious packages found to be typo-squatting in Python Package Index

Two malicious packages were removed from the Python Package Index (PyPI) this week. These packages, jeIlyfish (a misspelling of the ...

Snyk Unifies Open Source and Container Security for Coveo

It’s an exciting time for our team with the recent launch of Snyk Container and just coming back from KubeCon. ...

See Snyk and GitHub in action at GitHub Universe

At Snyk, we are committed to building security tools that help developers shift security left to embrace security and quality ...

Why npm lockfiles can be a security blindspot for injecting malicious modules

I recently started playing around with the idea of threat modeling packages on the npm ecosystem. Can an event-stream incident ...

Sequelize ORM npm library found vulnerable to SQL Injection attacks

Object-Relational Mappers, also commonly referred to as ORMs, are a set of SQL libraries that help developers manage their database ...

Code execution back door found in Ruby's rest-client library

On August 19th, 2019 rest-client, a simple HTTP and REST client for Ruby, reported a new security threat. A maintainer’s ...

Jackson Deserialization Vulnerability

On July 29th, 2019 a high severity Deserialization of Untrusted Data vulnerability ( CVE-2019-14379, CVE-2019-14439) affecting all versions of com.fasterxml.jackson.core:jackson-databind ...

A year-old dormant malicious remote code execution vulnerability discovered in Webmin

On August 17, 2019, the Webmin team announced the release of Webmin 1.930 and Usermin 1.780. These releases address a ...