Learn more about vulnerabilities and exploits from our dedicated security team and others.
Last week the imaginable happened. A malicious package, flatmap-stream, was published to npm and was later added as a dependency to the widely used event-stream package by user right9ctrl. Some time, and 8 million downloads later, applications all over the web were unwittingly running malicious code in production. We wrote some early thoughts on our […]
A widely used npm package, event-stream, has been found to contain a malicious package named flatmap-stream. This was disclosed via a GitHub issue raised against the source repo. The event-stream package makes creating and working with streams easy, and is very popular, getting roughly 2 million downloads a week. The malicious child package has been […]
The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects.
Snyk identified and responsibly disclosed a directory traversal vulnerability found in FTP clients that connect to malicious servers. This post contains the full details of the vulnerability and what you can do to avoid it.
The OWASP Top 10 is a well known index of web app security vulnerabilities which is used every day by security professionals, but it doesn't currently take into account how often those vulnerabilities are used by hackers. We dug through security breach records to see which vulnerabilities are exploited most frequently.
Last month, we added a high-severity Prototype Override Protection Bypass vulnerability in the qs package to our database. The fix was released in updated versions of the library about a week ago. This post explains the vulnerability and how to mitigate it. qs is a popular npm package—just under 40 million downloads over the past […]