Boom 💥. The injected prompt silently appends `;whoami` to the command. Payload executed. Command injection triggered. Game over. Want to see how it works? 👉

The dev asks Cursor to list their S3 buckets. A tool call pops up. Looks normal. You click approve. Who wouldn’t? 🖱️

What do you want to know?.

Inside:.✅ Code to upload a file to an S3 bucket.💣 A prompt injection payload (sneaky). It enters the IDE context when the user references the file.

A seemingly harmless repo is cloned. 👇

Meet aws-mcp-server — an MCP server that lets your AI assistant interact with AWS via CLI. It used to have a command injection vulnerability (now fixed). A dev adds it to Cursor locally. No network exposure. What could go wrong?

Prompt Injection + Classic Vulns = A NEW Threat! 🤯 . Our Sec Labs team found ways to weaponize prompt injections to exploit vulnerabilities in real MCP servers. See how an unsuspecting dev gets owned, step-by-step. 🧵

AI-assisted development is changing the game — but traditional security struggles to keep up. Join us for a deep dive into the risks of Vibe Coding & how to secure your AI-powered SDLC. Save your seat 👉

We are LIVE on Youtube! Join us to see a demo of our new platform capabilities for securing AI development. See how to gain visibility with Snyk AI-BOM and proactively mitigate AI risks:

🚨 New threat: Persistent prompt injection with poisoned vector databases!. Discover how “RAGPoison” exposes this risk and learn how to protect your LLMs. Read more: #RAGPoison #PromptInjection #Cybersecurity.

Where visionaries, security & software pros unite to shape trusted AI: @AISecSummit — brought to you by Snyk and @aiDotEngineer. Execs or practitioners, our tailored tracks deliver hands-on workshops & practical AI security solutions. Learn more:

🕵️‍♂️ Can you spot the security issue?. As more devs use LLMs for coding, securing that code is critical. Snyk scans, finds & fixes vulnerabilities in both human- and AI-generated code before they become real threats. Extra credit: Human or AI — who wrote this code? 🤔

Not sure how to add MCP servers to Claude Code CLI? . Our very own Brian Clark breaks it down step-by-step in this quick walkthrough. It's perfect if you're just getting started or want a smoother setup. Watch now. 👇.

We came, we launched, we leveled up at #BlackHat2025. ✅ 3 product launches.✅ GenAI security deep dives.✅ Packed booth.✅ Named a @FortuneMagazine + @EvolutionEquity Top 50 Cybersecurity Company.✅ Featured in @CRN's 10 Cool New Security Products.

AI is accelerating but so are the risks. Join the AI Security Summit in SF Oct 22–23 to explore how we build and secure AI systems we can trust. From policy to prompt injection, it's where the future of AI security takes shape.

Major credit to the NixOS, Lix, and Guix teams for their incredibly fast response and for issuing patches to fix the issues. Want to see the full exploit chain, from file descriptor exfiltration to root shell? Read the full technical deep dive on our blog:

With arbitrary directory deletion, we targeted /tmp to race another Nix build process. This second race allowed us to hijack a chown call, letting us change the ownership of any file on the system to a user we controlled. The target? /etc/pam.d.

This foothold allowed us to create a classic Time-of-Check, Time-of-Use (TOCTOU) race condition. By modifying a directory while the garbage collector was running, we could trick a privileged Nix process into emptying any directory on the system.

Our path to root began by looking at failed builds. We found that we could exfiltrate a file descriptor from a sandboxed build process, giving us the ability to modify a directory inside the supposedly immutable /nix/store even after the build was finished!.

We just dropped a deep dive on a series of vulnerabilities the Snyk Security Labs team found in NixOS! . When chained together, they allow for a full privilege escalation from any user to root on a default installation. #NixOS #Linux #infosec #vulnerability.

📢 Big news: We're partnering with @Akamai to solve a major challenge in app security. Our new integration automates API discovery, letting you ingest comprehensive API inventories and schemas from Akamai directly into Snyk for one-click scanning.