This is our fourth threat intelligence post. When appropriate, we will aim to share some wider industry news that might impact our clients.
We initially thought about doing this weekly, but after a few weeks realised it would just become a short list of links. That has some value, but going forward we will only share when there is something actionable for our clients.
We will be covering JavaScript, Postgres, Heroku, Render, Cloudflare, and GitHub, as well as wider geopolitical points. We cover mostly security and attack related news, but also sometimes the ecosystem in which the tech runs.
If you want to view previous issues of this, you can check out our Threat Intelligence area.
JavaScript
The Shai-Hulud malware infecting npm packages as part of a supply chain attack is back. This writeup from GitLab is worth a read if you want to understand it at a technical level. From a practical standpoint, be extra cautious about which dependencies you update in your projects, and pin the versions you do take. We recently wrote about the cooldown setting in Dependabot, which only proposes versions that have been published for a set number of days (so, hopefully, have been tested by others and had any malicious release pulled by then).
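As an added example (this is not a file from our earlier post or from GitHub, and the day counts are illustrative choices, not recommendations): a `.github/dependabot.yml` for an npm project with a cooldown configured. The `cooldown` block tells Dependabot to ignore any version newer than the given number of days, with separate thresholds for major, minor and patch bumps; the `exclude` list names packages that are still updated immediately, which you would reserve for something like your own internal packages.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      # Fall-back wait for any version bump not matched below
      default-days: 7
      # Major bumps get the longest wait: they are rarer and riskier
      semver-major-days: 30
      semver-minor-days: 7
      # Patch releases are the usual vehicle for a hijacked publish,
      # so do not set this to 0 just because they "look harmless"
      semver-patch-days: 3
      # Apply the cooldown to every package ...
      include:
        - "*"
      # ... except these (hypothetical names; your own scoped packages)
      exclude:
        - "@acme/internal-ui"
```

Note that a cooldown only helps if someone (the npm security team, a vendor, the wider community) flags a bad release inside the window; it buys time, it does not verify anything. Keep a lockfile committed and review the diff of every Dependabot PR, especially new install or postinstall scripts in `package.json`.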
Postgres
Postgres 13 recently reached end of life, which means no more security updates or bug fixes. Hopefully you don't have anything running on 13 by this stage, but it is always worth checking (`SELECT version();` on each database, including any staging or analytics copies) and planning an upgrade.
Most of the time, if you are doing standard Postgres "stuff", upgrades are fairly painless. The one caveat is that a major version upgrade (13 to 16, say) is not an in-place package update: it needs a pg_upgrade run or a dump and restore, so test it against a copy of production and budget for a maintenance window, and check that any extensions you rely on have builds for the target version.
Heroku
Back in October Heroku had some issues that brought down parts of their service. They have since shared a writeup. Short-term actions include improved circuit breakers and better communication during incidents. Both seem like good improvements to make.
Heroku was the de facto hosting environment for lots of projects, especially Ruby on Rails, and many folks have stuck with them because they were the easy option. This incident aside, it is always worth considering whether your hosting company is still the best option. Quite a few of our clients have moved off Heroku this past year.
Render
Good to know that Render now supports Postgres 18. There is no immediate reason to upgrade if your version of Postgres is still in support, but there are some lovely new features and improvements if you needed a nudge!
Cloudflare
Cloudflare managed to bring down half of the internet recently! (hyperbole alert!) The root cause was a permission change on one of their database systems, which caused a query to return duplicate rows; the resulting oversized configuration file was then pushed out to their edge and could not be loaded by the proxy. Cloudflare have written a good writeup of the event. No immediate action is needed on your part, but it is worth working out which parts of your stack sit behind services like this and what mitigations you could put in place.
This was a particularly interesting incident because the Cloudflare dashboard was also down, so you could not change DNS settings away from Cloudflare even if you wanted to. If your nameservers are delegated to Cloudflare, the only lever left during an outage like this is changing the nameservers at your registrar, and that change takes hours to propagate. Make sure someone on the team has registrar access and knows where it is, and treat "we can always just flip DNS" as a plan that needs testing rather than an assumption.
GitHub
To help mitigate against supply chain attacks like the one mentioned above, GitHub continue to tighten their handling of npm tokens. The important point is that this affects tokens used for npm operations such as publishing, not GitHub tokens such as personal access tokens.
GitHub released their availability report for October, and there is nothing too worrisome in it. I wanted to share it because it is a good example of transparency and might be something worth adopting for your own team. Sharing a quick "why" after an incident shows you care.
Wider / Misc notes
The UK government's budget is due to be announced today, and early signs point to potentially more strain on businesses. It is tempting to deprioritise IT spend when projections are looking tight, but you only have to look at the cyberattacks being reported all the time, many of which come down to overstretched IT teams dropping the ball. We always advise our clients to do an honest risk assessment exercise before cutting corners on IT or software.
About this post
Knowing some of the wider issues within your application’s ecosystem can help you plan for the future and act appropriately.
One of the roles we perform for some of our clients is being a trusted source on the wider ecosystem challenges they face.
For years we have been doing this in various ways: formal quarterly briefings, ad hoc "heads-up" emails, or silently adjusting the roadmap to accommodate changes in the wider context.
Since most of our clients share common attributes (we mostly do Ruby development, mostly deploy to a couple of vendors, and so on), it makes sense to share this knowledge in one place so that others may benefit from it.
If you have found this post useful but don't have the capacity on your team to act on it, please do get in touch as we might be able to help.
Some disclaimers
This is for general information. Sharing something here does not mean we agree or disagree with it, only that it is a thing to be aware of.
This post does not claim to be a summary of absolutely everything that has happened. We are human, and we will miss things or forget to write about things we have seen.
To our clients
We will never share anything here that is specific to one client, and this does not replace whatever we are currently doing for you. And don't worry, we are compiling this in our personal time!
What is threat intelligence
Threat intelligence is evidence-based knowledge that provides context, indicators, and action-oriented advice on both existing and emerging threats to your systems.
The point of the intelligence is to help businesses make more informed decisions about their roadmap and future plans.