Threat Intelligence Issue 5

Issue 5 of our Threat Intelligence information

This is our fifth threat intelligence post. When appropriate, we will aim to share some wider industry news that might impact our clients.

We will be covering JavaScript, Heroku, and GitHub, as well as wider geo-political points. We cover mostly security and attack related news, but also sometimes the eco-system in which the tech runs.

If you want to view previous issues of this, you can check out our Threat Intelligence area.

JavaScript

Axios, a popular JavaScript HTTP client, was involved in a supply chain attack. The person who fell victim to the attack has shared a post-mortem, which includes some information on how they were hacked.

If you use Axios you should check if you had an impacted version and if you do, assume your computer has been compromised and rotate secrets as needed.

There are some excellent reasons to need Axios, but some projects adopted it when other tooling wasn’t readily available. It is always worth checking if you need all of your dependencies or if your frameworks have better ways for dealing with things like network requests now.

If you use a tool to handle dependency management like Dependabot, make sure you’ve enabled a cooldown, so that newly published versions are held back for a period before they are proposed. You can do the same within npm/yarn/etc, which also let you add a cooldown; check the documentation for your tooling for more details.
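As an added example (not configuration from the original post), here is a `.github/dependabot.yml` for an npm project with Dependabot’s cooldown enabled; the day counts are illustrative choices, not recommended values.

```yaml
# .github/dependabot.yml (added example; the day values are illustrative choices)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Hold a new release back for a number of days before Dependabot will
    # open a PR for it. Malicious releases are often reported and removed
    # within days of publication, so the delay keeps that window from
    # reaching your lockfile. Larger version jumps get a longer wait.
    cooldown:
      default-days: 7
      semver-major-days: 30
      semver-minor-days: 14
      semver-patch-days: 7
```

A cooldown only delays adoption; it does not replace checking whether a version you already installed was one of the affected ones.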

The final thing I would say is that the person who got attacked is clearly very smart, and from their writeup it is clear this was a sophisticated attack carried out over time with some very realistic setup. Don’t think this isn’t something that could happen to you; it could.

Heroku

This isn’t necessarily a threat in the cyber security sense, but we’ve been advising clients to consider a move off Heroku since the company has gone into a maintenance mode. No immediate action needed, but we’d strongly advise having this on your radar, especially if your infrastructure is heavily tied to Heroku-specific setup, such as buildpacks.

GitHub

GitHub’s service levels have been pretty dire recently. They acknowledged this in a blog post last month. Serious uptime incidents aside, the general usability seems to be getting worse.

At the time of writing, a more accurate uptime tool than GitHub’s own service is showing 89.47% uptime over the past 90 days for all GitHub related services. Not a good look.

No immediate action needed, but it is something worth keeping an eye on if your team spends any amount of time in GitHub.

Wider / Misc notes

At the time of writing this post, the US and Israel have entered into a ceasefire with Iran, but it is worth noting that outside of the terrible loss of human life, there has been a direct threat to technical infrastructure, coupled with the costs of compute rising.

Last month Google released a blog post, Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition. It is an excellent read if you want a long list of things to consider hardening in your enterprise. Smaller companies will struggle with the scope of a post like this; try to make technical decisions that get you closer to being prepared.

About this post

Knowing some of the wider issues within your application’s ecosystem can help you plan for the future and act appropriately.

One of the roles we perform for our clients is being that trusted source of knowing some of the wider ecosystem challenges.

For years we have been doing this in various ways. Formal quarterly briefings, ad hoc “heads-up” emails, or silently adjusting the roadmap to accommodate wider context changes.

Since most of our clients share common attributes (we mostly do Ruby development, mostly deploy to a couple of vendors, and so on), it makes sense to share this knowledge in one place so that others may benefit from it.

If you’ve found this post useful, but don’t have availability on your team to consider it more, please do get in touch as we might be able to help.

Some disclaimers

This is for general information, and just because we share something doesn’t mean we agree or disagree with it, it just means it is a thing to be aware of.

This post doesn’t claim to be a summary of absolutely everything that has happened, we are human and we will miss things, or forget to write about things we’ve seen.

To our clients

We will never share here something specific to one client, and this doesn’t replace whatever we are currently doing for you, and don’t worry, we are compiling this in our personal time!

What is threat intelligence?

Threat intelligence is evidence-based knowledge that provides context, indicators, and action-oriented advice on both existing and emerging threats to your systems.

The point of the intelligence is to help businesses make more informed decisions about their roadmap and future plans.
