Tosbourn – Belfast based Ruby developers

Threat Intelligence Issue 5

toby@tosbourn.com — Wed, 08 Apr 2026 00:00:00 +0000

This is our fifth threat intelligence post. When appropriate, we will aim to share some wider industry news that might impact our clients.

We will be covering; JavaScript, Heroku, and GitHub, as well as wider geo-political points. We cover mostly security and attack related news, but also sometimes the eco-system in which the tech runs in.

If you want to view previous issues of this, you can check out our Threat Intelligence area.

JavaScript

Axios, a popular JavaScript HTTP client, was involved in a supply chain attack. The person who fell victim to the attack has shared a post-mortem, which includes some information on how they were hacked.

If you use Axios you should check if you had an impacted version and if you do, assume your computer has been compromised and rotate secrets as needed.

There are some excellent reasons to need Axios, but some projects adopted it when other tooling wasn’t readily available. It is always worth checking if you need all of your dependencies or if your frameworks have better ways for dealing with things like network requests now.

If you use a tool to handle dependency management like Dependabot, make sure you’ve enabled a cooldown. You can do the same within npm/yarn/etc you can add a cooldown, check with the documentation for your tooling for more details.

The final thing I would say is the person who got attacked is clearly very smart, and from their writeup it is clear this was a sophisticated attack over time with some very realistic setup. Don’t think this isn’t something that could happen to you, it could.

Heroku

This isn’t necessarily a threat in the cyber security sense, but we’ve been advising clients to consider a move off Heroku since the company has went into a maintenance mode. No immediate action needed, but we’d strongly advise having this on your radar, especially if your infrastructure is heavily tied to Heroku-specific setup, such as buildpacks.

GitHub

GitHub’s service levels have been pretty dire recently. They acknowledged this in a blog post last month. Serious uptime incidents aside, the general usability seems to be getting worse.

At the time of writing, a more accurate uptime tool than GitHub’s own service is showing 89.47% uptime over the past 90 days for all GitHub related services. Not a good look.

No immediate action needed, but it is something worth keeping an eye on if your team spends any amount of time in GitHub.

Wider / Misc notes

At the time of writing this post, the US and Israel have entered into a ceasefire with Iran, but it is worth noting that outside of the terrible loss of human life, there has been a direct threat to technical infrastructure, coupled with the costs of compute rising.

Last month Google released a blog post Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition. It is an excellent read if you want a long list of things to consider hardening in your enterprise. Smaller companies will struggle with the scope of a post like this, try to make technical decisions that get you closer to being prepared.

About this post

Knowing some of the wider issues within your application’s ecosystem can help you plan for the future and act appropriately.

One of the roles we perform for our clients is being that trusted source of knowing some of the wider ecosystem challenges.

For years we have been doing this in various ways. Formal quarterly briefings, ad hoc “heads-up” emails, or silently adjusting the roadmap to accommodate wider context changes.

Since most of our clients share common attributes, we mostly do Ruby development, mostly deploy to a couple of vendors, etc. etc. it makes sense to share this knowledge in one place so that others may benefit from it.

If you’ve found this post useful, but don’t have availability on your team to consider it more, please do get in touch as we might be able to help.

Some disclaimers

This is for general information, and just because we share something doesn’t mean we agree or disagree with it, it just means it is a thing to be aware of.

This post doesn’t claim to be a summary of absolutely everything that has happened, we are human and we will miss things, or forget to write about things we’ve seen.

To our clients

We will never share here something specific to one client, and this doesn’t replace whatever we are currently doing for you, and don’t worry, we are compiling this in our personal time!

What is threat intelligence

Threat intelligence is evidence-based knowledge that provides context, indicators, and action-oriented advice on both existing and emerging threats to your systems.

The point of the intelligence is to help businesses make more informed decisions about their roadmap and future plans.

Threat Intelligence Issue 4

toby@tosbourn.com — Wed, 26 Nov 2025 00:00:00 +0000

This is our fourth threat intelligence post. When appropriate, we will aim to share some wider industry news that might impact our clients.

We initially thought about doing this weekly, but after a few weeks of it realised it would just become a small list of links, which has some value, but going forward we will only be sharing when there is something actionable for our clients.

We will be covering; JavaScript, Postgres, Heroku, Render, Cloudflare, and GitHub, as well as wider geopolitical points. We cover mostly security and attack related news, but also sometimes the ecosystem in which the tech runs in.

If you want to view previous issues of this, you can check out our Threat Intelligence area.

JavaScript

The Shai-Hulud malware infecting NPM packages as part of a supply chain attack is back, this writeup from Gitlab is worth a read if you want to understand more about it from a technical level. From a practical standpoint, be extra caution with what dependencies you are updating in your projects. We recently wrote about a cooldown setting you can use in Dependabot to only attempt to add dependencies that have been in the wild for so long (so, hopefully, tested and well patched).

Postgres

Postgres 13 recently became end of life, this means no more security updates or support. Hopefully you don’t have anything running on 13 by this stage, but always worth checking in and planning an upgrade.

Most of the time if you’re doing standard postgres “stuff”, upgrades are fairly painless.

Heroku

Back in October Heroku had some issues that brought down parts of their service. They’ve since shared a writeup. Short-term this includes them working on improved circuit breakers and better communication around incidents. Both seem like good improvements to make.

Heroku were the defacto hosting environment for lots of projects, especially Ruby on Rails, many folk have stuck with them because they were the easy option. This incident aside, it is always worth considering if your hosting company are still the best option. Quite a few of our clients have moved off Heroku this past year.

Render

Good to know that Render now supports Postgres 18, no immediate reason to upgrade if your version of Postgres is still in support, but there are some lovely new features and improvements if you needed a nudge!

Cloudflare

Cloudflare managed to bring down half of the internet recently! (hyperbole alert!) The root cause was a permission change on one of their database systems. Cloudflare have written a good writeup of the event. No immediate action needed on your part, but worth considering which bits of your stack were impacted by things like this and understanding what mitigations can be in place.

This was a particularly interesting issue since the Cloudflare console was also down, so you couldn’t change DNS settings away from Cloudflare even if you wanted to.

GitHub

To help mitigate against supply chain attacks like we mentioned above, GitHub continue to improve their handling of NPM tokens. Important here is that this impacts tokens used during NPM operations, not Github tokens such as personal access tokens.

GitHub released their availability report for October, nothing too worrisome. I wanted to share because this is a good example of transparency and might be worth something your team considers adopting. Sharing a quick “why” shows you care.

Wider / Misc notes

The UK government’s budget is due to be announced today, early signs are pointing to potentially more strain on businesses. It is tempting to deprioritise IT spend when projections are looking tight, but you only have to look at the various cyberattacks getting reported all the time that are often due to overstretched IT teams dropping the ball. We always advise our clients to do an honest risk assessment exercise before thinking about cutting corners with IT or software.

About this post

Knowing some of the wider issues within your application’s ecosystem can help you plan for the future and act appropriately.

One of the roles we perform for some of our clients is being that trusted source of knowing some of the wider ecosystem challenges.

For years we have been doing this in various ways. Formal quarterly briefings, ad hoc “heads-up” emails, or silently adjusting the roadmap to accommodate wider context changes.

If you’ve found this post useful, but don’t have availability on your team to consider it more, please do get in touch as we might be able to help.

Some disclaimers

This is for general information, and just because we share something doesn’t mean we agree or disagree with it, it just means it is a thing to be aware of.

This post doesn’t claim to be a summary of absolutely everything that has happened, we are human and we will miss things, or forget to write about things we’ve seen.

To our clients

We will never share here something specific to one client, and this doesn’t replace whatever we are currently doing for you, and don’t worry, we are compiling this in our personal time!

What is threat intelligence

Threat intelligence is evidence-based knowledge that provides context, indicators, and action-oriented advice on both existing and emerging threats to your systems.

The point of the intelligence is to help businesses make more informed decisions about their roadmap and future plans.

Threat Intelligence Issue 3

toby@tosbourn.com — Tue, 21 Oct 2025 00:00:00 +0000

This is our third threat intelligence post. Each week, if appropriate, we will aim to share some wider industry news that might impact our clients. We didn’t have one last week because there was nothing of major importance.

This issue will be covering; Ruby, and some wider points.

Ruby

Last week, a PR into Rails main means that the CVE information in the stock bin/bundler-audit will be kept up to date, meaning it is more useful, and avoids false positives.

Matz has written about the transition of RubyGems stewardship from Ruby Central to the Ruby core team. This will hopefully stabilise some of the discontent in the Ruby community.

Wider / Misc notes

AWS had a major outage, impacting large portions of the internet. The most interesting thing about the outage was the services it impacted that probably shouldn’t have been sending data across to America in the first place. Smaller businesses operating in the UK should probably be using UK or European data centres.

One of the reasons so many places were impacted was the region that was down, US-EAST-1, is the default region when setting up AWS services.

Actions to consider;

Are you using the appropriate regions for your service
Do you have appropriate failovers in place to spread workload around regions

Just over a week ago the National Cyber Security Center published an article UK experiencing four ‘nationally significant’ cyber attacks every week. There is no immediate action needed but does highlight the scale of the issue with operating online.

Developers should audit and take care adding plugins to their code editors, there is a self-spreading malware called GlassWorm doing the rounds.

Rapid7’s Patch Tuesday for October contains a list of things worth patching.

About this post

Knowing some of the wider issues within your application’s ecosystem can help you plan for the future and act appropriately.

One of the roles we perform for some of our clients is being that trusted source of knowing some of the wider ecosystem challenges.

For years we have been doing this in various ways. Formal quarterly briefings, ad hoc “heads-up” emails, or silently adjusting the roadmap to accommodate wider context changes.

If you’ve found this post useful, but don’t have availability on your team to consider it more, please do get in touch as we might be able to help.

Some disclaimers

This is for general information, and just because we share something doesn’t mean we agree or disagree with it, it just means it is a thing to be aware of.

This post doesn’t claim to be a summary of absolutely everything that has happened, we are human and we will miss things, or forget to write about things we’ve seen.

To our clients

We will never share here something specific to one client, and this doesn’t replace whatever we are currently doing for you, and don’t worry, we are compiling this in our personal time!

What is threat intelligence

Threat intelligence is evidence-based knowledge that provides context, indicators, and action-oriented advice on both existing and emerging threats to your systems.

The point of the intelligence is to help businesses make more informed decisions about their roadmap and future plans.

Threat Intelligence Issue 2

toby@tosbourn.com — Wed, 08 Oct 2025 00:00:00 +0000

This is our second threat intelligence post. Each week, if appropriate, we will aim to share some wider industry news that might impact our clients.

What we cover will depend on what has been happening the previous week, this week, for example, is a much shorter update.

Ruby

Some of the folk that previously maintained and operated RubyGems.org have started a new server for hosting gems https://gem.coop.

No action needed unless your team feels they want to migrate away from RubyGems (which is understandable).

Github

Github recently rolled out sign in with Apple. Unless your organisation specifically requires this, I would recommend against employees tying log in to Apple IDs.

They are also deprecating some @dependabot commands, if your team uses Dependabot in workflows or manually, check in that they aren’t relying on the deprecated commands.

Wider / Misc notes

The US Government has shut down. My understanding from talking with some folk over there is larger companies are likely unaffected, smaller companies may be a little bit more cautious with their spending.

There is certainly a greater scope for scams during periods of political and governmental turbulance.

Docker are sharing access to Hardened Images which are images with near-zero CVEs attached to them.

This final article, about a Mic-E-Mouse attack was too interesting not to share. Hackers were able to “listen in” based on mouse sensors. Very fun!

About this post

Knowing some of the wider issues within your application’s ecosystem can help you plan for the future and act appropriately.

One of the roles we perform for some of our clients is being that trusted source of knowing some of the wider ecosystem challenges.

For years we have been doing this in various ways. Formal quarterly briefings, ad hoc “heads-up” emails, or silently adjusting the roadmap to accommodate wider context changes.

If you’ve found this post useful, but don’t have availability on your team to consider it more, please do get in touch as we might be able to help.

Some disclaimers

This is for general information, and just because we share something doesn’t mean we agree or disagree with it, it just means it is a thing to be aware of.

This post doesn’t claim to be a summary of absolutely everything that has happened, we are human and we will miss things, or forget to write about things we’ve seen.

To our clients

We will never share here something specific to one client, and this doesn’t replace whatever we are currently doing for you, and don’t worry, we are compiling this in our personal time!

What is threat intelligence

Threat intelligence is evidence-based knowledge that provides context, indicators, and action-oriented advice on both existing and emerging threats to your systems.

The point of the intelligence is to help businesses make more informed decisions about their roadmap and future plans.

Threat Intelligence Issue 1

toby@tosbourn.com — Tue, 30 Sep 2025 00:00:00 +0000

This is our first threat intelligence post. Each week, if appropriate, we will aim to share some wider industry news that might impact our clients.

We will be covering; Ruby, JavaScript, Postgres, Heroku, Render, Cloudflare, and Github, as well as wider geo-political points.

Ruby

The Ruby community has never looked more uneasy. No issues that require immediate attention, but worth knowing there is a lot of energy being spent on several topics, and there are a lot of folk disenfrancised with the language.

DHH has went, pardon the pun, off the Rails. The Ruby Community has a DHH Problem explains the core issues with DHH (creator of Rails) making xenophobic claims about London. This has lead to an open letter to remove DHH from Rails via a hard fork.

Ruby, Bundler, and RubyGems are separate entities in the Ruby eco-system, and some recent changes covered well by The Register have opened up some wounds in the community. I would suggesting reading the above article and also Justin Searls’ opinions.

JavaScript

Speaking of people going off the Rails, the CEO of Vercel has been sharing pictures of him and Israeli Prime Minister Benjamin Netanyahu. Droplet Drift covered the issues well.

We would recommend anyone using Vercel consider if their CEO’s actions aligns with their values.

Postgres

Postgres 18 has been released, with some great new features, if those features would benefit your product, it might be worth starting to consider what an upgrade path would look like.

Heroku

Nothing too major to worry about with Heroku this week.

Standard and Performance Tier apps will be using Router 2.0, this is part of Heroku’s efforts to move away from their old routing.

Rails apps now have a Puma-related timeout set by default. If you use Puma and run on Heroku, you should check the 95 seconds is a fair value for your application.

Render

If you care about Render’s IP addresses, you should know they’re adding some new ones, but this will mainly be for if you’re allow-listing based on IP.

Cloudflare

Cloudflare has been going heavy on AI, and recently announced their own cryptocurrency to help with AI driven transactions. This feels like a departure from their core value, worth keeping an eye on.

Something else to keep an eye on is that over the next year Cloudflare will open all features to everyone, I suggest keeping an eye on what you can start to get “for free” if you’re already using Cloudflare.

Github

Github are improving their token management, this is in response to recent NPM supply chain attacks. If you heavily rely on Github tokens, make sure you’re following best practice here.

Wider / Misc notes

People are using SVGs to do email phishing. Hack Read has a good writeup. If you haven’t ran a phishing test in your organisation recently, now might be a good time to update some training.

People are also using Chrome extensions to try and backdoor their way into systems. It might be time to have a review of what extensions you team is allowed in install and are there any that make sense to remove.

About this post

Knowing some of the wider issues within your application’s ecosystem can help you plan for the future and act appropriately.

One of the roles we perform for some of our clients is being that trusted source of knowing some of the wider ecosystem challenges.

For years we have been doing this in various ways. Formal quarterly briefings, ad hoc “heads-up” emails, or silently adjusting the roadmap to accommodate wider context changes.

If you’ve found this post useful, but don’t have availability on your team to consider it more, please do get in touch as we might be able to help.

Some disclaimers

This is for general information, and just because we share something doesn’t mean we agree or disagree with it, it just means it is a thing to be aware of.

This post doesn’t claim to be a summary of absolutely everything that has happened, we are human and we will miss things, or forget to write about things we’ve seen.

To our clients

We will never share here something specific to one client, and this doesn’t replace whatever we are currently doing for you, and don’t worry, we are compiling this in our personal time!

What is threat intelligence

Threat intelligence is evidence-based knowledge that provides context, indicators, and action-oriented advice on both existing and emerging threats to your systems.

The point of the intelligence is to help businesses make more informed decisions about their roadmap and future plans.