
Security bulletins

Security bulletins and advisories from Oblique. These include security issues with Oblique itself, as well as external incidents that could potentially impact Oblique.

External
Many widely used npm packages were recently impacted by a supply chain attack. Although Oblique depends on an affected package provided by PostHog, malicious versions were never incorporated into our production builds or CI/CD.

What happened?

Multiple security vendors reported on November 24th, 2025 that the group behind a previous supply chain attack was again able to inject malicious code into prominent npm packages. These included JavaScript SDKs for PostHog, a product analytics platform. Though Oblique depends on the posthog-js package, it was pinned at version 1.297.3 and so was unaffected.
More broadly, Oblique has taken this opportunity to introduce cooldown periods in both pnpm and Dependabot for internal dependency uptake.

What was the impact?

We have verified that our systems never imported the impacted versions, even in our development CI/CD systems.

Who was affected?

Neither Oblique nor any Oblique customers are affected.

What do I need to do?

No action is required from Oblique customers.

External
The widely used npm package '@ctrl/tinycolor' was recently backdoored with malicious code. Although Oblique depends on this package, affected versions were never incorporated into our production builds or CI/CD.

What happened?

Several security vendors reported on September 15, 2025 that versions 4.1.1 and 4.1.2 of the package '@ctrl/tinycolor' were published with malicious code. These malicious versions scan build and deployment environments for credentials, then publish secrets and private code repositories publicly. Over 40 other packages incorporated these versions. While Oblique depends on this package through Astro, it is pinned at version 4.1.0 and so is unaffected.
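The verification behind both of the npm bulletins on this page is the same: confirm which versions the lockfile actually resolves, not just what package.json requests. The script below is an added example, not Oblique's own tooling. It scans a pnpm-lock.yaml (both the v6 `/name@version` and v9 `'name@version'` key styles) for the '@ctrl/tinycolor' versions named above; the sample lockfile, the astro version and the integrity hashes in it are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Malicious versions named in the bulletin above.
AFFECTED: Dict[str, Set[str]] = {"@ctrl/tinycolor": {"4.1.1", "4.1.2"}}

# Package keys under a pnpm lockfile's top-level `packages:` section, in the
# v6 form "  /@ctrl/tinycolor@4.1.0:" or the v9 form "  '@ctrl/tinycolor@4.1.0':"
# and "  astro@5.0.0:"; a peer suffix like "(typescript@5.0.0)" is not captured.
_PKG_KEY = re.compile(r"^ {2}'?/?(@?[^@'\s]+)@([^'(:\s]+)")

def resolved_versions(lockfile_text: str) -> Dict[str, Set[str]]:
    """Map each package name to the set of versions resolved under `packages:`."""
    found: Dict[str, Set[str]] = {}
    in_packages = False
    for line in lockfile_text.splitlines():
        if line.strip() and not line.startswith(" "):
            in_packages = line.startswith("packages:")  # new top-level section
            continue
        m = _PKG_KEY.match(line) if in_packages else None
        if m:
            found.setdefault(m.group(1), set()).add(m.group(2))
    return found

def find_affected(lockfile_text: str) -> List[str]:
    """Return sorted 'name@version' entries that match a known-malicious release."""
    hits = []
    for name, versions in resolved_versions(lockfile_text).items():
        hits.extend(f"{name}@{v}" for v in versions & AFFECTED.get(name, set()))
    return sorted(hits)

# Constructed sample lockfile (v9 layout, placeholder hashes); the 4.1.2 entry
# is deliberately present so the scan reports a hit.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '@ctrl/tinycolor': {specifier: ^4.1.0, version: 4.1.2}
packages:
  '@ctrl/tinycolor@4.1.0':
    resolution: {integrity: sha512-PLACEHOLDER}
  '@ctrl/tinycolor@4.1.2':
    resolution: {integrity: sha512-PLACEHOLDER}
  astro@5.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
"""

if __name__ == "__main__":
    print("affected:", find_affected(SAMPLE_LOCK))  # affected: ['@ctrl/tinycolor@4.1.2']
```

Run it against the real lockfile (`find_affected(open("pnpm-lock.yaml").read())`) in CI so a pinned-but-drifted dependency fails the build rather than being noticed after the fact.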

What was the impact?

We have verified that our systems never imported the impacted versions, even in our development CI/CD systems.

Who was affected?

Neither Oblique nor any Oblique customers are affected.

What do I need to do?

No action is required from Oblique customers.

External
Cloudflare support tickets, including Oblique's support tickets with Cloudflare, were breached. Although Oblique is affected, there is no impact. None of Oblique's Cloudflare support tickets include customer data or credentials.

What happened?

Oblique uses Cloudflare for some builds and web hosting, and we have previously communicated with Cloudflare support. A security breach of Salesloft Drift resulted in unauthorized access to Cloudflare support tickets. The breach allowed access to the text content of support communications. Oblique received a notification from Cloudflare on 2025-09-02 that Oblique’s data may have been exposed in the Salesloft incident.

What was the impact?

We have conducted a thorough review of all support communications and confirmed:

  • None of Oblique's API keys, access tokens, or other credentials were shared in support tickets
  • No Oblique customer data was disclosed in support communications

Who was affected?

Neither Oblique nor any Oblique customers are affected.

What do I need to do?

No action is required from Oblique customers.