
Security bulletins

Security bulletins and advisories from Oblique. These include security issues with Oblique itself, as well as external incidents that could potentially impact Oblique.

External
A self-spreading supply chain worm compromised dozens of npm packages, including widely used @tanstack/* router and start packages. Oblique's production builds and CI/CD pipelines were not affected.

What happened?

On May 11, 2026, multiple security vendors reported that an attacker republished compromised versions of more than 50 npm packages, including much of the @tanstack/* router and start family, @uipath/*, and several smaller scopes. The malicious versions smuggled a prepare script via an optionalDependencies entry pointing at an attacker-controlled GitHub commit. On install, the payload exfiltrated GitHub, npm, and cloud credentials over HTTPS, then attempted to publish further compromised versions from any maintainer tokens it found - the "self-spreading" behaviour that mirrored prior Shai-Hulud campaigns.

Oblique depends on several @tanstack/* packages but was pinned below the compromised 1.169.x package version. Our npm package manager, pnpm, is configured with a 72-hour minimumReleaseAge cooldown, which prevented any version uptake during the window in which the bad releases were live on the registry. As defence in depth, pnpm 10's default-deny on dependency lifecycle scripts and our explicit onlyBuiltDependencies allowlist mean that the malicious prepare script could not have executed in our CI runners or developer machines even if a bad version had been resolved.
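A defender-side check for the install-time pattern described above (a lifecycle script combined with a dependency that resolves to a git commit rather than the registry), together with the version-floor comparison behind the pinning argument. This is an added example and not Oblique's tooling; the package names, the GitHub shorthand spec and the constructed node_modules tree in the demo are invented for illustration, and the 1.169.0 floor is taken from the bulletin's 1.169.x line.

```python
"""Audit an installed node_modules tree for two install-time signals:
lifecycle scripts (preinstall/install/postinstall/prepare) and dependency
specs that point at a git/GitHub source instead of the npm registry.
Constructed example; not Oblique's code."""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
DEP_FIELDS = ("dependencies", "optionalDependencies", "devDependencies", "peerDependencies")
# Spec forms npm resolves from git rather than the registry:
# git+ssh://, git://, github:owner/repo#sha, https://github.com/..., owner/repo#sha
GIT_SPEC = re.compile(
    r"^(git\+[\w-]+:|git:|github:|https?://github\.com/|[\w.-]+/[\w.-]+(#.*)?$)", re.I
)


def parse_semver(version: str) -> tuple:
    """'1.169.1-beta.2' -> (1, 169, 1); pre-release tags are ignored."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:3])


def pinned_below(resolved: str, floor: str) -> bool:
    """True when the resolved version is strictly below the first bad version."""
    return parse_semver(resolved) < parse_semver(floor)


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one package.json."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: lifecycle script '{hook}': {scripts[hook]}")
    for field in DEP_FIELDS:
        for dep, spec in (manifest.get(field) or {}).items():
            if isinstance(spec, str) and GIT_SPEC.match(spec):
                findings.append(f"{name}: {field}.{dep} resolves to non-registry source {spec}")
    return findings


def audit_tree(node_modules: Path) -> list:
    """Walk every package.json below node_modules and collect findings."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or partial manifest: skip, do not crash the audit
        findings.extend(audit_manifest(manifest))
    return findings


def build_demo_tree() -> Path:
    """Write a constructed node_modules tree: one clean package, one that
    shows the bulletin's pattern (prepare hook + git-sourced optional dep)."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    clean = {"name": "left-pad-ish", "version": "1.0.0",
             "dependencies": {"tslib": "^2.0.0"}}
    suspicious = {"name": "@example/router", "version": "1.169.1",
                  "scripts": {"prepare": "node ./scripts/setup.js"},
                  "optionalDependencies": {
                      # constructed placeholder, not a real repository
                      "example-helper": "github:example-org/example-helper#0123456789abcdef"}}
    for manifest in (clean, suspicious):
        target = root.joinpath(*manifest["name"].split("/"))
        target.mkdir(parents=True)
        (target / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def demo_findings() -> list:
    return audit_tree(build_demo_tree())


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
    print("1.168.4 below floor:", pinned_below("1.168.4", "1.169.0"))
```

The audit complements rather than replaces the controls the bulletin names: in pnpm-workspace.yaml, minimumReleaseAge is expressed in minutes (72 hours is 4320), and onlyBuiltDependencies lists the packages whose lifecycle scripts may run; with pnpm 10 defaults, hooks from any package outside that list are skipped.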

What was the impact?

We have verified that none of the compromised package versions were ever resolved or installed in our production builds, CI/CD pipelines, or developer environments. No Oblique credentials or source were exposed.

Who was affected?

Neither Oblique nor any Oblique customers are affected.

What do I need to do?

No action is required from Oblique customers.


External
Many widely used npm packages were recently impacted by a supply chain attack. Although Oblique depends on an affected package provided by PostHog, malicious versions were never incorporated into our production builds or CI/CD.

What happened?

Multiple security vendors reported on November 24th, 2025 that a group behind a previous supply chain attack were able to again inject malicious code into prominent npm packages. This included JavaScript SDKs for PostHog, a product analytics platform. Though Oblique depends on the posthog-js package, it was pinned at version 1.297.3, and so unaffected.
More broadly, Oblique has taken this opportunity to introduce cooldown periods in both pnpm and Dependabot for internal dependency uptake.

What was the impact?

We have verified that our systems never imported the impacted versions, even in our development CI/CD systems.

Who was affected?

Neither Oblique nor any Oblique customers are affected.

What do I need to do?

No action is required from Oblique customers.

External
The widely used NPM package '@ctrl/tinycolor' was recently backdoored with malicious code. Although Oblique depends on this package, affected versions were never incorporated into our production builds or CI/CD.

What happened?

Several security vendors reported on September 15, 2025 that versions 4.1.1 and 4.1.2 of the package '@ctrl/tinycolor' were updated with malicious code. These malicious packages scan build and deployment environments for credentials, then publish secrets and private code repos publicly. More than 40 other packages incorporated these versions. While Oblique depends on this package through Astro, it is pinned at version 4.1.0, and so unaffected.

What was the impact?

We have verified that our systems never imported the impacted versions, even in our development CI/CD systems.

Who was affected?

Neither Oblique nor any Oblique customers are affected.

What do I need to do?

No action is required from Oblique customers.

External
Cloudflare support tickets, including Oblique's support tickets with Cloudflare, were breached. Although Oblique is affected, there is no impact. None of Oblique's Cloudflare support tickets include customer data or credentials.

What happened?

Oblique uses Cloudflare for some builds and web hosting, and we have previously communicated with Cloudflare support. A security breach of Salesloft Drift resulted in unauthorized access to Cloudflare support tickets. The breach allowed access to the text content of support communications. Oblique received a notification from Cloudflare on 2025-09-02 that Oblique’s data may have been exposed in the Salesloft incident.

What was the impact?

We have conducted a thorough review of all support communications and confirmed:

  • None of Oblique's API keys, access tokens, or other credentials were shared in support tickets
  • No Oblique customer data was disclosed in support communications

Who was affected?

Neither Oblique nor any Oblique customers are affected.

What do I need to do?

No action is required from Oblique customers.