VYPR
← All malware advisories

npm · Malicious package advisory

Malware

posthog-js

MAL-2025-191402

Malicious code in posthog-js (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2b422f278bf27e062b349e97360b6919e773122f21656f23d6da583ce7cb1a92)
The package posthog-js was found to contain malicious code.

## Source: google-open-source-security (1199070f9140b97dfe8c2ecdfe5a68de5c3df986e7d82041c96f07ebc557f365)
This package was compromised by the Sha1-Hulud: The Second Coming NPM worm.
The malicious payload steals tokens and credentials and publishes them to
GitHub. The worm will propogate itself to NPM packages the user owns and
establish persistence is a GitHub action.
The package may also destroy the user's home directory.

Compromised versions (1)

  • 1.297.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.