VYPR
← All malware advisories

maven · Malicious package advisory

Malware

org.mvnpm:posthog-node

MAL-2025-191470

Malicious code in org.mvnpm:posthog-node (Maven)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: google-open-source-security (ea90a5928d7667bed4fa9f6effbbe6c8d3ad6521ca51ca2b01551bc02373a7d2)
This package was compromised by the Sha1-Hulud: The Second Coming NPM worm.
The malicious payload steals tokens and credentials and publishes them to
GitHub. The worm will propogate itself to NPM packages the user owns and
establish persistence is a GitHub action.
The package may also destroy the user's home directory.

Compromised versions (1)

  • 4.18.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.