Malware in PostHog NPM packages

11 pointsroskoalexey4mo ago9 comments

I know many of us use a really excellent PostHog service, but it seems their latest version of `posthog-js` NPM package contains malware.

Reported to their security channel, also reported to NPM, but also wanted to raise awareness here.

Update: It seems all their NPM packages have the same problem

Update 2: https://status.posthog.com/

9 comments

timgl4mo ago

co-founder of PostHog here. It looks like we were also a victim of this attack: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

We've rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you're on the latest version of our SDKs.

We're still figuring out how this key got compromised, and we'll follow up with a post-mortem. We'll update status.posthog.com with more updates as well.

1 more reply

sakce4mo ago

Thank you for flagging this - we are actively working on it and will be back with an update!

roskoalexeyOP4mo ago

Some more details:

1. Malware uses a "preinstall" NPM script, which is triggered upon you running `npm install`.

2. Malware installs `bun`.

3. Then it installs and starts `trufflehog` (a tool for scanning code for secrets, API keys, passwords, etc.).

nextaccountic3mo ago

One more reason to run pnpm. Or better yet, deno

nycalexander4mo ago

Made a package (that I needed personally), to easily reinstall all dependencies in a project using Aikido's safe guard for npm, pnpm, bun, and yarn. https://www.npmjs.com/package/eazypm

rvz4mo ago

This feels like an impending disaster about to be unraveled in lots of npm packages.

Looking forward to the post-mortem.

kothariji4mo ago

here is the report - https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

roskoalexeyOP4mo ago

Also:

It seems many of their other NPM packages also have the same problem. https://www.npmjs.com/~timgl (all published 5 hours ago)

roskoalexeyOP4mo ago

Details:

In `package.json`, it has a script `"preinstall": "node setup_bun.js"` + files `setup_bun.js` and `bun_environment.js` which are apparently is the malware.

j / k navigate · click thread line to collapse

Malware in PostHog NPM packages

11 pointsroskoalexey4mo ago9 comments

I know many of us use a really excellent PostHog service, but it seems their latest version of `posthog-js` NPM package contains malware.

Reported to their security channel, also reported to NPM, but also wanted to raise awareness here.

Update: It seems all their NPM packages have the same problem

Update 2: https://status.posthog.com/

9 comments

timgl4mo ago

co-founder of PostHog here. It looks like we were also a victim of this attack: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

We've rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you're on the latest version of our SDKs.

We're still figuring out how this key got compromised, and we'll follow up with a post-mortem. We'll update status.posthog.com with more updates as well.

1 more reply

sakce4mo ago

Thank you for flagging this - we are actively working on it and will be back with an update!

roskoalexeyOP4mo ago

Some more details:

1. Malware uses a "preinstall" NPM script, which is triggered upon you running `npm install`.

2. Malware installs `bun`.

3. Then it installs and starts `trufflehog` (a tool for scanning code for secrets, API keys, passwords, etc.).

nextaccountic3mo ago

One more reason to run pnpm. Or better yet, deno

nycalexander4mo ago

Made a package (that I needed personally), to easily reinstall all dependencies in a project using Aikido's safe guard for npm, pnpm, bun, and yarn. https://www.npmjs.com/package/eazypm

rvz4mo ago

This feels like an impending disaster about to be unraveled in lots of npm packages.

Looking forward to the post-mortem.

kothariji4mo ago

here is the report - https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

roskoalexeyOP4mo ago

Also:

It seems many of their other NPM packages also have the same problem. https://www.npmjs.com/~timgl (all published 5 hours ago)

roskoalexeyOP4mo ago

Details:

In `package.json`, it has a script `"preinstall": "node setup_bun.js"` + files `setup_bun.js` and `bun_environment.js` which are apparently is the malware.

j / k navigate · click thread line to collapse