CRITICAL Maven Malware
Malicious code in org.mvnpm:posthog-node (Maven)
MAL-2025-191470
Published · Modified
Description
Source: google-open-source-security (ea90a5928d7667bed4fa9f6effbbe6c8d3ad6521ca51ca2b01551bc02373a7d2)
This package was compromised by the Sha1-Hulud: The Second Coming NPM worm.
The malicious payload steals tokens and credentials and publishes them to
GitHub. The worm propagates itself to NPM packages the user owns and
establishes persistence as a GitHub Action.
The package may also destroy the user's home directory.