MAL-2025-191470

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/maven/org.mvnpm:posthog-node/MAL-2025-191470.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-191470

Published

2025-11-26T04:39:24Z

Modified

2025-11-26T05:24:57.436229Z

Summary

Malicious code in org.mvnpm:posthog-node (Maven)

Details

-= Per source details. Do not edit below this line.=-

Source: google-open-source-security (ea90a5928d7667bed4fa9f6effbbe6c8d3ad6521ca51ca2b01551bc02373a7d2)

This package was compromised by the Sha1-Hulud: The Second Coming NPM worm. The malicious payload steals tokens and credentials and publishes them to GitHub. The worm will propogate itself to NPM packages the user owns and establish persistence is a GitHub action. The package may also destroy the user's home directory.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-11-26T04:39:24Z",
            "sha256": "ea90a5928d7667bed4fa9f6effbbe6c8d3ad6521ca51ca2b01551bc02373a7d2",
            "source": "google-open-source-security",
            "versions": [
                "4.18.1"
            ],
            "import_time": "2025-11-26T04:40:18.31025Z"
        }
    ]
}

References

Affected packages

Maven / org.mvnpm:posthog-node

Package

Name: org.mvnpm:posthog-node; View open source insights on deps.dev
Purl: pkg:maven/org.mvnpm/posthog-node

Affected ranges

Affected versions

4.*

4.18.1