Malware in PostHog NPM packages

6•roskoalexey•1h ago

I know many of us use a really excellent PostHog service, but it seems their latest version of `posthog-js` NPM package contains malware.

Reported to their security channel, also reported to NPM, but also wanted to raise awareness here.

Update: It seems all their NPM packages have the same problem

Update 2: https://status.posthog.com/

Comments

roskoalexey•1h ago

Details:

In `package.json`, it has a script `"preinstall": "node setup_bun.js"` + files `setup_bun.js` and `bun_environment.js` which are apparently is the malware.

roskoalexey•1h ago

Also:

It seems many of their other NPM packages also have the same problem. https://www.npmjs.com/~timgl (all published 5 hours ago)

rvz•1h ago

This feels like an impending disaster about to be unraveled in the Posthog npm packages.

Looking forward to the post-mortem.

roskoalexey•28m ago

Some more details:

1. Malware uses a "preinstall" NPM script, which is triggered upon you running `npm install`.

2. Malware installs `bun`.

3. Then it installs and starts `trufflehog` (a tool for scanning code for secrets, API keys, passwords, etc.).

sakce•20m ago

Thank you for flagging this - we are actively working on it and will be back with an update!

kothariji•59s ago

here is the report - https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

Ask HN: Hearing aid wearers, what's hot?

Ask HN: Good resources to learn financial systems engineering?

Don't obsess with security and privacy unless they are your core business

Malware in PostHog NPM packages

Ask HN: What tools do you pay for today that feel overpriced or frustrating?

Why isn't There a open-source (project) game?

Tell HN: Wanted to Give Dang Appreciation

Ask HN: Looking for a donated PC or laptop for freelance work

ZetaShare Building private file transfer with WebRTC

Ask HN: Is America in Recession?

Ask HN: Advice for feeling like a failure in PhD?

Ask HN: How do you balance creativity, love for the craft, and money?

Boring Laser Eyes Simulator: Add laser beams to your eyes with your webcam

Ask HN: Working in a language that isn't your native one. How hard was it?

Ask HN: Where could I find early adopters?

Ask HN: Where can you find old NetBSD packages?

Ask HN: First Steps with a Patent Troll?

Ask HN: Is it time to measure Inflation and CPI without the government?

Facebook has made it impossible to delete Pages – dark patterns everywhere

Ask HN: Current state of Android USB tethering?

Warp Terminal Doing a Pricing Shock for Canadian Users – 10× Increase on Credits

Ask HN: What is the current state of the art in BIG (>5TB) cloud backups?

Fun weekend task – Calculate your crypto relief or regret

Ask HN: Are you still working with a website that requires Internet Explorer?

Ask HN: How would you architect a RAG system for 10M+ documents today?

Amex Architecture

Ask HN: Can you share what you built using Cursor/Agentic IDEs?

Tell HN: Cursor exposes side projects to your employer

Ask HN: Struggling founders, pls share your startup struggle

Malware in PostHog NPM packages

Comments

Ask HN: Hearing aid wearers, what's hot?

Ask HN: Good resources to learn financial systems engineering?

Don't obsess with security and privacy unless they are your core business

Malware in PostHog NPM packages

Ask HN: What tools do you pay for today that feel overpriced or frustrating?

Why isn't There a open-source (project) game?

Tell HN: Wanted to Give Dang Appreciation

Ask HN: Looking for a donated PC or laptop for freelance work

ZetaShare Building private file transfer with WebRTC

Ask HN: Is America in Recession?

Ask HN: Advice for feeling like a failure in PhD?

Ask HN: How do you balance creativity, love for the craft, and money?

Boring Laser Eyes Simulator: Add laser beams to your eyes with your webcam

Ask HN: Working in a language that isn't your native one. How hard was it?

Ask HN: Where could I find early adopters?

Ask HN: Where can you find old NetBSD packages?

Ask HN: First Steps with a Patent Troll?

Ask HN: Is it time to measure Inflation and CPI without the government?

Facebook has made it impossible to delete Pages – dark patterns everywhere

Ask HN: Current state of Android USB tethering?

Warp Terminal Doing a Pricing Shock for Canadian Users – 10× Increase on Credits

Ask HN: What is the current state of the art in BIG (>5TB) cloud backups?

Fun weekend task – Calculate your crypto relief or regret

Ask HN: Are you still working with a website that requires Internet Explorer?

Ask HN: How would you architect a RAG system for 10M+ documents today?

Amex Architecture

Ask HN: Can you share what you built using Cursor/Agentic IDEs?

Tell HN: Cursor exposes side projects to your employer

Ask HN: Struggling founders, pls share your startup struggle