- posthog-node 4.18.1, 5.13.3 and 5.11.3
- posthog-js 1.297.3
- posthog-react-native 4.11.1
- posthog-docusaurus 2.0.6
We've rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you're on the latest version of our SDKs.
We're still figuring out how this key got compromised, and we'll follow up with a post-mortem. We'll update status.posthog.com with more updates as well.
NPM supports GitHub workflow OIDC and you can make that required, disabling all token access.
Currently reverse engineering the malicious payload and will share our findings within the next few hours.
AsyncAPI is used as the example in the post. It says the Github repo was not affected, but NPM was.
What I don't understand from the article is how this happened. Were the credentials for each project leaked? Given the wide range of packages, was it a hack on npm? Or...?
Previous discussions: https://news.ycombinator.com/item?id=45260741
This is why it's so important to get to know what you're actually building instead of just "vibing" all the time. Before all the AI slop of this decade we just called it being responsible.
Pnpm also blocks preinstall scripts by default.
Really looking forward to a deeper post-mortem on this.
I'd argue automated dependency updates pose a greater risk than one-day exploits, though I don't have data to back that up. That's harder to undo a compromised package already in thousands of lock files, than to manually patch a already exploited vulnerability in your dependencies.
[0] https://blog.yossarian.net/2025/11/21/We-should-all-be-using...
com.foo.bar
That would require domain verification, but it would add significant developer friction.
Also mandatory Dune reference:
"Bless the maker and his water"
vintagedave•26m ago
A short time ago, I started a frontend in Astro for a SaaS startup I'm building with a friend. Astro is beautiful. But it's build on Node. And every time I update the versions of my dependencies I feel terrified I am bringing something into my server I don't know about.
I just keep reading more and more stories about dangerous npm packages, and get this sense that npm has absolutely no safety at all.
sublinear•23m ago
I'm getting tired of the anti-Node.js narrative that keeps going around as if other package repos aren't the same or worse.
pxc•20m ago
DJBunnies•17m ago
sph•22m ago
This is gonna ruffle some feathers, but it's only a matter of time until it'll happen on the Rust ecosystem which loves to depend on a billion subpackages, and it won't be fault of the language itself.
The more I think about it, the more I believe that C, C++ or Odin's decision not to have a convenient package manager that fosters a cambrian explosion of dependencies to be a very good idea security-wise. Ambivalent about Go: they have a semblance of packaging system, but nothing so reckless like allowing third-party tarballs uploaded in the cloud to effectively run code on the dev's machine.
fouronnes3•17m ago
dotancohen•16m ago
vintagedave•16m ago
My real worry, for myself re the parent comment is, it's just a web frontend. There are a million other ways to develop it. Sober, cold risk assessment is: should we, or should we have, and should anyone else, choose something npm-based for new development?
Ie not a question about potential risk for other technologies, but a question about risk and impact for this specific technology.
progbits•9m ago
Things like cargo-vet help as does enforcing non-token auth, scanning and required cooldown periods.
tjpnz•8m ago
rafaelmn•5m ago
In .NET you can cover a lot of use cases simply using Microsoft libraries and even a lot of OSS not directly a part of Microsoft org maintained by Microsoft employees.
vachina•5m ago
dkdbejwi383•22m ago
There are some things that kind of suck (working with time - will be fixed by the Temporal API eventually), but you can get a lot done without needing lots of dependencies.
Gigachad•20m ago
vintagedave•18m ago
And I am genuinely thinking to myself, is this making using npm a risk?
cluckindan•10m ago
yoavm•4m ago
Ygg2•10m ago
Attack an important package, and you can get into the Node and Electron ecosystem. That's a huge prize.
anonymous908213•19m ago
AIorNot•17m ago
dkdbejwi383•15m ago
jacquesm•8m ago
A bit? A proper input validator is a lot of work.
anonymous908213•6m ago
paradite•10m ago
jacquesm•9m ago
An eco-system, if it insists on slapping on a package manager (see also: Rust, Go) should always properly evaluate the resulting risks and put proper safeguards in place or you're going to end up with a massive supply chain headache.
paradite•19m ago
The ones that most people use and some people complain about, and the ones that nobody uses and people keep advocating for.
sandruso•16m ago
When it comes to frontend, well I don't have answers yet.
zwnow•13m ago
I also switched to Phoenix using Js only when absolutely necessary. Would do the same on Laravel at work if switching to SSR would be feasible...
I do not trust the whole js ecosystem anymore.
jacquesm•7m ago
rvz•12m ago
I think we have given the Typescript / Javascript communities enough time. These sort of problems will continue to happen regardless of the runtime.
Adding one more library increases the risk of a supply-chain attack like this.
As long as you're using npm or any npm-compatible runtime, then it remains to be an unsolved recurring issue in the npm ecosystem.
jacquesm•11m ago
Please, no.
It is an absolutely terrible eco system. The layercake of dependencies is just insane.
cluckindan•5m ago
This is something you also need to do with package managers in other languages, mind you.
weregiraffe•6m ago