
SHA1-Hulud the Second Comming – Postman, Zapier, PostHog All Compromised via NPM

https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
119•birdculture•1h ago

Comments

benzible•47m ago
Dup https://news.ycombinator.com/item?id=46032539
swsieber•41m ago
This article has quite a bit more information though.
thih9•40m ago
Not a dup, this is a different article about the same event, with different information too.
a4isms•35m ago
Please use the word "Dup" for a resubmission of the same link and "See also" for a different submission.
neogodless•25m ago
See also: https://news.ycombinator.com/item?id=46032539 Shai-Hulud Returns: Over 300 NPM Packages Infected (helixguard.ai)

~6 hours ago | 430 comments

nathan_compton•43m ago
I never, ever, do development outside of a podman container these days. Basically if I am going to run some code from somewhere and I haven't read it, it goes in a container.

I know it's not foolproof, but I can't believe how often people run code they haven't read where it can make a huge mess, steal secrets, etc. I'll probably get owned someday, I'm sure, but this feels like a bare minimum.

rco8786•33m ago
How are you doing this in practice? These are npm packages. I don't see how you could reasonably pull in Posthog's SDK in a container.
christophilus•32m ago
What do you mean? You can drop into bash in a container and run any arbitrary command, so `npm install foo` works just fine. Why would posthog's SDK be a special case?
LeifCarrotson•13m ago
I think the issue is more about what else has to go into or be connected to that container. Posthog isn't really useful if it's air-gapped. You're going to give it keys to access all kinds of juicy databases and analytics, and those NPM tokens, AWS/GCP/Azure credentials, and environment variables are exactly what it exfiltrates.

I don't run much on the root OS of my dev machine, basically everything is in a container or VM of some kind, but that's more so that I can reproduce my environment by copying a VMDK than in an effort to limit what the container can do to itself and the data it has access to. Yeah, even with root access to a VM guest, an attacker won't get my password manager, personal credit card, socials, etc. that I only use from the host OS... But they'll get everything that the container contains or has access to, which is often a lot of data!

Lutger•3m ago
You're severely limiting the blast radius. This malware works by exfiltrating secrets during installation, if I understood it correctly. If you would properly containerize your app and limit permissions to what is absolutely required, you could be compromised and still suffer little to no consequences.

Of course, this is not a real defense on its own, it's just good practice to limit blast radius, much like not giving everybody admin rights.

myaccountonhn•24m ago
I ssh into a second local user and do development there instead with tmux.
n4r9•5m ago
I send mail to a demon which runs MsBuild and mails the output back to me.
netdevphoenix•24m ago
> if I am going to run some code from somewhere and I haven't read it, it goes in a container

How does this work? Every single npm package has tons of dependency tree nodes

Lutger•9m ago
Everything runs in the container and cannot escape it. It's like a sandbox.

You have to make sure you're not putting any secrets in the container environment.

moffkalast•4m ago
All right then, keep your secrets.
swsieber•9m ago
I didn't read this as separate containers.
echelon•1m ago
Another effective strategy I learned of recently that seems like it would have avoided this is to wait months before using new versions of packages.

Most attacks on popular packages last at most a few months before detection.

QuantumNomad_•40m ago
Typo in title. Current title of HN post says:

> SHA1-Hulud the Second Comming – Postman, Zapier, PostHog All Compromised via NPM

Should be Shai-Hulud, not SHA1-Hulud.

adzm•32m ago
That said, the secrets are uploaded to a repo named `Sha1-Hulud: The Second Coming`
zahlman•31m ago
Ah, I missed that detail.
zahlman•31m ago
I don't know why you were downvoted. The actual page does not say SHA1, the attack as far as I know is not related to the SHA1 algorithm, and the name of the worm isn't intended as that sort of pun.
pezezin•12m ago
The worm itself is posting the secrets in Github with the name Sha1-hulud: https://github.com/search?q=sha1-hulud&type=repositories
ChrisArchitect•22m ago
[dupe] Discussion: https://news.ycombinator.com/item?id=46032539
xnorswap•15m ago
Perhaps it's time to organize a curated "stable" stream for npm packages.

If I want more stability for my OS I can choose Debian-stable rather than Ubuntu-nightly.

But for npm, there doesn't seem to be the same choice available. Either I sign up to the fire-hose or I don't.

I can choose to only upgrade once a month, but there's a chance I'm still getting a package that dropped 5 minutes before.

smallerfish•13m ago
Because PostHog's "Talk to a human" chat instead gets a grumpy gatekeeping robot (which also doesn't know how to get you to a working urgent support link), and there's nothing prominently on their home page or github about this:

Hey PostHog! What version do we need to avoid?

raunakchowdhuri•8m ago
Have a slack channel with them, these are the versions they mentioned: posthog-node 4.18.1 posthog-js 1.297.3 posthog-react-native 4.11.1 posthog-docusaurus 2.0.6
timgl•8m ago
co-founder here. We mentioned it in the main thread about this: https://news.ycombinator.com/item?id=46032650 and on status.posthog.com

- posthog-node 4.18.1, 5.13.3 and 5.11.3

- posthog-js 1.297.3

- posthog-react-native 4.11.1

- posthog-docusaurus 2.0.6

If you make sure you're on the latest version you should be good.
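
A check worth having next to timgl's list: an added example (not PostHog's or any commenter's code) that scans a package-lock.json for exactly the versions named above, including copies nested under another dependency's node_modules. The lockfile layouts follow npm's documented v1 and v2/v3 formats; the sample lockfile is constructed for the demo.

```python
"""Scan a package-lock.json for the PostHog versions named in the thread."""
import json
from pathlib import Path

# Versions listed by the PostHog co-founder in the comment above.
COMPROMISED = {
    "posthog-node": {"4.18.1", "5.13.3", "5.11.3"},
    "posthog-js": {"1.297.3"},
    "posthog-react-native": {"4.11.1"},
    "posthog-docusaurus": {"2.0.6"},
}

def find_compromised(lock: dict, bad=COMPROMISED) -> list[tuple[str, str, str]]:
    """Return (install path, package name, version) for every hit.

    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path,
    so nested node_modules copies are separate entries) and the legacy v1
    nested "dependencies" tree.
    """
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Aliased installs carry an explicit "name"; otherwise derive it from
        # the path (keeps "@scope/name" intact).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version in bad.get(name, ()):
            hits.add((path, name, version))

    def walk(deps: dict, prefix: str) -> None:  # v1 tree walker
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version", "") in bad.get(name, ()):
                hits.add((path, name, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)

def scan_lockfile(filename: str) -> list[tuple[str, str, str]]:
    return find_compromised(json.loads(Path(filename).read_text()))

# Constructed sample (not a real project): one clean direct dependency,
# one compromised direct dependency, one compromised nested copy.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/posthog-js": {"version": "1.297.3"},
    "node_modules/posthog-node": {"version": "5.13.4"},
    "node_modules/some-plugin": {"version": "2.1.0"},
    "node_modules/some-plugin/node_modules/posthog-node": {"version": "4.18.1"},
}}

if __name__ == "__main__":
    for path, name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {path}")
```

Run it against a real lockfile with `scan_lockfile("package-lock.json")`; an empty list means none of the listed versions is installed anywhere in the tree.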

smallerfish•5m ago
Thanks. Also - maybe change "talk to a human" to "talk to a grumpy robot" :)
jamietanna•12m ago
See also: https://news.ycombinator.com/item?id=46005111

As it arguably would have reduced impact

(I'm one of the Renovate maintainers and have recently pushed for this to be more of a widely used feature)
