Malware in PostHog NPM packages
I know many of us use a really excellent PostHog service, but it seems their latest version of `posthog-js` NPM package contains malware.
Reported to their security channel, also reported to NPM, but also wanted to raise awareness here.
Update: It seems all their NPM packages have the same problem
Update 2: https://status.posthog.com/
10 comments
[ 0.21 ms ] story [ 29.3 ms ] threadIn `package.json`, it has a script `"preinstall": "node setup_bun.js"` + files `setup_bun.js` and `bun_environment.js` which are apparently is the malware.
It seems many of their other NPM packages also have the same problem. https://www.npmjs.com/~timgl (all published 5 hours ago)
Looking forward to the post-mortem.
1. Malware uses a "preinstall" NPM script, which is triggered upon you running `npm install`.
2. Malware installs `bun`.
3. Then it installs and starts `trufflehog` (a tool for scanning code for secrets, API keys, passwords, etc.).
We've rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you're on the latest version of our SDKs.
We're still figuring out how this key got compromised, and we'll follow up with a post-mortem. We'll update status.posthog.com with more updates as well.