PostHog Details Massive Shai-Hulud 2.0 npm Worm Attack on Developer Ecosystem
PostHog has described the Shai-Hulud 2.0 incident as the largest and most severe security breach it has ever faced. The attack involved malicious releases injected into its JavaScript SDKs, which were designed to automatically steal developer credentials and propagate like a worm across the ecosystem.

According to PostHog’s postmortem, the compromised packages—including posthog-node, posthog-js, and posthog-react-native—shipped with an npm `preinstall` lifecycle script. npm runs such scripts automatically during `npm install`, so the payload executed on every developer machine or CI runner that pulled one of the bad versions. The script ran TruffleHog to scan the host for secrets such as npm and GitHub tokens. Discovered credentials were exfiltrated to public GitHub repositories, and any npm publishing tokens among them were reused to push further malicious package versions, which is what allowed the worm to spread from one maintainer’s packages to the next.
Security researchers at Wiz, who identified the attack, reported that over 25,000 developers had secrets compromised within three days. Beyond PostHog, affected packages included those maintained by Zapier, AsyncAPI, ENS Domains, and Postman, many of which have thousands of weekly downloads.
Unlike a typical trojanized package, which only steals what it can reach, Shai-Hulud 2.0 functions as a full-blown worm: every install of a compromised package can harvest cloud credentials (AWS, Azure, GCP), CI/CD secrets, environment variables, and other sensitive data from developer machines or build systems, and any publishing tokens it finds become the means of infecting the next set of packages. The result is risk that spreads across projects rather than staying contained to the one that was initially compromised.
PostHog responded by revoking all compromised tokens, removing the affected package versions, and issuing “known-good” releases. However, the incident highlighted a deeper structural flaw: a misconfigured CI/CD workflow that allowed malicious pull requests to execute with full privileges. A single malicious PR triggered automation scripts that exfiltrated a bot’s personal-access token with organization-wide write permissions. Using these credentials, the attacker modified the lint workflow to harvest all GitHub secrets, including the npm publishing token, which was then used to push trojanized SDKs—completing the worm’s propagation cycle.
To prevent future incidents, PostHog is adopting several hardening measures, including:
- Implementing a trusted publisher model for npm releases.
- Overhauling workflow and change review processes.
- Disabling install-script execution in CI/CD pipelines.
- Strengthening privilege separation and automation safeguards.
This incident serves as a cautionary tale about the dangers of over-permissioned bots, automated workflows, and rapidly updating dependencies. Even small misconfigurations can give attackers the tools to turn standard development practices into vectors for large-scale credential theft.