posthog-node compromised with credential-harvesting malware
On November 25th 2025, the Shai-Hulud 2.0 supply chain attack spread to Maven Central through automated mirroring of compromised npm packages. The org.mvnpm:posthog-node:4.18.1 package contains malicious code that attempts to harvest credentials and infect GitHub repositories. The malware was automatically mirrored from the compromised npm version via the mvnpm process that rebuilds npm packages as Maven artifacts. The malicious software executes during the build phase and attempts to harvest credentials …