
"The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js." "This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload,""
"It's worth noting that the Maven Central package is not published by PostHog itself. Rather, the "org.mvnpm" coordinates are generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. Maven Central said it is working to implement extra protections to prevent already known compromised npm components from being rebundled. As of November 25, 2025, 22:44 UTC, all mirrored copies have been purged."
Shai-Hulud v2 has compromised more than 830 npm packages and expanded into the Maven ecosystem via a mirrored artifact org.mvnpm:posthog-node:4.18.1 that embeds setup_bun.js and bun_environment.js. Releases tied to the PostHog project are compromised across JavaScript/npm and Java/Maven ecosystems. The org.mvnpm coordinates are generated by an automated mvnpm rebundling process rather than by PostHog. Maven Central purged mirrored copies and is implementing extra protections. The second-wave payload targets API keys, cloud credentials, npm and GitHub tokens, and facilitates worm-like lateral supply-chain compromise. The attack backdoors developer machines, steals secrets, and exfiltrates them to attacker-controlled GitHub repositories.
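Two checks a defender can run from the indicators above, as an added example that is not code from The Hacker News, Socket, PostHog or mvnpm: one looks for the compromised coordinate in a resolved Maven dependency list, the other looks inside a jar for entries named setup_bun.js or bun_environment.js. The dependency-list line format is assumed to follow `mvn dependency:list` output, and the in-jar path layout of the constructed sample is an assumption.

```python
import io
import zipfile
from typing import Iterable

# Indicators taken from the article. File names are matched on basename only,
# because a rebundled npm package sits under a Maven-specific prefix in the jar.
COMPROMISED_COORDINATE = "org.mvnpm:posthog-node:4.18.1"
SUSPICIOUS_BASENAMES = {"setup_bun.js", "bun_environment.js"}


def find_compromised_coordinates(dependency_lines: Iterable[str]) -> list[str]:
    """Return lines of a resolved dependency list that reference the coordinate.
    Assumes the `mvn dependency:list` layout group:artifact:type[:classifier]:version:scope."""
    group, artifact, version = COMPROMISED_COORDINATE.split(":")
    hits = []
    for raw in dependency_lines:
        line = raw.replace("[INFO]", "").strip()
        tokens = line.split(":")
        if len(tokens) >= 4 and tokens[0] == group and tokens[1] == artifact \
                and version in tokens[2:]:
            hits.append(line)
    return hits


def scan_jar_for_payload(jar_bytes: bytes) -> list[str]:
    """Return jar entry names whose basename is one of the loader/payload files."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist() if n.rsplit("/", 1)[-1] in SUSPICIOUS_BASENAMES]


def build_sample_jar() -> bytes:
    """Constructed sample jar imitating a rebundled npm package; the contents are
    placeholders, not the real files, and the _static layout is an assumption."""
    base = "META-INF/resources/_static/posthog-node/4.18.1/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(base + "package.json", "{}\n")
        jar.writestr(base + "setup_bun.js", "// placeholder, not the real loader\n")
        jar.writestr(base + "bun_environment.js", "// placeholder, not the real payload\n")
        jar.writestr(base + "lib/index.js", "module.exports = {};\n")
    return buf.getvalue()


# Constructed dependency-list excerpt; only the first artifact line is the bad one.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.mvnpm:posthog-node:jar:4.18.1:compile",
    "[INFO]    org.mvnpm:posthog-node:jar:0.0.0-example:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile",
]

if __name__ == "__main__":
    print(find_compromised_coordinates(SAMPLE_DEPENDENCY_LIST))
    print(scan_jar_for_payload(build_sample_jar()))
```

A hit from either check is a reason to quarantine the build host and rotate the API keys, cloud credentials and npm/GitHub tokens the payload harvests.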
Read at The Hacker News