
Post-mortem of Shai-Hulud attack on November 24th, 2025


At 4:11 AM UTC on November 24th, a number of our SDKs and other packages were compromised by a malicious self-replicating worm, Shai-Hulud 2.0. New versions were published to npm containing a preinstall script that:

Scanned the environment the install script was running in for credentials of any kind using Trufflehog, an open-source security tool that searches codebases, Git histories, and other data sources for secrets.

Exfiltrated those credentials by creating a new public repository on GitHub and pushing the credentials to it.

Used any npm credentials found to publish malicious packages to npm, propagating the breach.

By 9:30 AM UTC, we had identified the malicious packages, deleted them, and revoked the tokens used to publish them. We also began the process of rolling all potentially compromised credentials pre-emptively, although we had not at the time established how our own npm credentials had been compromised (we have now, details below).

The attack only affected our JavaScript SDKs published to npm. The most relevant compromised packages and versions were:

posthog-node 4.18.1, 5.13.3 and 5.11.3

posthog-js 1.297.3

posthog-react-native 4.11.1

posthog-docusaurus 2.0.6

posthog-react-native-session-replay @1.2.2

@posthog/agent @1.24.1
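
A lockfile check for the versions listed above, as an added example that is not part of the original post-mortem. The names `COMPROMISED`, `findCompromised` and `SAMPLE_LOCK` are hypothetical and the sample lockfile is constructed; the two layouts handled (flat `packages` map for lockfileVersion 2/3, nested `dependencies` tree for version 1) are npm's package-lock.json formats.

```javascript
// Versions the post-mortem above lists as compromised.
const COMPROMISED = new Map([
  ["posthog-node", ["4.18.1", "5.13.3", "5.11.3"]],
  ["posthog-js", ["1.297.3"]],
  ["posthog-react-native", ["4.11.1"]],
  ["posthog-docusaurus", ["2.0.6"]],
  ["posthog-react-native-session-replay", ["1.2.2"]],
  ["@posthog/agent", ["1.24.1"]],
]);

const isBad = (name, version) =>
  (COMPROMISED.get(name) || []).includes(version);

// Returns [{ name, version, path }] for every pinned compromised version,
// including transitive copies nested under other packages.
function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const i = path.lastIndexOf("node_modules/");
    const name = entry.name || (i >= 0 ? path.slice(i + 13) : path);
    if (isBad(name, entry.version)) hits.push({ name, version: entry.version, path });
  }
  if (lock.packages) return hits; // v2 mirrors entries into "dependencies"; do not double count
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (isBad(name, entry.version)) hits.push({ name, version: entry.version, path });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not taken from the post-mortem).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/posthog-js": { version: "1.297.3" },
    "node_modules/posthog-node": { version: "5.13.2" },
    "node_modules/some-plugin/node_modules/@posthog/agent": { version: "1.24.1" },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

A hit means the lockfile pins a listed version; because the payload ran from a preinstall script, any machine or CI runner that installed from that lockfile should have its credentials rotated.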
