PostHog admits Shai-Hulud 2.0 was its biggest ever security bungle
theregister.co.uk

PostHog says the Shai-Hulud 2.0 npm worm compromise was "the largest and most impactful security incident" it's ever experienced after attackers slipped malicious releases into its JavaScript SDKs and tried to auto-loot developer credentials.
In a postmortem released by PostHog, one of several package maintainers hit by Shai-Hulud 2.0, the company says the contaminated packages – which included core SDKs such as posthog-node, posthog-js, and posthog-react-native – carried a preinstall script that npm ran automatically when the package was installed. That script ran TruffleHog to scan the host for credentials, exfiltrated any secrets it found to newly created public GitHub repositories, then used stolen npm credentials to publish further malicious packages – which is how the worm spread.
According to security boffins at Wiz who uncovered the second coming of the Shai-Hulud campaign, more than 25,000 developers had their secrets compromised within three days. Along with PostHog, affected packages include those provided by Zapier, AsyncAPI, ENS ...
Copyright of this story solely belongs to theregister.co.uk. The full text is available from the original publisher.

