7 points by roskoalexey 2 hours ago | 7 comments
  • timgl, 14 minutes ago
    co-founder of PostHog here. It looks like we were also a victim of this attack: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

    We've rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you're on the latest version of our SDKs.

    We're still figuring out how this key got compromised, and we'll follow up with a post-mortem. We'll update status.posthog.com with more updates as well.

  • roskoalexey, an hour ago
    Some more details:

    1. Malware uses a "preinstall" NPM script, which is triggered upon you running `npm install`.

    2. Malware installs `bun`.

    3. Then it installs and starts `trufflehog` (a tool for scanning code for secrets, API keys, passwords, etc.).

  • sakce, an hour ago
    Thank you for flagging this - we are actively working on it and will be back with an update!
  • roskoalexey, 2 hours ago
    Also:

    It seems many of their other NPM packages also have the same problem. https://www.npmjs.com/~timgl (all published 5 hours ago)

  • roskoalexey, 2 hours ago
    Details:

    In `package.json`, it has a script `"preinstall": "node setup_bun.js"` + files `setup_bun.js` and `bun_environment.js`, which are apparently the malware.

  • rvz, 2 hours ago
    This feels like an impending disaster about to be unraveled in the Posthog npm packages.

    Looking forward to the post-mortem.