EUVD-2025-199706

Malicious code in org.mvnpm:posthog-node Maven...

Malicious code in org.mvnpm:posthog-node (Maven)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security ea90a5928d7667bed4fa9f6effbbe6c8d3ad6521ca51ca2b01551bc02373a7d2 This package was compromised by the Sha1-Hulud: The Second Coming NPM worm. The malicious payload steals tokens and credentials and...

Malicious code in posthog-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c2ec4a50c0b553e9abbcc25147ad50014cf1488415e1ec8e3234f3e9bb3cc24e The package posthog-node was found to contain malicious code. Source: google-open-source-security...

MAL-2025-190925 Malicious code in posthog-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c2ec4a50c0b553e9abbcc25147ad50014cf1488415e1ec8e3234f3e9bb3cc24e The package posthog-node was found to contain malicious code. Source: google-open-source-security...

@localstack/localstack-mcp-server (>=0.2.0 <=0.4.0), @posthog/nuxt (>=0.0.5 <=1.2.8) +4 more potentially affected by unknown CVE via posthog-node (>=5.0.0 <=5.13.2)

posthog-node NPM version =5.0.0, =0.2.0, =0.0.5, =0.62.0, =20.7.1-alpha.134, =0.0.0-client-js-listmessages-agentid-fix-20251119175531, =1.0.0-beta.9 Source cves: unknown CVE Source advisory: OSV:MAL-2025-190925...

@agent-relay/daemon (>=2.0.5 <=2.3.14), @agent-relay/dashboard (>=2.0.18 <=2.0.19) +339 more potentially affected by unknown CVE via posthog-node (>=4.0.0 <=4.18.0)

posthog-node NPM version =4.0.0, =2.0.5, =2.0.18, =2.0.5, =2.0.5, =0.59.0, =1.0.0, =0.3.0, =1.0.0, =1.1.1, =0.1.6, =0.7.107, =0.1.0, =0.0.0-dev.7baee3d, =0.0.0-dev.acb62ef and more Source cves: unknown CVE Source advisory: OSV:MAL-2025-190925...

@localstack/localstack-mcp-server (>=0.2.0 <=0.4.0), @posthog/nuxt (>=0.0.5 <=1.2.8) +4 more potentially affected by unknown CVE via posthog-node (>=5.0.0 <=5.13.2)

posthog-node NPM version =5.0.0, =0.2.0, =0.0.5, =0.62.0, =20.7.1-alpha.134, =0.0.0-client-js-listmessages-agentid-fix-20251119175531, =1.0.0-beta.9 Source cves: unknown CVE Source advisory: SNYK:JS-POSTHOGNODE-14103346...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

@agent-relay/daemon (>=2.0.5 <=2.3.14), @agent-relay/dashboard (>=2.0.18 <=2.0.19) +339 more potentially affected by unknown CVE via posthog-node (>=4.0.0 <=4.18.0)

posthog-node NPM version =4.0.0, =2.0.5, =2.0.18, =2.0.5, =2.0.5, =0.59.0, =1.0.0, =0.3.0, =1.0.0, =1.1.1, =0.1.6, =0.7.107, =0.1.0, =0.0.0-dev.7baee3d, =0.0.0-dev.acb62ef and more Source cves: unknown CVE Source advisory: SNYK:JS-POSTHOGNODE-14103346...

com.alilitech:boot-plus-log (>=2.1.0 <=2.1.5), com.github.linyuzai:concept-plugin-spring-boot-starter (>=2.0.0 <=3.0.0) +19 more potentially affected by CVE-2025-27152 via org.webjars.npm:axios (>=1.15.2 <=1.7.2)

org.webjars.npm:axios MAVEN version =1.15.2, =2.1.0, =2.0.0, =1.0.3, =1.0.0, =2.1.1, =1.0.0, =1.0.0, =2.1.3, =2.0.0, =1.0.2, =4.22.2, =4.22.2, =0.0.1, =1.0.0 - org.webjars.npm:posthog-node =4.17.1 and more Source cves: CVE-2025-27152 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-9376923...