GHSA-6VHH-4XW6-H2H2 Element Call reports full URLs of visited pages to analytics server

Impact Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data $initialpersoninfo, $sessionentryurl, and $currenturl were found ...

Element Call reports full URLs of visited pages to analytics server

Impact Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data $initialpersoninfo, $sessionentryurl, and $currenturl were found ...

PT-2026-48683

Impact Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data $initial person info, $session entry url, and $current url were...

CVE-2022-0645

Open redirect vulnerability via endpoint authorizeandredirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The package was flagged as malicious during the Sha1-hulud supply chain attack. Although the Sha1-hulud IoCs are not present within the package, the contents of the affected version were removed from the officia...

@medusajs/medusa (>=2.10.0 <=2.11.4-preview-20251124032825), @medusajs/medusa-oas-cli (>=2.10.0 <=2.11.4-preview-20251124000311) potentially affected by unknown CVE via @medusajs/analytics-posthog (>=2.10.0-preview-20250818120145 <=2.11.4-preview-20251124032825)

@medusajs/analytics-posthog NPM version =2.10.0-preview-20250818120145, =2.10.0, =2.10.0, =2.11.4-preview-20251124000311 Source cves: unknown CVE Source advisory: SNYK:JS-MEDUSAJSANALYTICSPOSTHOG-14137959...

Malicious code in org.mvnpm:posthog-node (Maven)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security ea90a5928d7667bed4fa9f6effbbe6c8d3ad6521ca51ca2b01551bc02373a7d2 This package was compromised by the Sha1-Hulud: The Second Coming NPM worm. The malicious payload steals tokens and credentials and...

EUVD-2025-199706

Malicious code in org.mvnpm:posthog-node Maven...

Malicious code in @posthog/heartbeat-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b0402071ebf395126c5e1e90681622f203d9744eca75a1f2061a6a2d030cdcc The package @posthog/heartbeat-plugin was found to contain malicious code. Source: google-open-source-security...

EUVD-2025-199446

Malicious code in @posthog/intercom-plugin npm...

EUVD-2025-199443

Malicious code in @posthog/migrator3000-plugin npm...

MAL-2025-191297 Malicious code in @posthog/netdata-event-processing (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3f3fdd5fe90ae01310b329b8e4892a4e79799685cdb45682fd4de592b402710e The package @posthog/netdata-event-processing was found to contain malicious code. Source: google-open-source-security...

EUVD-2025-199445

Malicious code in @posthog/laudspeaker-plugin npm...

MAL-2025-191300 Malicious code in @posthog/zendesk-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0ee22feb7805e50708b86abe78fb463cafe5f1a3408f41297a18deafa6e110fb The package @posthog/zendesk-plugin was found to contain malicious code. Source: google-open-source-security...

MAL-2025-191293 Malicious code in @posthog/intercom-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 12c972a0fa0f1cf26c3a80f626651c44d7d2b9021694b8e4f965ff35b56b0429 The package @posthog/intercom-plugin was found to contain malicious code. Source: google-open-source-security...

Malicious code in @posthog/postgres-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10be24eebbc464a61788d5c151ce03171d4abe4b1cd7f27972fef642fc46deda The package @posthog/postgres-plugin was found to contain malicious code. Source: google-open-source-security...

EUVD-2025-199441

Malicious code in @posthog/postgres-plugin npm...

Malicious code in posthog-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2b422f278bf27e062b349e97360b6919e773122f21656f23d6da583ce7cb1a92 The package posthog-js was found to contain malicious code. Source: google-open-source-security...

MAL-2025-191295 Malicious code in @posthog/lemon-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bba1e7fb74f376bd3b56d7c910331af7b46fa8c392e697e08f858b837112e061 The package @posthog/lemon-ui was found to contain malicious code. Source: google-open-source-security...

Malicious code in @posthog/filter-out-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e29182ef33e7d24b6f775624daaa2eb546ce24fe4d768adf7c561c4e7084d5ff The package @posthog/filter-out-plugin was found to contain malicious code. Source: google-open-source-security...