November 29, 2025
Worms vs. Website: Who broke worse?
Post-mortem of Shai-Hulud attack on November 24th, 2025
A worm hit PostHog’s packages — commenters roast the website and ask how the tokens leaked
TLDR: A fast-spreading worm compromised PostHog’s packages via a stolen bot token and a sneaky pull request, but fixes landed within hours. Commenters mostly roasted the site’s design while debating whether it was phishing, demanding the risky workflow be shared, and trading tips to delay auto-updates for safety.
A self-spreading bug called Shai-Hulud 2.0 slipped into PostHog’s JavaScript packages at dawn, scooping up saved passwords and publishing booby-trapped updates. PostHog yanked the bad versions within hours, revoked keys, and said script-tag users were safe. The twist: it wasn’t phishing — a sneaky pull request snagged a bot’s GitHub token and secrets from their build system. The write-up owned the mistake and suggested waiting a few days before auto-updating, a simple safety trick.
But the comments? Absolute chaos. The loudest chorus wasn’t about malware — it was about the website. Folks called it “unusable on Safari,” said the design “feels like a joke that went too far,” and ranted about “too many bars” hogging already tiny screens. Amid the roast, some gave kudos for the transparency and begged PostHog to release the original risky workflow after a security tool’s warning was suppressed as a “false positive.” Others debated whether this was a classic supply-chain mess or just one bad workflow away from disaster. The mood: solid post-mortem, spicy UX takedowns, and a community split between “great write-up” and “please fix your site before the next worm finds it.”
Key Points
- At 4:11 AM UTC on Nov 24, 2025, a Shai-Hulud 2.0 worm compromised several PostHog npm packages via a malicious preinstall script.
- The script used Trufflehog to find credentials, exfiltrated them to a public GitHub repo, and used npm credentials to publish more malicious packages.
- By 9:30 AM UTC, PostHog removed malicious packages, revoked tokens, and began rotating potentially affected credentials.
- Only npm-distributed JavaScript SDKs were affected; the script version of PostHog was not impacted.
- Root cause: an attacker stole a GitHub bot’s Personal Access Token and CI secrets (including an npm token) via a PR workflow modification days before the attack.