Shai-Hulud v2 Campaign Spreads From npm to Maven, Exposing Thousands of Secrets
Summary
The Shai-Hulud supply chain attack has escalated from npm, where it compromised more than 830 packages, to the Maven ecosystem. The identified Maven Central package, org.mvnpm:posthog-node:4.18.1, embeds the same loader and payload components seen in the npm wave, so any build or host that resolved it should be treated as exposed.
Original Article Summary
The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js."
Impact
Affected products include the Maven Central package org.mvnpm:posthog-node version 4.18.1, in addition to the more than 830 npm packages compromised in the earlier wave.
In the Wild
Yes
Timeline
Ongoing since the initial npm compromise and now expanded to Maven.
Remediation
Users are advised to remove org.mvnpm:posthog-node:4.18.1 from their builds and local dependency caches, check other resolved artifacts for the setup_bun.js and bun_environment.js components, rotate any credentials that were available to developer machines or CI jobs that resolved the package (the campaign harvests secrets), and monitor Maven Central and the Socket report for further affected coordinates. This is a malicious package, not a software vulnerability: there is no patched version of 4.18.1 to wait for.
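The following is an added triage script, not code from the Socket report or from the original article. It walks a Maven repository directory in the standard layout (such as ~/.m2/repository) and flags any jar that either resolves to the reported coordinate org.mvnpm:posthog-node:4.18.1 or contains an entry whose filename is setup_bun.js or bun_environment.js, the two component names given above. The sample repository it builds for the demonstration is constructed here for illustration; the paths used inside the sample jars are assumed and are not taken from the real artifact.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Indicators taken from the report: the affected Maven coordinate and the
# filenames of the two embedded components (loader and main payload).
AFFECTED_COORDINATE = ("org.mvnpm", "posthog-node", "4.18.1")
IOC_FILENAMES = {"setup_bun.js", "bun_environment.js"}


def coordinate_of(jar_path, repo_root):
    """Derive (groupId, artifactId, version) from a jar's location in a Maven
    repository layout: <root>/<group/as/dirs>/<artifact>/<version>/<file>.jar.
    Returns None for jars that do not sit in that layout."""
    parts = Path(jar_path).relative_to(repo_root).parts
    if len(parts) < 4:
        return None
    version, artifact = parts[-2], parts[-3]
    group = ".".join(parts[:-3])
    return (group, artifact, version)


def suspicious_entries(jar_path):
    """Return the jar entries whose basename matches a known component
    filename, regardless of the directory they sit in inside the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(
            name for name in zf.namelist()
            if os.path.basename(name) in IOC_FILENAMES
        )


def scan_repository(repo_root):
    """Walk a Maven repository and report jars that are either the affected
    coordinate or carry the component filenames. Each finding records the jar
    path, its coordinate (if derivable) and the matching entries."""
    repo_root = Path(repo_root)
    findings = []
    for jar in sorted(repo_root.rglob("*.jar")):
        coord = coordinate_of(jar, repo_root)
        entries = suspicious_entries(jar)
        if coord == AFFECTED_COORDINATE or entries:
            findings.append({"jar": str(jar), "coordinate": coord, "entries": entries})
    return findings


def build_sample_repository(root):
    """Constructed sample data for the demo: one jar at the reported coordinate
    carrying both component filenames, one unrelated clean jar. The in-jar
    directory layout here is assumed, not copied from the real package."""
    root = Path(root)
    bad_dir = root / "org" / "mvnpm" / "posthog-node" / "4.18.1"
    good_dir = root / "org" / "example" / "clean-lib" / "1.0.0"
    bad_dir.mkdir(parents=True)
    good_dir.mkdir(parents=True)
    with zipfile.ZipFile(bad_dir / "posthog-node-4.18.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/resources/setup_bun.js", "// constructed placeholder\n")
        zf.writestr("META-INF/resources/bun_environment.js", "// constructed placeholder\n")
    with zipfile.ZipFile(good_dir / "clean-lib-1.0.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Clean.class", b"\xca\xfe\xba\xbe")
    return root


def demo():
    """Build the constructed sample repository in a temp dir, scan it and
    return the findings (used both for the stand-alone run and for testing)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repository(tmp)
        return scan_repository(tmp)


if __name__ == "__main__":
    # For a real check, point scan_repository at your own cache instead:
    #   scan_repository(os.path.expanduser("~/.m2/repository"))
    for finding in demo():
        print(finding)
```

A hit on the coordinate alone means the package was resolved on that machine; a hit on the filenames in some other artifact is worth a manual look, since a repackaged copy would not carry the reported coordinate. Either result should be followed by removing the jar from the cache, fixing the dependency that pulled it in, and rotating the secrets that build could reach.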