GMS-2025-800: posthog-node compromised with credential-harvesting malware
On November 25, 2025, the Shai-Hulud 2.0 supply chain attack spread to Maven Central through automated mirroring of compromised npm packages. The org.mvnpm:posthog-node:4.18.1 package contains malicious code that attempts to harvest credentials and infect GitHub repositories. The malware was mirrored automatically from the compromised npm version by the mvnpm process, which rebuilds npm packages as Maven artifacts. The malicious code executes during the build phase and attempts to harvest credentials for popular online services. It is recommended that all credentials be rotated, the Maven cache be cleared, target directories be removed, and all dependencies be rolled back to previous versions.
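A defender-side helper for the cleanup steps above, added here as an example; it is not part of the GitLab advisory or of the mvnpm project. It checks a Maven project for the org.mvnpm:posthog-node:4.18.1 coordinates, either declared in pom.xml or listed in saved `mvn dependency:tree` output, and removes the cached artifact and the project's target/ directory so a rebuild cannot reuse the compromised jar. It assumes the standard Maven layout (~/.m2/repository, a pom.xml that lists groupId, artifactId and version in that order); the script name and function names are my own.

```shell
#!/bin/sh
# Added example (not the advisory's or mvnpm's own code): find and purge the
# mirrored org.mvnpm:posthog-node:4.18.1 artifact from a Maven project.
# Coordinates come from the advisory; the paths are assumptions about a
# standard Maven layout (~/.m2/repository, pom.xml, target/).

AFFECTED_GROUP="org.mvnpm"
AFFECTED_ARTIFACT="posthog-node"
AFFECTED_VERSION="4.18.1"

# pom_declares_affected POM: exit 0 if the pom.xml declares the affected
# dependency (groupId, artifactId, version in the usual order), else exit 1.
# All whitespace is stripped first so multi-line declarations still match.
pom_declares_affected() {
  tr -d ' \t\r\n' < "$1" | grep -q \
    "<groupId>$AFFECTED_GROUP</groupId><artifactId>$AFFECTED_ARTIFACT</artifactId><version>$AFFECTED_VERSION</version>"
}

# tree_lists_affected FILE: exit 0 if saved `mvn dependency:tree` output lists
# the affected coordinates (format group:artifact:type:version), else exit 1.
# This catches transitive use that pom.xml alone would not show.
tree_lists_affected() {
  grep -q "$AFFECTED_GROUP:$AFFECTED_ARTIFACT:[^:]*:$AFFECTED_VERSION" "$1"
}

# cached_artifact_dir [REPO]: print the local-repository directory Maven uses
# for the affected artifact (REPO defaults to ~/.m2/repository).
cached_artifact_dir() {
  repo="${1:-$HOME/.m2/repository}"
  printf '%s/%s/%s/%s\n' "$repo" "$(printf '%s' "$AFFECTED_GROUP" | tr . /)" \
    "$AFFECTED_ARTIFACT" "$AFFECTED_VERSION"
}

# purge_cached_artifact PROJECT_DIR [REPO]: remove the cached artifact and the
# project's target/ directory. Prints each path removed; exits 0 regardless.
purge_cached_artifact() {
  project="$1"
  dir="$(cached_artifact_dir "${2:-}")"
  for path in "$dir" "$project/target"; do
    if [ -d "$path" ]; then
      rm -rf "$path"
      echo "removed $path"
    fi
  done
}

# Usage: sh purge-posthog.sh /path/to/project [/path/to/.m2/repository]
if [ -n "${1:-}" ]; then
  if pom_declares_affected "$1/pom.xml"; then
    echo "pom.xml declares $AFFECTED_GROUP:$AFFECTED_ARTIFACT:$AFFECTED_VERSION; purging"
    purge_cached_artifact "$1" "${2:-}"
  else
    echo "pom.xml does not declare the affected version; check 'mvn dependency:tree' for transitive use"
  fi
fi
```

Run `mvn dependency:tree > tree.txt` in the project and pass the file to `tree_lists_affected` to catch the artifact when it arrives transitively. Credential rotation and the rollback to a previous dependency version remain manual steps; the script only removes what a rebuild would otherwise pick up from the cache.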