timgl 7 hours ago

co-founder of PostHog here. We were a victim of this attack. We had a bunch of packages published a couple of hours ago. The main packages/versions affected were:

- posthog-node 4.18.1, 5.13.3 and 5.11.3

- posthog-js 1.297.3

- posthog-react-native 4.11.1

- posthog-docusaurus 2.0.6

We've rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you're on the latest version of our SDKs.

We're still figuring out how this key got compromised, and we'll follow up with a post-mortem. We'll update status.posthog.com with more updates as well.

bilalq 4 hours ago | parent | next [-]

You're probably already planning this, but please set up an alarm to fire off if a new package release is published that is not correlated with a CI/CD run.
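One way to implement the check described above, as an added example that is not from the thread or from PostHog's own tooling: compare the versions in an npm registry document against the releases your CI/CD actually recorded, flag everything else, and note when a flagged version is lower than CI's newest (a backfill into an older release line, which is what the affected versions listed in this thread look like). The registry document and the CI release list below are constructed sample data; the document shape (`versions`, `time`, `dist-tags`) is the real npm registry format.

```javascript
// Constructed sample of an npm registry document for a package. In a real
// monitor you would fetch https://registry.npmjs.org/<package> on a schedule.
const SAMPLE_REGISTRY_DOC = {
  name: "posthog-node",
  "dist-tags": { latest: "5.13.3" },
  // npm's `time` map has one ISO timestamp per version (plus created/modified).
  time: {
    "5.13.2": "2025-11-20T10:00:00.000Z",
    "4.18.1": "2025-11-24T09:02:00.000Z",
    "5.11.3": "2025-11-24T09:03:00.000Z",
    "5.13.3": "2025-11-24T09:04:00.000Z",
  },
  versions: { "5.13.2": {}, "4.18.1": {}, "5.11.3": {}, "5.13.3": {} },
};

// Versions our own pipeline released (constructed; in practice read this from
// CI job records, never from the registry itself).
const CI_RELEASED = new Set(["5.13.2"]);

function parseSemver(v) {
  return v.split(".").map(Number);
}

// True when version a sorts strictly before version b (major.minor.patch).
function semverLess(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

function highestVersion(versions) {
  return [...versions].reduce((hi, v) => (hi === null || semverLess(hi, v) ? v : hi), null);
}

// Returns every published version CI did not produce, oldest publish first.
// `backfill` marks versions lower than CI's newest release: a "new" version
// landing in an old release line is a strong signal of a stolen publish token.
function findUnexpectedReleases(doc, ciReleased) {
  const newestCi = highestVersion(ciReleased);
  return Object.keys(doc.versions)
    .filter((v) => !ciReleased.has(v))
    .map((v) => ({
      version: v,
      publishedAt: doc.time[v],
      backfill: newestCi !== null && semverLess(v, newestCi),
    }))
    .sort((a, b) => a.publishedAt.localeCompare(b.publishedAt));
}

console.log(findUnexpectedReleases(SAMPLE_REGISTRY_DOC, CI_RELEASED));
```

Wire the result into whatever pages you at 3am; an empty array means every version on the registry is accounted for by a CI run.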

twistedpair 29 minutes ago | parent | next [-]

This is built into NPM. You can get an email on every pkg publishing.

Sure, it might be a little bit of noise, but if you get a notice @ 3am of an unexpected publishing, you can jump on unpublishing it.

euph0ria 2 hours ago | parent | prev [-]

Very nice way of putting it, kudos!

brabel 7 hours ago | parent | prev | next [-]

If anything people should use an older version of the packages. Your newest versions had just been compromised, why should anyone believe this time and next time it will be different?!

timgl 7 hours ago | parent [-]

The packages were published using a compromised key directly, not through our CI/CD. We rolled the key, and published a new clean version from our repo through our CI/CD: https://github.com/PostHog/posthog-js/actions/runs/196303581...

progbits 6 hours ago | parent [-]

Why do you keep using token auth? This is unacceptable negligence these days.

NPM supports GitHub workflow OIDC and you can make that required, disabling all token access.

timgl 6 hours ago | parent | next [-]

Yep, we are moving to workflow OIDC as the next step in recovery.

junon 5 hours ago | parent | prev | next [-]

OIDC is not a silver bullet either and has its own set of vectors to consider too. If it works for your org model then great, but it doesn't solve every common scenario.

woodruffw 4 hours ago | parent [-]

Trusted Publishing addresses the vector here, which is arbitrary persistence and delayed use of credentials by attackers. You're right that it's not a silver bullet (anything claiming to be one is almost certainly a financially induced lie), but it eliminates/foreshortens the attack staging window significantly.

silverlight 2 hours ago | parent | prev | next [-]

Did the client side JS being infected produce any issues which would have affected end users? As in if a web owner were on an affected version and deployed during the window would the end user of their site have had any negative impact?

timgl 7 minutes ago | parent [-]

No, just the host that was running the package (the exploit was pretty generic and not targeted at PostHog specifically). In fact, so far we think there were 0 production deployments of PostHog because the package was only live for a little bit.

Y_Y 6 hours ago | parent | prev | next [-]

> so make sure you're on the latest version of our SDKs.

Probably even safer to not have been on the latest version in the first place.

Or safer again not to use software this vulnerable.

meesles 3 hours ago | parent | next [-]

As a user of Posthog, this statement is absurd:

> Or safer again not to use software this vulnerable.

Nearly all software you use is susceptible to vulnerabilities, whether it's malicious or enterprise taking away your rights. It's in bad taste to make a comment about "not using software this vulnerable" when the issue was widespread in the ecosystem and the vendor is already being transparent about it. The alternative is you shame them into not sharing this information, and we're all worse for it.

tclancy 6 hours ago | parent | prev [-]

Popularity and vulnerability go hand in hand though. You could be pretty safe by only using packages with zero stars on GitHub, but would you be happy or productive?

spiderfarmer 7 hours ago | parent | prev | next [-]

If we don't know how it got compromised, chances are this attack is still spreading?

_alternator_ 7 hours ago | parent | prev [-]

Glad you updated on this front-page post. Your Twitter post is buried on p3 for me right now. Good luck on the recovery and hopefully this helps someone.