With all malicious package versions unpublished, we're now actively hardening our npmjs deployment pipeline, our GitHub Actions workflows, and all Node projects to prevent a future incident. A public postmortem will follow with more detailed information, next steps, and learnings.
Just to make sure, you want to delete node_modules and run `pnpm cache delete` if using pnpm to make sure you don't have any affected packages running.
We've unpublished all relevant versions, and have published newer versions for all JS SDKs. Make sure you're on the latest version of our JS SDKs.
We've unpublished all relevant versions, and have published newer versions for all JS SDKs. Make sure you're on the latest version of our JS SDKs.
The following packages were compromised: - posthog-node 4.18.1, 5.13.3 and 5.11.3 - posthog-js 1.297.3 - posthog-react-native 4.11.1 - posthog-docusaurus 2.0.6
Posted Nov 24, 2025 - 10:28 UTC
Update
We've identified that several of our packages contain compromised versions. We've unpublished the affected versions for our main repo, and are published new, safe versions of the packages.
Posted Nov 24, 2025 - 09:42 UTC
Update
We've identified that some client library packages published this morning contain compromised packages. We're working to patch and republish clean packages.
Posted Nov 24, 2025 - 09:39 UTC
Investigating
We've identified that a version of our Javascript packages contains compromised packages. We're working to patch and republish clean packages.