#Some Medusa dependencies and plugins appear to have been compromised

6 messages · Page 1 of 1 (latest)

sullen stirrup
#

Hi everyone,

I’m not sure if this is the right place to share this message, and I apologize in advance if I’m overstepping or posting in the wrong forum.

While browsing Hacker News today, I came across this thread (https://news.ycombinator.com/item?id=46032539) linking to a list (https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24) of npm packages that have been compromised. Searching for the “medusa” keyword using the browser’s find tool reveals eight affected packages:

  • medusa-plugin-momo
  • medusa-plugin-announcement
  • medusa-plugin-zalopay
  • @kvytech/medusa-plugin-newsletter
  • medusa-plugin-product-reviews-kvy
  • @kvytech/medusa-plugin-announcement
  • @kvytech/medusa-plugin-management
  • @kvytech/medusa-plugin-product-reviews

However, simply having the "medusa" prefix doesn’t necessarily confirm that these are Medusa plugins. There’s also one Medusa dependency, "posthog-node", that might impact the Medusa platform itself, depending on the version.

mrdosija
rigid stump
#

I'd recommend creating an issue for each of those plugin repos and reporting this issue. This seems pretty serious, as the malware's goal is to read project secrets.

#

After a deeper look, it appears those codebases are not public on GitHub.

sullen stirrup
#

I think the main concern is the posthog which, I found, is part of the Medusa core. They've (posthog) rolled the keys after the incident and published new versions of their packages.

rigid stump
#

Maybe PostHog needs to be alerted.

sullen stirrup
#

They are active in the thread (https://news.ycombinator.com/item?id=46032650). They seem to be on top of the issue.

timgl

co-founder of PostHog here. We were a victim of this attack. We had a bunch of packages published a couple of hours ago. The main packages/versions affected were:

  • posthog-node 4.18.1, 5.13.3 and 5.11.3
  • posthog-js 1.297.3
  • posthog-react-native 4.11.1
  • posthog-docusaurus 2.0.6

We've rotated keys and passwords, unpublished all affected packages an...