The Shai-Hulud worm has spread beyond the npm ecosystem and was discovered in Maven . Socket specialists noticed an infected package on Maven Central containing the same malicious components used in the second wave of Shai-Hulud attacks. Experts have identified the org.mvnpm:posthog-node:4.18.1 package on Maven Central, which contains two components characteristic of Shai-Hulud: the setup_bun.js loader and the main payload bun_environment.js. Currently, this is the only Java package found containing this malware. “The PostHog project was compromised in both the JavaScript/npm and Java/Maven ecosystems, with the same payload, Shai-Hulud v2, being used in all cases,” the researchers write. It’s important to note