
Toptal’s GitHub compromised, malicious packages deployed to NPM


Toptal's GitHub organization account was compromised by hackers, who used their access to publish ten malicious packages on the Node Package Manager (NPM) index, BleepingComputer reports.

Attackers hijacked Toptal's GitHub organization and quickly made all 73 repositories public, exposing private source code and internal projects, and modified the Picasso project to include malicious code. The compromised packages contained malware that stole GitHub authentication tokens and then attempted to wipe victims' systems. They published trojanized packages under Toptal's name, which were downloaded around 5,000 times. The malware used preinstall scripts to exfiltrate CLI tokens and postinstall scripts to erase files on Linux or Windows systems. Code security firm Socket reported that Toptal deprecated the infected packages on July 23 and rolled back to safe versions, though no public warning was issued. The initial compromise method is unknown, but theories include phishing or insider threats. Developers are urged to uninstall the affected versions and revert to clean releases immediately.
