Hackers compromised the GitHub account of freelance talent marketplace Toptal, gaining access to their entire repository of software, then injected malware into popular NPM packages.
Accessing the entire repository of a company to push malware via updates is a goal many hackers aspire to. If that company also happens to have a lot of popular software, the target is that much more enticing.
According to a Bleeping Computer report, hackers took over Toptal's GitHub account and immediately set 73 private repositories to public, exposing resources that are normally only available to the internal devs.
It’s not yet clear how the attackers got in, but they used their unfettered access to insert malicious scripts into the widely used Picasso design system packages and then published 10 infected NPM packages disguised as legitimate updates.
The malicious packages included two hidden scripts:
Preinstall script: Extracted and sent developers' GitHub CLI authentication tokens directly to attackers via a webhook.
Postinstall script: Attempted to delete the victims' entire file systems:
On Linux: sudo rm -rf --no-preserve-root /
On Windows: rm /s /q
Socket's Threat Research Team, which observed the infected packages in the wild, estimated that around 5,000 downloads occurred before the Toptal team pulled the plug.
"Toptal responded quickly once the compromise was identified and deprecated the malicious package versions and reverted to their last stable versions, preventing further distribution of the malicious code. This rapid response likely prevented significant additional damage to the developer community," said Socket.
Toptal has yet to officially acknowledge the breach or the entire security incident.
Developers who installed the affected packages are advised to immediately revert to stable versions published before July 20 and to rotate or invalidate compromised GitHub tokens.
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
May 16, 2025