Hackers Breach Toptal’s GitHub, Publish Malware-laced NPM Packages Targeting Developers

Hackers have compromised the GitHub organization account of Toptal, a global freelance talent marketplace, and published ten malicious packages on the Node Package Manager (NPM) registry in a targeted cyberattack that could have far-reaching consequences for developers worldwide.
The breach occurred on July 20, when attackers hijacked Toptal’s GitHub account and made all 73 of its repositories public, exposing private projects and internal source code. Shortly after, they injected malware into Toptal’s open-source design system, Picasso, and published the altered components on NPM, posing as legitimate updates under the trusted @toptal namespace.
The malicious packages, downloaded approximately 5,000 times before being flagged, included code designed to steal GitHub authentication tokens and then erase victims’ systems. The data exfiltration was executed through a 'preinstall' script embedded in the package.json files, which transmitted the stolen tokens to an attacker-controlled webhook URL. Following this, a 'postinstall' script attempted to wipe the user’s device, using destructive commands tailored to both Linux and Windows environments.
Among the affected packages were @toptal/picasso-tailwind, @toptal/picasso-charts, @toptal/picasso-forms, and several others, all of which were temporarily available via NPM under Toptal’s account. The attackers also published a package named @xene/core, expanding the footprint of the breach.
Security firm Socket, which first analyzed the incident, confirmed that Toptal deprecated the malicious versions and replaced them with clean releases by July 23. However, as of now, the company has not issued a public statement addressing the breach or warning users of the potential risk posed by the downloads.
The precise method used to gain access to Toptal’s GitHub organization remains unclear. Possibilities under consideration include phishing, credential theft, or insider compromise. The intrusion has raised concerns within the developer community, especially given the rapid spread and potential severity of the payloads involved.
Toptal, headquartered in the United States, connects clients with a vetted network of engineers, designers, and finance professionals. It also maintains several open-source tools and libraries that are widely used by developers around the world. Picasso, the company’s internal design system, is one of the key offerings exposed in this breach. BleepingComputer has reached out to Toptal for comment, but no response has been received at the time of publication.