https://socket.dev/blog/toptal-s-github-organization-hijacked-10-malicious-packages-published
Unknown threat actors successfully breached Toptal’s GitHub organisation account in a sophisticated supply chain attack, using the compromised access to publish 10 malicious packages to the npm registry that collectively garnered approximately 5,000 downloads before being detected and removed. Security firm Socket reported that the attack also resulted in 73 repositories associated with the organisation being made public, exposing potentially sensitive code and information to unauthorised access.
The malicious packages, including @toptal/picasso-tailwind, @toptal/picasso-charts, and several other Picasso-branded libraries, carried an identical payload embedded in their package.json files. The code was placed in the preinstall and postinstall scripts, which npm runs automatically during installation, so that it would exfiltrate GitHub authentication tokens to a webhook.site endpoint and then run destructive commands designed to silently delete all directories and files on both Windows and Linux systems, with no user interaction required. The attack demonstrates the serious risks facing the open-source ecosystem, where legitimate-looking packages can carry devastating payloads that activate automatically during installation.
The incident highlights the escalating threat to software supply chains, occurring alongside other recent attacks targeting npm and Python Package Index repositories with surveillanceware capable of keystroke logging, screen capture, and credential theft. While the exact method of compromise remains unknown, potential attack vectors include credential compromise or insider threats with access to Toptal’s GitHub organisation. The affected packages have since been reverted to their latest safe versions, but the breach underscores the critical need for enhanced security measures and verification processes in open-source package repositories to protect developers and downstream users from similar attacks.