News: 1753453687


Freelance dev shop Toptal caught serving malware after GitHub account break-in

(2025/07/25)


Developer freelancing platform Toptal has been inadvertently spreading malicious code after attackers broke into its systems and began distributing malware through developer accounts.

Toptal bills itself as an elite software developer freelance business where every applicant "is rigorously tested and vetted."

Yet it seems its security may not be as carefully maintained, at least according to a [1]report by security biz Socket that found it has been pushing out malware to around 5,000 users after unknown miscreants hijacked its GitHub account and placed malware in Toptal's [2]Picasso developer toolbox.


The attack code, embedded in package.json files, gave the hijackers the ability to steal GitHub authentication tokens, maintain persistent access on hijacked accounts, and set up a backdoor that would allow more malware to be downloaded. Socket identified the following npm packages as compromised:

@toptal/picasso-tailwind
@toptal/picasso-charts
@toptal/picasso-shared
@toptal/picasso-provider
@toptal/picasso-select
@toptal/picasso-quote
@toptal/picasso-forms
@xene/core
@toptal/picasso-utils
@toptal/picasso-typograph

"Our analysis identified malicious code in 10 packages out of the 73 repositories that went public. While our comprehensive scanning didn't detect additional malicious packages beyond these 10, we always recommend thorough verification as part of security best practices," Kush Pandya, a Socket researcher, told The Register.

"For anyone who may have installed these packages, we advise immediately checking for malicious lifecycle scripts in package.json files, rotating any GitHub authentication tokens that might have been exposed, and scanning systems for signs of the destructive commands (sudo rm -rf --no-preserve-root / on Unix systems). Organizations should review their npm audit logs and dependency lock files to identify if any of the compromised versions were pulled into their projects."


Socket contacted Toptal, and Pandya said the company took the infected repositories down quickly, but hasn't yet provided a timeline for when the attacks started, which would help potential victims know whether they were at risk or not. However, one report [6]noted the Picasso file swaps on Monday. Toptal has not responded to our questions for more detail about that nor how the attackers got in.

Socket said:

Toptal responded quickly once the compromise was identified and deprecated the malicious package versions and reverted to their last stable versions, preventing further distribution of the malicious code. This rapid response likely prevented significant additional damage to the developer community.

Socket's team contacted Toptal regarding this incident but have not received a response at the time of publication.

"Our analysis hasn't identified the initial compromise vector," Pandya told us. "We've examined the attack patterns and compared them to recent npm supply chain attacks like the phishing campaigns that hit [7]prettier and the 'is' package hijacking."

On Tuesday, Socket reported that the "is" npm package was also infected with JavaScript malware that was capable of running on Windows, macOS and Linux. Similar malware was also found in the prettier code formatter.


"The tight five-minute window for the repository changes suggests either automated tooling or someone with elevated access, but without additional forensic evidence from Toptal's side, we can't determine whether this was credential compromise, insider threat, or a variant of the ongoing phishing campaigns," Pandya said.

This isn't the first time attackers have [9]attempted such an intrusion, and npm packages are becoming an increasingly popular target.

[10]Not pretty, not Windows-only: npm phishing attack laces popular packages with malware

[11]GitHub supply chain attack spills secrets from 23,000 projects

[12]Ripple NPM supply chain attack hunts for private keys

[13]AI code helpers just can't stop inventing package names

The use of AI to help coders isn't helping, since [14]similar package poisoning attacks have been used against so-called smart AI coding systems. GitHub is under increasing levels of attack from [15]typosquatting techniques, and they are proving difficult to stop.

The only answer is to check and check again, but that requires getting past the Layer Eight (ie, human) barrier, and that's never really worked.

Last year, Toptal [16]reportedly laid off 70 percent of its engineering team. This may not have been a smart decision in light of this week's events. ®




[1] https://socket.dev/blog/toptal-s-github-organization-hijacked-10-malicious-packages-published

[2] https://github.com/toptal/picasso


[6] https://x.com/adnanthekhan/status/1947423547959157115

[7] https://www.theregister.com/2025/07/24/not_pretty_not_windowsonly_npm/


[9] https://www.theregister.com/2025/04/23/ripple_npm_supply_chain/

[10] https://www.theregister.com/2025/07/24/not_pretty_not_windowsonly_npm/

[11] https://www.theregister.com/2025/03/17/supply_chain_attack_github/

[12] https://www.theregister.com/2025/04/23/ripple_npm_supply_chain/

[13] https://www.theregister.com/2024/09/30/ai_code_helpers_invent_packages/

[14] https://www.theregister.com/2025/03/17/supply_chain_attack_github/

[15] https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/

[16] https://www.freelanceinformer.com/news/toptal-layoffs-a-wake-up-call-for-freelancers/




Amplification factor

SVD_NL

I have no idea how Toptal works in particular; I'm assuming these packages are meant to be used by their freelance devs. To me this looks like a fairly creative way to amplify your attack reach. Getting GitHub access tokens from freelance developers has the potential to snowball into access to codebases from various different clients.

Similar to breaching an MSP in a way.

Re: Amplification factor

Kurgan

That's how supply chain attacks work. And that's why they are the most rewarding ones; you break into one system, you affect thousands.
