Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index.
The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems.
Toptal is a freelance talent marketplace that connects companies with software developers, designers, and finance experts. The company also maintains internal developer tools and design systems, most notably Picasso, which they make available through GitHub and NPM.
Attackers hijacked Toptal's GitHub organization on July 20 and, almost immediately, made all 73 of its repositories public, exposing private projects and source code.
In the days that followed, the attackers modified the source code of Picasso on GitHub to include malware and published 10 malicious packages on NPM as Toptal, making them appear as legitimate updates.
The malicious packages and modified versions are:
@toptal/picasso-tailwind (v3.1.0)
@toptal/picasso-charts (v59.1.4)
@toptal/picasso-shared (v15.1.0)
@toptal/picasso-provider (v5.1.1)