
Unauthorized intruders breach GitHub account of freelance development company Toptal, resulting in the distribution of malware.

Malicious packages were downloaded roughly 5,000 times, according to research by Socket


Toptal's Picasso Developer Toolbox Compromised in Malware Attack

Toptal's Picasso developer toolbox has been compromised: attackers embedded malicious code in the packages' files. The malware let the hijackers steal GitHub authentication tokens, keep persistent access to the accounts they had taken over, and set up a backdoor for downloading further malware[1][2].

The attack began on July 20, 2025, when the attackers compromised Toptal's GitHub account. Using that access, they published 10 malicious npm packages that were downloaded around 5,000 times[1][2]. Toptal says many of those downloads were automated security scans rather than real installs by users.

The malicious code was found in 10 out of 73 public repositories on Toptal's GitHub account, including packages such as , , and . The company has since taken the infected repositories down[1][2].

The incident resembles other recent npm supply chain attacks, including the phishing campaign that hit 'prettier' and the hijacking of the 'is' package[1]. In both of those cases the published packages were found to contain JavaScript malware[1].

Organizations should review their npm install and CI logs and their dependency lock files to find out whether any of the compromised versions were pulled into their projects. They should also check installed packages for malicious lifecycle scripts (preinstall, install, postinstall) in package.json, rotate any GitHub authentication tokens that may have been exposed, and scan systems for signs that destructive commands were run[1].

The initial compromise vector remains unidentified, which suggests either automated tooling or someone with elevated access[1]. AI coding assistants do not reduce the exposure: similar package-poisoning attacks have already been aimed at so-called smart AI coding systems[1].

GitHub is seeing increasing levels of typosquatting attacks, and they are proving difficult to stop[1]. Socket's team contacted Toptal about the incident but had received no response at the time of publication[1].

Toptal has not published its own timeline of the attack, and it has been reported that the company laid off 70 percent of its engineering team last year[1]. Toptal maintains that no users were affected by the incident[1][2].

[1] Source: TechCrunch
[2] Source: Toptal's official statement

  1. Toptal's Picasso developer toolbox was compromised after attackers gained access to the company's GitHub account and published 10 malicious npm packages.
  2. The malware stole GitHub authentication tokens, kept persistent access to hijacked accounts, and installed a backdoor for downloading further malware.
  3. With typosquatting and package-poisoning attacks on the rise, organizations should review install and CI logs and lock files, check installed packages for malicious lifecycle scripts, rotate exposed GitHub tokens, and scan systems for signs of destructive commands.
  4. Toptal says no users were affected; the initial compromise vector has not been identified, and the company reportedly laid off 70 percent of its engineering team last year.
