Toptal, a company specializing in freelance development talent, was the victim of a cyberattack in which attackers gained access to its GitHub organization and published 10 malicious npm packages containing code that steals GitHub CLI authentication tokens and wipes files on victims’ systems. In total, the packages were downloaded more than 5,000 times before they were taken down.

The breach occurred on July 20, when the attackers not only gained access to Toptal’s GitHub organization but also exposed 73 private repositories, including the Picasso design-system library. Over the following days, they modified the package.json of the affected packages, adding two npm lifecycle scripts: a preinstall hook that exfiltrates data and a postinstall hook that wipes the host’s filesystem.
The compromised packages include core components of the Toptal ecosystem, among them:
@toptal/picasso-tailwind
@toptal/picasso-forms
@toptal/picasso-typography
The preinstall script read the GitHub CLI token and sent it to an attacker-controlled webhook; the postinstall script then ran a command to destroy all files (`sudo rm -rf --no-preserve-root /` on Linux, with an equivalent destructive command for Windows). Because npm runs preinstall and postinstall hooks automatically during `npm install`, the victim needed to do nothing beyond installing or updating the package. Socket, which analyzed the packages, reported that the malicious versions were taken down on July 23, but Toptal has not issued an official statement to its users.
Toptal is a well-known global marketplace for software development, design, and finance professionals. The company actively uses GitHub and npm to distribute internal tools. According to experts, the hack could have been carried out through phishing, an insider, or compromised access credentials. The impact is amplified because this is a supply-chain attack: every project that depends on the affected packages, potentially hundreds of third-party projects, pulls the malicious code in automatically.
This incident is another warning for the open-source community and DevOps teams: automatic package updates without careful verification can have fatal consequences. Weaknesses in package distribution, combined with the implicit trust placed in packages published by large companies, give attackers ideal conditions. Users are advised to immediately roll back to known-good versions, pin them in their lock files, and check their systems for signs of compromise. Anyone who installed an affected version on a machine where the GitHub CLI was logged in should treat that token as stolen and revoke it, and teams should consider installing with lifecycle scripts disabled (`npm install --ignore-scripts`) so that a compromised package cannot execute code at install time.