
Freelance development company Toptal found delivering malicious software following a breach in their GitHub account

Malicious software detected in over 5,000 downloads, according to Socket research findings

Unauthorized intrusion into GitHub account of Toptal, a freelance development firm, leads to the spreading of malware through their services.


In a recent cybersecurity incident, attackers managed to infiltrate Toptal's GitHub account and publish malicious npm packages. These packages, designed to steal data from developers, were first publicly noted on July 23, 2025.

Timeline of the Attack and Response

Attackers gained control of Toptal's GitHub organization and used that access to modify its repositories and publish malicious versions of Toptal's npm packages. Security researchers at Socket subsequently found that the malicious versions had been downloaded around 5,000 times before they were pulled. Toptal, however, said that most of those downloads were automated security scanners rather than real installs by users.

Toptal removed the malicious package versions and took the affected repositories offline promptly, but did not initially publish a detailed timeline of the attack and remediation. The company also stressed that no customers or individuals were affected, because the packages are "hardly used (if used at all) outside of Toptal."

Initial Compromise Vector

The GitHub account itself was the initial point of compromise. Whoever controls an organization's GitHub account can push commits and trigger publishing of its npm packages directly, and that is how the malicious versions were inserted into Toptal's developer tooling repositories. How the account was taken over in the first place (a stolen credential, a leaked token, or something else) is not stated in the reports summarized here.

Affected npm Packages

The compromised code was found in malicious versions of npm packages belonging to Toptal's Picasso developer toolkit. The ten affected package names, as reported by Socket, are listed at the end of this article. The malicious payload was embedded in files shipped inside these package versions, not in the project's normal source, so it was visible only to anyone inspecting what the registry actually served.

Nature of the Malicious Code

Per Socket's analysis, the inserted code ran from the packages' npm install-time lifecycle scripts, so it executed automatically on any machine that installed one of the malicious versions. A preinstall step harvested the developer's GitHub CLI authentication token and sent it to an attacker-controlled endpoint; with stolen tokens the attackers could retain access to repositories and accounts even after the original breach was closed. A postinstall step then attempted to wipe the host's filesystem with a recursive delete. The practical lesson is that a dependency's install hooks run with the developer's privileges before any of the package's own code is ever imported.

Impact

Although the malicious versions were downloaded about 5,000 times, most of those downloads appear to have been automated security scans rather than real-world installs. Toptal stated that it knows of no impact on customers, partner companies, or individual users, citing the limited use of the affected packages outside its own internal developer environment. That assessment rests on Toptal's own telemetry; any team that did install one of the listed versions during the exposure window should treat the GitHub tokens on that machine as compromised.

Conclusion

This attack underscores the risk of supply chain compromise through trusted developer repositories and the need for strict access controls and monitoring on critical code hosting and package publishing accounts. Socket's team contacted Toptal regarding the incident but had not received a response at the time of publication.

The compromised npm packages, as listed by Socket, are @toptal/picasso-tailwind, @toptal/picasso-charts, @toptal/picasso-shared, @toptal/picasso-provider, @toptal/picasso-select, @toptal/picasso-quote, @toptal/picasso-forms, @xene/core, @toptal/picasso-utils, and @toptal/picasso-typograph. Attackers have attempted similar intrusions against other maintainers, and npm packages published from hijacked accounts are becoming an increasingly common supply chain vector.

Socket also advises organizations to review their npm audit logs and dependency lock files to identify if any of the compromised versions were pulled into their projects.

  1. The compromise of Toptal's GitHub account resulted in the publication of malicious npm packages designed to steal data from developers.
  2. The attackers used the GitHub account itself as the initial point of compromise and inserted malicious package versions directly into developer tooling repositories.
  3. The affected packages belong to Toptal's Picasso developer toolkit; the names include @toptal/picasso-tailwind, @toptal/picasso-charts, and the others listed above.
  4. The malicious code ran from install-time scripts, stole GitHub authentication tokens, and gave the attackers a way to keep access to compromised repositories and accounts, underlining the need for strong controls on code hosting and package publishing accounts.
