An unauthorized intrusion into the GitHub account of freelance software development company Toptal led to malware being distributed through its npm packages.
A security breach at Toptal, a developer freelancing platform, resulted in 10 of its npm packages being compromised and published with malicious code. The affected package names were:
- @toptal/picasso-tailwind
- @toptal/picasso-charts
- @toptal/picasso-shared
- @toptal/picasso-provider
- @toptal/picasso-select
- @toptal/picasso-quote
- @toptal/picasso-forms
- @xene/core
- @toptal/picasso-utils
- @toptal/picasso-typograph
These packages were injected with malware designed to exfiltrate GitHub authentication tokens and execute destructive commands on Windows and Linux systems. The incident was linked to the compromise of Toptal's GitHub organization account, which left 73 repositories publicly exposed for a period.
The malware found in the Toptal and prettier repositories can run on Windows, macOS, and Linux. Socket, a cybersecurity firm, reported that the 'is' npm package and the prettier code formatter were also infected with JavaScript malware on Tuesday.
Toptal took the infected repositories down quickly after the compromise was identified. Socket's team contacted Toptal regarding the incident but had not received a response at the time of publication.
The malware gave the hijackers the ability to steal GitHub authentication tokens, maintain persistent access on hijacked accounts, and set up a backdoor for more malware downloads. Similar package poisoning attacks have been used against so-called smart AI coding systems.
Socket advises checking package.json files for malicious lifecycle scripts (the hooks npm runs automatically at install time), rotating any GitHub authentication tokens that may have been exposed, and scanning systems for signs that destructive commands were executed.
The tight five-minute window for the repository changes suggests either automated tooling or someone with elevated access, but the initial compromise vector hasn't been identified. Unknown miscreants hijacked Toptal's GitHub account, and the attack patterns on Toptal's repositories have been compared to recent npm supply chain attacks such as the phishing campaign that hit 'prettier' and the hijacking of the 'is' package.
The incident comes after Toptal reportedly laid off 70 percent of its engineering team last year. Toptal bills itself as an elite software developer freelance business. The company has contended that the malware did not affect any users (updated on Aug. 6).
It's worth noting that GitHub is under increasing attack from typosquatting techniques. This incident serves as a reminder for developers to be vigilant when installing packages and to check the authenticity of the packages they use.
- The security breach at Toptal, a software developer freelance business, resulted in 10 of its npm packages being compromised and exposed 73 repositories publicly.
- The malware found in the Toptal and prettier repositories can operate on Windows, macOS, and Linux, and it was designed to exfiltrate GitHub authentication tokens and execute destructive commands.
- Socket, a cybersecurity firm, advises checking for malicious lifecycle scripts in package.json files, rotating any exposed GitHub authentication tokens, and scanning systems for signs of destructive commands to ensure data and cloud computing systems remain secure.
- The tight five-minute window for the repository changes suggests that either automated tooling or someone with elevated access was involved, but the initial compromise vector hasn't been identified.
- The incident serves as a reminder for developers to be vigilant when installing packages and to check the authenticity of the packages they use.