Toptal GitHub Hacked: Malicious npm Packages Wipe Dev Systems

Toptal GitHub Breach and Amazon Q Incident Expose Ongoing Supply Chain Risks in Open-Source Developer Tools

  • Attackers breached Toptal’s GitHub organization and published 10 malicious npm packages.
  • The packages aimed to steal GitHub tokens and erase user data, impacting about 5,000 downloads.
  • Similar supply chain attacks were found in both the npm and PyPI repositories, distributing malware that records keystrokes and accesses webcams.
  • A separate incident targeted the Amazon Q Visual Studio Code extension, with code designed to wipe users’ files and cloud resources.
  • All affected packages and tools have since been restored to safe versions, according to official statements.

Unknown attackers compromised the GitHub account of Toptal and released 10 harmful packages on the npm registry, putting thousands of users at risk. The attackers used this access to publish code designed to steal GitHub authentication tokens and delete data on victims’ machines. The activity also exposed 73 repositories related to the organization.

The malicious Node.js libraries, all containing the same harmful code in their installation scripts, were downloaded about 5,000 times before removal. Security company Socket reported, “The nefarious code has been found to specifically target the preinstall and postinstall scripts to exfiltrate the GitHub authentication token to a webhook[.]site endpoint and then silently remove all directories and files without requiring any user interaction on both Windows and Linux systems (‘rm /s /q’ or ‘sudo rm -rf --no-preserve-root /’).” The actual cause of the breach is not yet identified, but compromised credentials or a rogue insider are considered possible factors.

The affected packages include @toptal/picasso-tailwind, @toptal/picasso-charts, @toptal/picasso-shared, and others. After discovery, the npm repository was restored to safe package versions.

This breach coincided with another supply chain attack involving npm and PyPI repositories. Attackers distributed packages that embedded spyware into open-source developer tools. These packages logged keystrokes, captured screenshots and webcam images, and sent stolen data over communication channels like Slack, Gmail SMTP, and AWS Lambda endpoints. Downloads for these packages ranged from several hundred to tens of thousands.

Another incident targeted the Amazon Q extension for Visual Studio Code. Malicious code submitted as a pull request was merged into the project, allowing commands that could erase a user’s home directory and delete all AWS resources. According to Amazon’s advisory, “Once we were made aware of this issue, we immediately revoked and replaced the credentials, removed the unapproved code from the codebase, and subsequently released Amazon Q Developer Extension version 1.85 to the marketplace.”


These incidents highlight ongoing risks in open-source software supply chains, where attackers exploit public repositories to insert malware into widely used developer tools.
