Unauthorized intrusion into Toptal's GitHub account results in dissemination of malicious software through the freelance development company's npm packages.
In the current digital landscape, cybersecurity incidents have become an unfortunately common occurrence. The latest victim in this growing trend is Toptal, a popular developer freelancing platform, which suffered a malware attack that compromised its GitHub account and npm packages.
The attacks started around mid to late July 2025, as reported by security researchers. During this time, Toptal's GitHub organization was hijacked, and attackers published 10 malicious npm packages [1][3][5]. These packages began distributing malware around the same time.
A detailed timeline from a security researcher indicates that multiple Toptal repositories were compromised and malicious packages published rapidly within a short timespan around July 23-25, 2025 [5][1]. The attack code was embedded in package files, enabling the theft of GitHub authentication tokens and persistent access to hijacked accounts [1].
Toptal responded quickly to the compromise and deprecated the malicious package versions. However, the compromised packages had around 5,000 downloads by the time of reporting, although many were automated scans rather than user downloads [1][3][5].
The malware was distributed through Toptal's Picasso developer toolbox, after attackers hijacked Toptal's GitHub account. The malware, capable of running on Windows, macOS, and Linux, gave the hijackers the ability to steal GitHub authentication tokens, maintain persistent access on hijacked accounts, and set up a backdoor for more malware [1].
Socket, a cybersecurity firm, advises checking for malicious lifecycle scripts in package.json files, rotating any GitHub authentication tokens that might have been exposed, and scanning systems for signs of destructive commands [6]. Socket's team contacted Toptal regarding this incident but had not received a response at the time of publication.
It is not clear when the attacks started, or how the attackers gained access to Toptal's systems. AI coding assistants offer no protection here either: similar package-poisoning attacks have been used against so-called smart AI coding systems [7].
Interestingly, the "is" npm package was also infected with JavaScript malware, capable of running on various operating systems [2]. Similar malware was also found in the prettier code formatter.
Last year, Toptal reportedly laid off 70 percent of its engineering team. This decision, in light of this week's events, may not have been the most strategic move. Toptal has provided a response, contending that the malware did not affect any users [4]. However, the company has not yet provided a timeline for when the attacks started, nor has it responded to questions for more detail about the attack.
[1] https://www.bleepingcomputer.com/news/security/toptal-npm-packages-infected-with-malware-allowing-attackers-to-steal-github-tokens/
[2] https://www.bleepingcomputer.com/news/security/is-npm-package-infected-with-malware-capable-of-running-on-windows-macos-and-linux/
[3] https://www.zdnet.com/article/toptal-npm-packages-compromised-by-malware-stealing-github-tokens/
[4] https://www.toptal.com/developers/blog/toptal-npm-packages-compromised-but-no-users-were-affected/
[5] https://www.welivesecurity.com/2025/07/27/toptal-npm-packages-compromised-by-malware-stealing-github-tokens/
[6] https://www.socketlabs.com/blog/toptal-npm-packages-compromised-by-malware-stealing-github-tokens/
[7] https://www.bleepingcomputer.com/news/security/ai-isnt-helping-coders-as-package-poisoning-attacks-plague-smart-ai-coding-systems/
- In software and technology, the growing importance of data and cloud computing and of AI in business, personal finance, wealth management, and investing has been accompanied by a rise in cybersecurity incidents like the one experienced by Toptal.
- The malware attack on Toptal, a popular freelancing platform, is a stark reminder that such infrastructure is vulnerable even at the heart of finance and business.
- The compromised versions of Toptal's npm packages, distributed through its Picasso toolbox, illustrate the risk of integrating third-party software into modern systems.
- In response to the incident, cybersecurity firms such as Socket are advising measures including checking for malicious lifecycle scripts, rotating affected authentication tokens, and scanning systems to counter such threats in the future.
- The attack on Toptal underscores the need for robust cybersecurity practices to secure sensitive data, preserve the integrity of cloud-based services, and protect users from financial loss in an era where technology plays a pivotal role in personal finance and financial services.