Toptal caught serving malware after GitHub compromise
Briefly

Toptal inadvertently distributed malware after attackers hijacked its GitHub account and tampered with its Picasso developer toolbox. The malicious code was planted in lifecycle scripts in package.json files, which let the hijackers steal GitHub tokens and keep access to compromised accounts. Ten of the 73 repositories that were made public were identified as compromised. Anyone who installed the affected packages should check package.json files for malicious lifecycle scripts, rotate any GitHub authentication tokens that may have been exposed, and scan their systems for signs of the destructive commands. Organizations should audit their npm install logs to find out whether a compromised version of any of the packages was pulled.
"Our analysis identified malicious code in 10 packages out of the 73 repositories that went public. While our comprehensive scanning didn't detect additional malicious packages beyond these 10, we always recommend thorough verification as part of security best practices," said Kush Pandya, a Socket researcher.
"For anyone who may have installed these packages, we advise immediately checking for malicious lifecycle scripts in package.json files, rotating any GitHub authentication tokens that might have been exposed, and scanning systems for signs of the destructive commands (sudo rm -rf --no-preserve-root / on Unix systems)."
"Toptal bills itself as an elite software developer freelance business where every applicant is rigorously tested and vetted."
"Yet it seems its security may not be as carefully maintained, at least according to a report by security biz Socket that found it has been pushing out malware to around 5,000 users after unknown miscreants hijacked its GitHub account and placed malware in Toptal's Picasso developer toolbox."
Read at Theregister