Hackers Compromise Toptal GitHub, Release 10 Malicious npm Packages with Over 5,000 Downloads

Jul 28, 2025 | Ravie Lakshmanan | Malware / Developer Tools

## Toptal’s GitHub Account Compromised: A Disturbing Trend in Software Supply Chain Security

Unidentified threat actors gained control of Toptal’s GitHub organization account and used that access to publish ten malicious versions of the company’s packages to the npm registry. The incident is another reminder that a single compromised maintainer account can push hostile code to every downstream developer who runs an install.

### Malicious Packages Exposed

The compromised versions carried code that steals the developer’s GitHub authentication token and then attempts to wipe the host’s file system. According to a report from Socket, the attackers also flipped 73 repositories belonging to Toptal from private to public in the course of the breach.

#### List of Affected Packages

The following npm packages had malicious versions published:

- @toptal/picasso-tailwind
- @toptal/picasso-charts
- @toptal/picasso-shared
- @toptal/picasso-provider
- @toptal/picasso-select
- @toptal/picasso-quote
- @toptal/picasso-forms
- @xene/core
- @toptal/picasso-utils
- @toptal/picasso-typograph

All ten packages carried the same payload, placed in the scripts section of their package.json files, and were downloaded roughly 5,000 times before they were pulled from the registry.

### Mechanisms of Attack

The payload is split across the packages’ preinstall and postinstall scripts, which npm runs automatically during `npm install`, so no user interaction is required. It first exfiltrates the developer’s GitHub authentication token to a webhook endpoint and then attempts to delete every file and directory on the machine, using `rm /s /q` on Windows and `sudo rm -rf --no-preserve-root /` on Linux. Two details matter for assessing the blast radius: `rm /s /q` mixes a Unix command name with the flags of cmd.exe’s `del`, so it is not a valid command on either platform and the Windows branch would fail; the Linux command, by contrast, passes `--no-preserve-root` to override rm’s built-in refusal to remove `/` and will destroy the system wherever the installing user can run sudo without a prompt.

How the GitHub organization was compromised has not been disclosed; the possibilities range from stolen credentials to a rogue insider with access to the account. Toptal has since reverted all affected packages to their last known safe versions.

### Concurrent Supply Chain Attacks

The breach coincides with other recent supply chain attacks on npm and the Python Package Index (PyPI) that delivered surveillance malware to developers’ machines, capable of logging keystrokes, taking screenshots, capturing webcam images, and harvesting system information and credentials.

#### Identified Compromised Packages

Packages identified in these campaigns, with their download counts:

- dpsdatahub (npm) – 5,869 downloads
- nodejs-backpack (npm) – 830 downloads
- m0m0x01d (npm) – 37,847 downloads
- vfunctions (PyPI) – 12,033 downloads

These packages relied on techniques such as invisible iframes and browser event listeners to log keystrokes and capture the screen programmatically without alerting the user.

### The Amazon Q Extension Incident

Separately, the Amazon Q extension for Visual Studio Code shipped with malicious code after a contributor using the alias “lkmanka58” submitted a pull request containing it. The code could erase the user’s home directory and delete AWS resources; the pull request was accepted and the code went out in version 1.84.0 of the extension.

The individual claimed the goal was to expose what they saw as weak security practices at the company. Once the code was discovered, Amazon pulled the affected version and released a clean one, 1.85.0.

### Amazon’s Response

In an advisory, Amazon said the unauthorized change did not affect any production services or end users, and that it had immediately revoked the credentials involved and removed the unapproved code from the repository.

> “Security researchers reported a potentially unapproved code modification was attempted in the open-source VSC extension that targeted Q Developer CLI command execution,” the company stated.

Taken together, these incidents show that a compromised maintainer account or a carelessly merged pull request puts every downstream developer at risk. With so much tooling pulled straight from public registries, organizations need strict controls on who can publish and merge, and continuous monitoring of the open-source ecosystems they depend on.
