Article Details

Scrape Timestamp (UTC): 2025-07-25 14:31:37.847

Source: https://www.theregister.com/2025/07/25/toptal_malware_attack/

Original Article Text


Freelance dev shop Toptal caught serving malware after GitHub account break-in

Malicious code lurking in over 5,000 downloads, says Socket researcher

Developer freelancing platform Toptal has been inadvertently spreading malicious code after attackers broke into its systems and began distributing malware through its developer accounts.

Toptal bills itself as an elite software developer freelance business where every applicant "is rigorously tested and vetted." Its own security may not be as carefully maintained: a report by security biz Socket found that Toptal has been pushing out malware in roughly 5,000 downloads after unknown miscreants hijacked its GitHub account and placed malware in Toptal's Picasso developer toolbox.

The attack code, embedded in the lifecycle scripts of the packages' package.json files, gave the hijackers the ability to steal GitHub authentication tokens, maintain persistent access to the hijacked accounts, and set up a backdoor through which further malware could be downloaded.

Socket identified the following npm packages as compromised:

"Our analysis identified malicious code in 10 packages out of the 73 repositories that went public. While our comprehensive scanning didn't detect additional malicious packages beyond these 10, we always recommend thorough verification as part of security best practices," Kush Pandya, a Socket researcher, told The Register.

"For anyone who may have installed these packages, we advise immediately checking for malicious lifecycle scripts in package.json files, rotating any GitHub authentication tokens that might have been exposed, and scanning systems for signs of the destructive commands (sudo rm -rf --no-preserve-root / on Unix systems). Organizations should review their npm audit logs and dependency lock files to identify if any of the compromised versions were pulled into their projects."

Socket contacted Toptal, and Pandya said the company took the infected repositories down quickly, but it has not yet provided a timeline of when the attack started, which would help potential victims judge whether they were at risk. One report, however, put the Picasso file swaps on Monday. Toptal has not responded to our questions about that timeline or about how the attackers got in.

Socket said: "Toptal responded quickly once the compromise was identified and deprecated the malicious package versions and reverted to their last stable versions, preventing further distribution of the malicious code. This rapid response likely prevented significant additional damage to the developer community. Socket's team contacted Toptal regarding this incident but have not received a response at the time of publication."

"Our analysis hasn't identified the initial compromise vector," Pandya told us. "We've examined the attack patterns and compared them to recent npm supply chain attacks like the phishing campaigns that hit prettier and the 'is' package hijacking."

On Tuesday, Socket reported that the "is" npm package had also been infected with JavaScript malware capable of running on Windows, macOS and Linux. Similar malware was also found in the prettier code formatter.

"The tight five-minute window for the repository changes suggests either automated tooling or someone with elevated access, but without additional forensic evidence from Toptal's side, we can't determine whether this was credential compromise, insider threat, or a variant of the ongoing phishing campaigns," Pandya said.

This isn't the first such intrusion, and npm packages are an increasingly popular target. So-called smart AI coding assistants don't help, since similar package-poisoning attacks have been aimed at them too. The npm registry, which GitHub owns, faces growing typosquatting attacks, and they are proving difficult to stop.

The only answer is to check and check again, but that requires getting past the Layer Eight (ie, human) barrier, and that has never really worked. Last year, Toptal reportedly laid off 70 percent of its engineering team. In light of this week's events, that may not have been a smart decision.

Daily Brief Summary

MALWARE // Toptal's GitHub Account Breached, Malware Distributed to Developers

Toptal's GitHub account was compromised, leading to the distribution of malware via its Picasso developer toolbox.

Approximately 5,000 downloads of Toptal's software contained malicious code, aimed at stealing GitHub authentication tokens and setting up backdoors.

Security firm Socket found malicious code in 10 npm packages out of the 73 Toptal repositories that went public; the code was built to steal GitHub tokens, keep persistent access to hijacked accounts and pull down further malware.

Socket advised affected users to check package.json files for malicious scripts, rotate any compromised GitHub tokens, and scan systems for malicious activity.

Toptal acted quickly, deprecating the malicious package versions and reverting to the last stable versions to prevent further distribution.

Socket attempted to contact Toptal for additional details regarding the breach timeline and the intrusion method but received no response.

The compromised npm packages fit a broader pattern of npm supply-chain attacks, including phishing campaigns against maintainers (such as those that hit prettier and the "is" package), typosquatting, and package poisoning aimed at AI coding assistants.