Hackers compromised Toptal's GitHub organization account and used that access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages contained data-stealing code that collected GitHub authentication tokens and wiped victims' systems. The attackers also made 73 private repositories public, exposing private projects and source code. The malicious packages were downloaded roughly 5,000 times before being detected, potentially infecting developers with malware.
TPRM report: https://scoringcyber.rankiteo.com/company/toptal
"id": "top341072525",
"linkid": "toptal",
"type": "Breach",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Freelance Talent Marketplace',
                        'name': 'Toptal',
                        'type': 'Company'}],
 'attack_vector': ['GitHub Account Compromise', 'NPM Package Compromise'],
 'data_breach': {'data_exfiltration': True,
                 'type_of_data_compromised': ['GitHub authentication tokens']},
 'date_detected': '2023-07-23',
 'description': "Hackers compromised Toptal's GitHub organization account and "
                'used their access to publish ten malicious packages on the '
                'Node Package Manager (NPM) index.',
 'impact': {'data_compromised': ['GitHub authentication tokens'],
            'systems_affected': ['Developer systems infected with malware']},
 'investigation_status': 'Ongoing',
 'motivation': ['Data Theft', 'System Wipe'],
 'post_incident_analysis': {'corrective_actions': ['Deprecated malicious '
                                                   'packages',
                                                   'Reverted to safe versions'],
                            'root_causes': ['GitHub account compromise',
                                            'NPM package compromise']},
 'recommendations': ['Revert to a previous stable version if any of the '
                     'malicious packages were installed'],
 'references': [{'source': 'BleepingComputer'}],
 'response': {'containment_measures': ['Deprecated malicious packages',
                                       'Reverted to safe versions']},
 'title': 'Toptal GitHub and NPM Account Compromise',
 'type': 'Supply Chain Attack'}