It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users.
The latest target, according to security firm Socket, is JavaScript code available on repository npm. A total of 10 packages available from the npm page belonging to global talent agency Toptal contained malware and were downloaded by roughly 5,000 users before the supply-chain attack was detected. The packages have since been removed. This was the third supply-chain attack Socket has observed on npm in the past week.
Poisoning the well
The hackers behind the attack pulled it off by first compromising Toptal’s GitHub Organization and from there using that access to publish the malicious packages on npm.
