A busy week of supply-chain attacks targeting open source software in public repositories: successful breaches of developer accounts led to malicious packages being pushed to users.
- Latest target: JavaScript packages published by global talent agency Toptal on the npm registry. 10 malicious packages were detected and removed after being downloaded by about 5,000 users. This was the third such attack on npm in a week.
Attack details:
- Hackers compromised Toptal's GitHub organization and used that access to publish malicious packages to npm. Exactly how the changes in the GitHub repositories led to the npm package releases is unclear.
- The malicious payload had two stages: the first extracted the target's GitHub authentication token and sent it to an attacker-controlled endpoint; after the credentials were exfiltrated, the second attempted to delete the filesystem of the target's device.
- Socket reported three attacks last week: one compromised an npm account, and three of its packages, through a phishing attack that used a typosquatted domain; the npm package 'is', which has 2.8 million weekly downloads, was also compromised.
- Potential damage: supply-chain attacks can cause widespread damage because many packages are dependencies of other packages. Developers who use the targeted packages should verify that no malicious versions are installed. They should also monitor their repositories, review package scripts, use security scanning, rotate authentication tokens, and use MFA. Repositories should make MFA mandatory.