“No Toptal customer, company, or individual was affected by this incident.”
Attackers hijacked Toptal’s GitHub organization and embedded malware in 10 npm packages that could steal auth tokens and install backdoors. About 5,000 downloads occurred before the compromise was caught, though Toptal claims most were automated security scans. The company recently laid off 70% of its engineering team, which probably has nothing to do with how attackers gained access. Toptal declined to explain how the compromise happened or when it started. Nothing says “we have this under control” like refusing to answer basic questions about a supply chain attack.