
Sarah Gooding
July 22, 2025
A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects.
The vulnerability, classified as “Use of Insufficiently Random Values,” affects multiple versions of the package and can enable HTTP Parameter Pollution (HPP) attacks. Not every application is directly exposed, but projects that rely on form-data for sensitive form submissions or file uploads could have attacker-controlled parameters injected into their requests if they remain on vulnerable versions.
Maintainers have released patches, but a large portion of projects remain vulnerable due to outdated versions or pinned dependencies.
The issue, tracked as CWE-330 (Use of Insufficiently Random Values), stems from the package generating the boundary string for multipart/form-data requests with Math.random(), which is not a cryptographically secure random source. The boundary is the only thing that separates one part of the body from the next, so an attacker who can predict it and who controls the value of a single field can terminate that part early and start new ones, injecting additional parameters or data into the request (parameter pollution). The conditions are specific: the attacker needs both a way to predict the generator's output and control over at least one submitted value.
According to the security advisory, the vulnerable versions are every release before 2.5.4 (including the 2.x line and earlier majors), 3.0.0 through 3.0.3, and 4.0.0 through 4.0.3.
The patched versions are 2.5.4, 3.0.4, and 4.0.4. Developers are strongly advised to update immediately or, where possible, migrate to the built-in FormData implementation available in Node.js 18+ and all modern browsers.
The vulnerability was reported by Ben Shonaldmann, who also contributed to the remediation. Longtime Node.js and npm maintainer Jordan Harband reviewed the fix, ensuring a reliable patch for all affected versions.
Despite the availability of native FormData APIs, the form-data package remains deeply embedded in the Node.js ecosystem, serving as a dependency for many older tools and frameworks. With over 100 million downloads per week, this vulnerability puts a spotlight on the risks of relying on legacy packages.
Download statistics source: https://npm.chart.dev/form-data
This issue also aligns with growing concerns about outdated Node.js versions. As Matteo Collina, a Node.js TSC member, highlighted in his recent JSNation keynote, many developers are still using end-of-life Node.js releases (like v12, v16, and v18) that no longer receive security patches. Collina warned that this combination of unsupported Node.js versions and outdated dependencies creates a dangerous surface for attacks.
The form-data vulnerability is a reminder that even widely trusted, long-standing npm packages can introduce critical security risks if left unmaintained or unpatched. Projects that use older form-data versions in production are particularly vulnerable, especially if coupled with outdated Node.js environments.
Developers who are using the form-data package should:
- Upgrade to a patched version of form-data (2.5.4+, 3.0.4+, or 4.0.4+), and check lockfiles for pinned or nested copies that a top-level upgrade would leave untouched.
- Migrate to the built-in FormData APIs in modern Node.js versions where feasible, reducing reliance on third-party packages.
The form-data issue is a reminder that as long as older Node.js versions remain widely used, vulnerabilities in foundational packages can have an outsized impact, especially when outdated environments delay the adoption of built-in, more secure APIs.