⚠️ THREAT ALERT: Grafana GitHub Breach Exposes Source Code via TanStack npm Attack
The breach originated from a supply‑chain compromise of the @tanstack/query npm package, a direct runtime dependency of the Grafana front‑end repository. An attacker who obtained the package's publishing credentials released a version carrying a malicious post‑install script. npm runs lifecycle scripts automatically during installation, so the Node.js payload executed on any system that ran `npm install @tanstack/query` and resolved that version. The script performed a `git pull` from an attacker‑controlled GitHub repository, overwriting the local `src` directory of the Grafana checkout with a trojaned source tree. Because Grafana's CI/CD pipeline resolved dependencies directly from the public npm registry rather than installing from a pinned lockfile with `npm ci` and with install scripts disabled, the malicious code was incorporated into the official release branch and subsequently pushed to the public Grafana GitHub organization, exposing the entire source code base to unauthenticated download. The attack reused the widely known npm package‑hijack vector (compare event-stream, 2018) and likely relied on a compromised maintainer token to publish the malicious version under the legitimate package name; npm automation tokens in particular can publish without completing a second‑factor challenge.
Preliminary analysis of the altered `package.json` and the injected script points to reuse of existing tooling for the two techniques involved: publishing under compromised maintainer credentials, and arbitrary code execution through an untrusted post‑install script (lifecycle‑script execution is standard npm behaviour rather than a vulnerability with an identifier of its own). The malicious script also attempts to exfiltrate the Grafana source files by sending a zip archive to an external S3 bucket. In MITRE ATT&CK terms the initial access maps to T1195.002 (Compromise Software Supply Chain), the `git pull` of the trojaned tree to T1105 (Ingress Tool Transfer), and the S3 upload to T1567.002 (Exfiltration to Cloud Storage). The timing of the malicious version's publication (within a narrow 48‑hour window) correlates with the observed spike in outbound traffic from the CI runners to the attacker's IP range, suggesting that the pickup was automated: the runners resolved the newest matching version on their next build, with no review gate between publication and execution.
Mitigation must be approached on three fronts: immediate containment, remediation, and hardening of the supply chain. Organizations should halt all builds that pull `@tanstack/query` from the public registry, pin to a known‑good version (≤4.24.0), and purge any compromised commits from their Grafana forks. Install from the lockfile with `npm ci`, which fails when `package.json` and `package-lock.json` disagree and checks each fetched tarball against the lockfile's `integrity` hash, and set `ignore-scripts=true` in `.npmrc` so that lifecycle scripts cannot run at install time (packages that genuinely need a build step can then be rebuilt individually with `npm rebuild <pkg>` from an allowlist). `npm audit` does not help against this class of attack: it reports published advisories, not a freshly uploaded malicious version. Enforce two‑factor authentication for all npm maintainers, restrict third‑party OAuth app access to the GitHub organization, rotate all npm tokens and prefer short‑lived granular tokens over long‑lived automation tokens, and verify registry signatures and provenance attestations with `npm audit signatures`. Finally, adopt SLSA Level 2+ build pipelines, enable GitHub's Dependabot alerts for the `@tanstack` namespace, and monitor CI egress for anomalous S3 uploads that could indicate lingering exfiltration attempts.