
Grafana GitHub Source Code Exfiltration via TanStack npm Supply Chain Attack — IR Guide

Security Arsenal Team
May 20, 2026

On May 19, 2026, Grafana Labs disclosed a significant security incident confirming that their GitHub environment was breached, leading to the exfiltration of public and private source code. The root cause was identified as a supply chain attack targeting the TanStack ecosystem of npm packages.

While Grafana states there is currently no evidence of customer production systems being compromised, the breach of source code repositories poses a severe risk for intellectual property theft and future supply chain injections. For defenders, this incident is a critical indicator that the software build and development environments—often softer targets than production—must be hardened with the same rigor as production infrastructure.

Technical Analysis

  • Affected Products/Platforms: Development environments utilizing npm (Node Package Manager), specifically CI/CD pipelines or local developer workstations pulling the latest TanStack packages (e.g., React Query, Router, Table) during the compromise window.
  • Threat Vector: Dependency Confusion / Malicious Package Injection. Attacker(s) published malicious versions of legitimate packages to the npm registry.
  • Attack Mechanism (Defender View): The malicious package versions carried postinstall scripts. Because npm runs these automatically during npm install, the scripts likely:
    1. Scanned the file system for configuration files (.npmrc, .gitconfig, SSH keys).
    2. Exfiltrated discovered secrets (GitHub OAuth tokens, SSH private keys) to a command-and-control (C2) server.
    3. Used the exfiltrated credentials to clone and access private repositories within the Grafana GitHub organization.
  • Exploitation Status: Confirmed Active Exploitation. This is not theoretical; Grafana has verified unauthorized access to their GitHub environment as a direct result of these packages.
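The mechanism above hinges on install scripts, which npm records in the lockfile: for lockfileVersion 2 and 3 every package that ships one is marked "hasInstallScript": true. The following Node script is an added example, not part of this advisory or of any TanStack or Grafana code; it audits a package-lock.json for entries that carry install scripts outside an allowlist, resolve from a registry host other than the trusted one, or lack an integrity hash. The lockfile, the allowlist and the trusted-registry set are constructed for the example, and the version numbers and integrity values are placeholders rather than the compromised releases.

```javascript
// Constructed lockfile (lockfileVersion 3). Versions and integrity hashes are placeholders,
// not the compromised releases; left-pad is given a non-registry "resolved" URL on purpose.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@tanstack/react-query": "^5.0.0" } },
    "node_modules/@tanstack/react-query": {
      version: "5.99.99", hasInstallScript: true, integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.99.99.tgz",
    },
    "node_modules/@tanstack/query-core": {
      version: "5.99.99", integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.99.99.tgz",
    },
    "node_modules/esbuild": {
      version: "0.21.5", hasInstallScript: true, integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz",
    },
    "node_modules/left-pad": {
      version: "1.3.0", integrity: "sha512-PLACEHOLDER",
      resolved: "https://mirror.example.invalid/left-pad-1.3.0.tgz",
    },
  },
});

// Hypothetical allowlist of packages that legitimately need install scripts (native builds etc.).
const INSTALL_SCRIPT_ALLOWLIST = new Set(["esbuild"]);
// Registry hosts the build may pull from; any other "resolved" host is flagged.
const TRUSTED_REGISTRIES = new Set(["registry.npmjs.org"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns one finding per suspicious entry: install script outside the allowlist,
// tarball resolved from an untrusted host, or missing integrity hash.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages || !(lock.lockfileVersion >= 2)) {
    throw new Error("lockfileVersion 2 or 3 required; v1 lockfiles do not record hasInstallScript");
  }
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue; // the root project itself
    const name = packageNameFromKey(key);
    const reasons = [];
    if (entry.hasInstallScript && !INSTALL_SCRIPT_ALLOWLIST.has(name)) reasons.push("install script");
    if (entry.resolved) {
      const host = new URL(entry.resolved).hostname;
      if (!TRUSTED_REGISTRIES.has(host)) reasons.push(`untrusted registry ${host}`);
    }
    if (!entry.integrity) reasons.push("missing integrity");
    if (reasons.length) findings.push({ name, version: entry.version, path: key, reasons });
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[!] ${f.name}@${f.version} (${f.path}): ${f.reasons.join(", ")}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file contents; a package that newly acquires "hasInstallScript": true between two lockfile revisions is the diff worth reviewing before the install is allowed to run.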

Detection & Response

Detecting supply chain attacks requires visibility into the build pipeline and endpoint behavior. Standard anti-virus often misses these attacks because the parent process (npm) is trusted. Defenders must look for child processes (node, bash) spawned during package installation that perform unexpected network or file operations.

Sigma Rules

The following rules detect the anomalous behavior associated with malicious npm packages executing postinstall scripts.

---
title: Potential Malicious NPM Postinstall Script Activity
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects Node.js processes establishing outbound connections to destinations other than the public npm registry, typical of malicious postinstall scripts exfiltrating data. Sysmon network events carry no parent image, so correlate hits with the npm process-creation rule below via ProcessGuid.
references:
  - https://thehackernews.com/2026/05/grafana-github-breach-exposes-source.html
author: Security Arsenal
date: 2026/05/19
tags:
  - attack.execution
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|endswith:
      - '\node.exe'
      - '\nodejs.exe'
  filter_registry:
    DestinationHostname|endswith:
      - '.npmjs.org'
      - '.npmjs.com'
  condition: selection and not filter_registry
falsepositives:
  - Build agents connecting to private registries, package mirrors or dependency APIs during install; add those hosts to the filter.
level: high
---
title: NPM Spawning Shell or Scripting Processes
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects npm (node.exe running npm-cli.js) spawning powershell, cmd, bash or wscript, which is highly suspicious behavior for a package installation routine.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/19
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    - ParentImage|endswith: '\npm.cmd'
    - ParentCommandLine|contains: 'npm-cli.js'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\bash.exe'
      - '\wscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - npm runs lifecycle scripts through cmd.exe on Windows, so a cmd.exe child of npm appears for any package with install scripts; tune on the child CommandLine or pair with the network rule above.
  - Developer tools running scripts (rare during standard install).
level: critical
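The two rules only become useful together, because a Sysmon network event (EID 3) has no parent field: the link back to npm has to be made through ProcessGuid against the process-creation events (EID 1). The following Node script is an added example, not part of this advisory; it implements that correlation over a handful of constructed Sysmon-style events, walking the ParentProcessGuid chain so that a scripting process several levels below npm is still attributed to it, and treating the cmd.exe that npm itself uses as its lifecycle runner on Windows as expected rather than alerting on it. Paths, command lines, GUIDs and addresses are made up for the example.

```javascript
// Constructed Sysmon-style events (EID 1 = process creation, EID 3 = network connection).
// Paths, command lines, GUIDs and addresses are made up for the example.
const NODE = "C:\\Program Files\\nodejs\\node.exe";
const CMD = "C:\\Windows\\System32\\cmd.exe";
const PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
const NPM_CLI = "node \"C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js\" install";
const EVENTS = [
  // npm itself: node.exe running npm-cli.js, launched from a developer's cmd.exe
  { EventID: 1, ProcessGuid: "{G-1}", Image: NODE, CommandLine: NPM_CLI,
    ParentProcessGuid: "{G-0}", ParentImage: CMD, ParentCommandLine: "cmd /c npm install" },
  // npm runs lifecycle scripts through cmd.exe on Windows: expected, not an alert
  { EventID: 1, ProcessGuid: "{G-2}", Image: CMD, CommandLine: "cmd /d /s /c node postinstall.js",
    ParentProcessGuid: "{G-1}", ParentImage: NODE, ParentCommandLine: NPM_CLI },
  // the package's postinstall script
  { EventID: 1, ProcessGuid: "{G-3}", Image: NODE, CommandLine: "node postinstall.js",
    ParentProcessGuid: "{G-2}", ParentImage: CMD, ParentCommandLine: "cmd /d /s /c node postinstall.js" },
  // the postinstall script launching PowerShell: what the second Sigma rule targets
  { EventID: 1, ProcessGuid: "{G-4}", Image: PS, CommandLine: "powershell -NoProfile -Command Get-ChildItem",
    ParentProcessGuid: "{G-3}", ParentImage: NODE, ParentCommandLine: "node postinstall.js" },
  // npm fetching tarballs from the registry: expected
  { EventID: 3, ProcessGuid: "{G-1}", Image: NODE, Initiated: "true",
    DestinationHostname: "registry.npmjs.org", DestinationIp: "192.0.2.10", DestinationPort: 443 },
  // the postinstall process connecting to a host that is not the registry: first Sigma rule
  { EventID: 3, ProcessGuid: "{G-3}", Image: NODE, Initiated: "true",
    DestinationHostname: "collector.example.invalid", DestinationIp: "203.0.113.10", DestinationPort: 443 },
];

const IS_NPM = (e) => /npm-cli\.js/i.test(e.CommandLine || "") || /\\npm\.cmd$/i.test(e.Image || "");
const SCRIPTING_IMAGE = /\\(powershell|pwsh|cmd|bash|wscript|cscript)\.exe$/i;
const NODE_IMAGE = /\\node(js)?\.exe$/i;
const REGISTRY_HOST = /(^|\.)npmjs\.(org|com)$/i;

// Index process-creation events by ProcessGuid so network events can be tied to their process.
function buildTree(events) {
  const byGuid = new Map();
  for (const e of events) if (e.EventID === 1) byGuid.set(e.ProcessGuid, e);
  return byGuid;
}

// True if the process, or any ancestor reachable through ParentProcessGuid, is npm.
function underNpm(guid, byGuid) {
  let e = byGuid.get(guid);
  for (let depth = 0; e && depth < 32; depth++) {
    if (IS_NPM(e)) return true;
    e = byGuid.get(e.ParentProcessGuid);
  }
  return false;
}

function detect(events) {
  const byGuid = buildTree(events);
  const alerts = [];
  for (const e of events) {
    if (e.EventID === 1 && SCRIPTING_IMAGE.test(e.Image) && underNpm(e.ProcessGuid, byGuid)) {
      const parent = byGuid.get(e.ParentProcessGuid);
      // cmd.exe directly under npm is npm's own script runner; anything deeper or different is flagged
      const expectedRunner = /\\cmd\.exe$/i.test(e.Image) && parent && IS_NPM(parent);
      if (!expectedRunner) {
        alerts.push({ rule: "npm_spawned_scripting_process", guid: e.ProcessGuid, detail: e.CommandLine });
      }
    }
    if (e.EventID === 3 && e.Initiated === "true" && NODE_IMAGE.test(e.Image)
        && !REGISTRY_HOST.test(e.DestinationHostname || "") && underNpm(e.ProcessGuid, byGuid)) {
      alerts.push({ rule: "npm_child_non_registry_connection", guid: e.ProcessGuid,
        detail: `${e.DestinationHostname}:${e.DestinationPort}` });
    }
  }
  return alerts;
}

for (const a of detect(EVENTS)) console.log(`[${a.rule}] ${a.guid} ${a.detail}`);
```

Against the sample, only the PowerShell launch (G-4) and the postinstall process's connection to the non-registry host (G-3) alert; npm's registry fetch and its cmd.exe runner do not. In a SIEM the same join is a ProcessGuid lookup from the network table into the process table, restricted to the time window of the install.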

KQL (Microsoft Sentinel)

Hunt for suspicious network activity originating from build agents or developer endpoints triggered by package management processes.

// Hunt for outbound connections made by node or download tools that were launched by npm,
// excluding the public npm registry. DeviceNetworkEvents (not DeviceProcessEvents) carries
// the connection together with the initiating process and its parent.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in~ ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
| where InitiatingProcessFileName in~ ("node.exe", "node", "curl.exe", "wget.exe", "powershell.exe", "pwsh.exe")
| where InitiatingProcessParentFileName in~ ("npm.cmd", "npm", "node.exe", "node", "cmd.exe")
    or InitiatingProcessCommandLine has "npm-cli.js"
| where not(RemoteUrl endswith "npmjs.org" or RemoteUrl endswith "npmjs.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessParentFileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| sort by Timestamp desc

Velociraptor VQL

Hunt Linux endpoints for package-lock.json files that reference TanStack packages and carry install-script markers.

-- Hunt for package-lock.json files that reference TanStack packages and record install scripts.
-- npm (v7+, lockfileVersion 2/3) marks packages that ship install scripts with "hasInstallScript": true;
-- the word "postinstall" itself only appears when a lockfile embeds package.json scripts.
LET locks = SELECT OSPath, Mtime, Size, read_file(filename=OSPath) AS Content
  FROM glob(globs='/home/**/package-lock.json')

SELECT OSPath, Mtime, Size
FROM locks
WHERE Content =~ '@tanstack/'
  AND Content =~ 'hasInstallScript|postinstall'

Remediation Script (Bash)

Use this script to audit your Linux/Unix development environments for the presence of potentially compromised TanStack packages and to check for exposed GitHub tokens.

#!/bin/bash

# Audit for TanStack npm compromise
# Author: Security Arsenal

echo "[+] Scanning for TanStack package references..."

# Find package-lock.json files under home directories and report TanStack entries.
# Lockfile v2/v3 marks packages that ship install scripts with "hasInstallScript": true.
echo "[+] Checking package-lock.json files for recent TanStack versions..."
find /home -name "package-lock.json" -type f 2>/dev/null | while read -r file; do
    if grep -q "@tanstack/" "$file"; then
        echo "[!] Found TanStack dependency in: $file"
        # Display the specific versions found
        grep -A 2 "@tanstack/" "$file"
        if grep -q '"hasInstallScript": true' "$file"; then
            echo "[!] Lockfile records packages with install scripts; review them before reinstalling"
        fi
    fi
done

# Check for GitHub tokens that might be leaked through this shell's environment.
# Only the token prefix and its first four characters are printed; the value stays out of the audit log.
echo "[+] Checking for exposed GitHub tokens in environment..."
if env | grep -qE "ghp_|github_pat_"; then
    echo "[!] WARNING: GitHub token detected in environment variables of this shell!"
    env | grep -E "ghp_|github_pat_" | sed -E 's/(ghp_|github_pat_)([A-Za-z0-9_]{4})[A-Za-z0-9_]*/\1\2****/g'
fi

# Check ~/.npmrc for a registry auth token on disk, one of the files the postinstall scripts read.
if [ -f "$HOME/.npmrc" ] && grep -q "_authToken" "$HOME/.npmrc"; then
    echo "[!] WARNING: $HOME/.npmrc contains an _authToken; rotate it"
fi

# Check npm logs for recent installs (~/.npm/_logs is a directory holding one file per npm run)
echo "[+] Checking recent npm install logs..."
if [ -d "$HOME/.npm/_logs" ]; then
    ls -lt "$HOME/.npm/_logs" | head -n 10
fi

echo "[+] Audit complete. If suspicious versions are found, force update packages: npm update @tanstack/react-query @tanstack/react-router --force"

Remediation

  1. Immediate Credential Rotation: Assume that any SSH keys or OAuth tokens present in the environment during the npm install are compromised. Rotate all GitHub Personal Access Tokens (PATs), SSH keys, and deploy keys used by the affected CI/CD pipelines and developer accounts.
  2. Package Updates: Force update all TanStack dependencies to the latest, patched versions. Delete package-lock.json and the node_modules directory, then run npm install to ensure a clean retrieval:
         rm -rf node_modules package-lock.json
         npm install
  3. Audit GitHub Logs: Review the "Security" tab in GitHub organization settings. Look for access logs from unfamiliar IP addresses or automated script executions during the compromise window (around May 19, 2026).
  4. Code Integrity Verification: Since source code was accessed, verify that no malicious code was injected into your repositories during the breach window. Compare current tags against known-good backups.
  5. Restrictive npm Scoping: Configure .npmrc to only allow scoped packages or specific registries, and consider implementing audit tools like npm audit or Snyk in the pre-build hook to catch malicious packages before execution.
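Steps 2 and 5 come down to what .npmrc allows. The following Node script is an added example, not part of this advisory; it places a weak .npmrc (plaintext registry token, lifecycle scripts enabled, no per-scope registry) beside a hardened one and checks either file for the settings that matter here: ignore-scripts=true so a postinstall cannot run implicitly (vetted native builds are then rebuilt on purpose with npm rebuild <pkg> --ignore-scripts=false), a pinned registry for each internal scope so dependency confusion has nothing to resolve against, save-exact=true, and tokens supplied through npm's ${ENV_VAR} substitution rather than stored on disk. The @acme scope, the internal registry host and the token value are constructed placeholders.

```javascript
// Two constructed .npmrc files. The weak one stores a registry token in plaintext and lets every
// package run install scripts; the hardened one pins registries per scope, disables lifecycle
// scripts and takes the token from the environment. Scope, hosts and token are placeholders.
const WEAK_NPMRC = `
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_TOKEN
`;

const HARDENED_NPMRC = `
; public registry for unscoped packages, the internal registry for the company scope
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
; never run package lifecycle scripts implicitly; vetted native builds get: npm rebuild <pkg> --ignore-scripts=false
ignore-scripts=true
; write exact versions into package.json so an install without a lockfile cannot drift
save-exact=true
; token comes from CI secrets at runtime, not from disk
//npm.internal.example/:_authToken=\${NPM_TOKEN}
`;

// Parse key=value lines, skipping blanks and ; or # comments.
function parseNpmrc(text) {
  const cfg = new Map();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith(";") || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    cfg.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return cfg;
}

// Returns the list of hardening gaps; an empty list means the file passes.
function checkNpmrc(text, internalScopes = ["@acme"]) {
  const cfg = parseNpmrc(text);
  const gaps = [];
  if (cfg.get("ignore-scripts") !== "true") {
    gaps.push("ignore-scripts is not true: postinstall scripts run automatically on npm install");
  }
  if (cfg.get("save-exact") !== "true") {
    gaps.push("save-exact is not true: new dependencies are saved as version ranges");
  }
  for (const scope of internalScopes) {
    if (!cfg.has(`${scope}:registry`)) {
      gaps.push(`${scope}:registry is unset: the internal scope resolves against the public registry (dependency confusion)`);
    }
  }
  for (const [key, value] of cfg) {
    // a value of the form ${NAME} is expanded by npm from the environment; anything else is a literal secret on disk
    if (key.endsWith(":_authToken") && !/^\$\{[A-Z0-9_]+\}$/.test(value)) {
      gaps.push(`${key} holds a plaintext token on disk; use \${ENV_VAR} substitution`);
    }
  }
  return gaps;
}

console.log("weak:", checkNpmrc(WEAK_NPMRC));
console.log("hardened:", checkNpmrc(HARDENED_NPMRC));
```

The check is deliberately per-file: npm merges project, user and global .npmrc files, so run it over each of them, and remember that a project-level .npmrc committed to the repository is itself a file the postinstall scripts described above would read.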
