This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Note: This report is updated by a verification record
The package is marked as malware by OSV: MAL-2025-43 (source: ghsa-malware).
This package runs commands in a pre-install script that exfiltrates sensitive data to an attacker-controlled domain.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
The package grafana-sentry-datasource (version 1.0.4) exhibits strong indicators of malicious behavior based on the collected evidence. The confluence of multiple independent sources pointing to the same malicious activity significantly increases the confidence level.
Here's a breakdown of the reasons:
Data Exfiltration: Both YARA analysis (Evidence 0, 1, 2, 3) and LLM-based analysis (Evidence 4) consistently identify the package's attempt to collect and upload sensitive system information to a hardcoded, suspicious domain (2loa642r71g33exv17ojvbtoifo6cx0m.oastify.com). The data exfiltrated includes the home directory, user information, hostname, DNS servers, and the entire package.json content. This behavior is unequivocally malicious.
Hardcoded C2 Server: The consistent use of the same hardcoded domain across multiple evidence points (Evidence 2, 3, 4, 5) strongly suggests a command-and-control (C2) server. This server is likely used to receive the stolen data or to relay further instructions from the attacker.
Suspicious Preinstall Script: Evidence 6 and 7 reveal a preinstall script in package.json that executes node index.js. Because npm runs this lifecycle script automatically, it gives the package arbitrary code execution before its dependencies are installed, without any action by the user beyond installing it. This is a classic technique to run malware before the normal installation process begins.
Lack of Project Information: Evidence 8 highlights the absence of source project information. While not conclusive on its own, this lack of transparency adds to the overall suspicion, especially when combined with the other evidence.
LLM Confirmation: The LLM-based analysis (Evidence 4 and 5) provides more accurate and context-rich assessments than YARA alone. The LLM's conclusions reinforce the findings from the YARA rules, significantly increasing confidence in the assessment.
The combination of data exfiltration, a hardcoded C2 server, a suspicious preinstall script, and the lack of project information paints a clear picture of malicious intent. The consistency across multiple analysis methods further strengthens the conclusion that this package is malware.