Full Report
Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised. It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along with internal GitHub repositories. "After the initial assessment, we found that in addition to source
Analysis Summary
# Incident Report: Grafana Labs GitHub Supply Chain Breach
## Executive Summary
Grafana Labs suffered a security breach originating from a widespread supply chain attack on the TanStack npm package. Overlooked GitHub workflow tokens allowed threat actors to access and exfiltrate internal repositories, including private source code and business contact information. Despite receiving an extortion demand, Grafana reported no compromise of customer production systems or the Grafana Cloud platform.
## Incident Details
- **Discovery Date:** May 11, 2026
- **Incident Date:** May 11, 2026 (Initial activity detection)
- **Affected Organization:** Grafana Labs
- **Sector:** Information Technology / Software Development (Data Visualization)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-May 11, 2026
- **Vector:** Supply Chain Attack
- **Details:** Attackers (attributed to TeamPCP) compromised the TanStack npm package. The Grafana environment was compromised through this dependency, leading to the exposure of GitHub workflow tokens.
### Lateral Movement
- **Technique:** Secret/Token Misuse
- **Details:** Following the initial rotation of tokens, a "missed token" in a GitHub workflow (originally deemed non-impacted) allowed attackers to maintain and escalate access to the broader GitHub environment.
### Data Exfiltration/Impact
- **Date/Time:** Between May 11 and May 16, 2026
- **Details:** Attackers downloaded public and private source code, internal operational repositories, and business contact information (names and email addresses).
### Detection & Response
- **May 11:** Initial detection of suspicious activity; first round of token rotations performed.
- **May 15:** A ransomware crew named "CoinbaseCartel" listed Grafana Labs on their dark web leak site.
- **May 16:** Grafana received an extortion demand from the threat actor.
- **May 19:** Grafana issued a public update confirming the scope of the breach and their refusal to pay the ransom.
## Attack Methodology
- **Initial Access:** Supply chain compromise (TanStack npm package).
- **Persistence:** Use of an overlooked GitHub workflow automation token.
- **Privilege Escalation:** Not explicitly detailed, but involved gaining access to internal repositories via token permissions.
- **Credential Access:** Theft of GitHub workflow tokens via malicious npm package execution.
- **Collection:** Gathering of internal GitHub repositories and business contact data.
- **Exfiltration:** Unauthorized download of public/private source code and internal documentation.
- **Impact:** Data extortion (Unsuccessful ransom attempt).
## Impact Assessment
- **Financial:** No specific costs disclosed; ransom demand was refused.
- **Data Breach:** Compromise of private source code and internal operational data, including business PII (contact names and email addresses).
- **Operational:** No disruption to customer production systems or Grafana Cloud.
- **Reputational:** Public disclosure of source code exposure and listing on a dark web extortion site.
## Indicators of Compromise
- **Infected Package:** TanStack npm package (Versions/Hashes not specified in the article).
- **Threat Actors:** TeamPCP (Attribution for npm attack), CoinbaseCartel (Attribution for extortion).
- **Behavioral:** Unusual GitHub repository cloning activity and workflow executions.
## Response Actions
- **Containment:** Repeated rotation of all GitHub automation and workflow tokens.
- **Eradication:** Revocation of the specific missed token that enabled the persistent breach.
- **Recovery:** Implementation of enhanced monitoring and auditing of all commits for malicious activity.
- **Policy:** Refusal to engage in ransom negotiations.
## Lessons Learned
- **Inventory Gaps:** A "missed token" in a workflow deemed low-risk highlights the danger of incomplete secret management audits.
- **Dependency Risks:** Supply chain attacks on popular npm packages (like TanStack) can bypass traditional perimeter defenses.
- **Internal Info:** Internal GitHub repositories often hold more than code; they can also contain sensitive business operations data.
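The inventory gap above, a token in a workflow deemed non-impacted that escaped rotation, is the kind of miss a mechanical audit catches. The following is an added example, not Grafana's own tooling: it enumerates every `secrets.*` reference across workflow files, diffs that set against what was actually rotated, and lists workflows that still rely on static secrets without requesting an OIDC id-token. The workflow texts, file paths and secret names are constructed.

```python
"""Inventory the secrets GitHub Actions workflows reference and diff them against
the rotation list. Added example; workflow texts and names are constructed."""
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
OIDC_GRANT = re.compile(r"\bid-token:\s*write\b")  # job asks for a short-lived OIDC token
EPHEMERAL = {"GITHUB_TOKEN"}  # minted per job run by GitHub; nothing to rotate

# Constructed samples; the scheduled docs job is the kind a rotation pass may skip.
WORKFLOWS = {
    ".github/workflows/ci.yml": """
permissions: {id-token: write, contents: read}
jobs:
  build:
    steps:
      - run: npm ci
        env: {NPM_TOKEN: "${{ secrets.NPM_TOKEN }}"}
      - run: gh release upload dist/*
        env: {GH_TOKEN: "${{secrets.GITHUB_TOKEN}}"}
""",
    ".github/workflows/nightly-docs.yml": """
on: {schedule: [{cron: "0 3 * * *"}]}
jobs:
  publish:
    steps:
      - run: ./deploy-docs.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DOCS_DEPLOY_TOKEN }}
          ORG_READ_PAT: ${{ secrets.ORG_READ_PAT }}
""",
}

def inventory_secrets(workflows):
    """Map each long-lived secret name to the workflow files that use it."""
    inv = {}
    for path, text in workflows.items():
        for name in SECRET_REF.findall(text):
            if name not in EPHEMERAL:
                inv.setdefault(name, set()).add(path)
    return inv

def unrotated_secrets(workflows, rotated):
    """Secrets some workflow still uses that are missing from the rotation list."""
    return {n: sorted(p) for n, p in inventory_secrets(workflows).items()
            if n not in rotated}

def workflows_without_oidc(workflows):
    """Workflows that rely on static secrets yet never request an OIDC id-token."""
    return sorted(p for p, t in workflows.items()
                  if SECRET_REF.search(t) and not OIDC_GRANT.search(t))
```

Run against a real checkout by reading each file under `.github/workflows/` into the dictionary; any name returned by `unrotated_secrets` is a token the rotation effort did not cover.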
## Recommendations
- **Automated Secret Scanning:** Implement tools to automatically identify and rotate all secrets across all GitHub workflows, regardless of perceived impact.
- **Software Bill of Materials (SBOM):** Enhance visibility into third-party npm dependencies to track and block compromised versions faster.
- **Zero Trust for CI/CD:** Move toward short-lived, identity-based credentials for GitHub Actions instead of long-lived static tokens.
- **Enhanced Monitoring:** Establish baseline behavior for repository access so that mass-downloading or cloning events are flagged in real time.
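One way to implement the baseline-driven monitoring recommended above, as an added example that is not part of the original report: per-actor distinct-repository counts over a sliding one-hour window, compared against that actor's typical rate. The log lines and baseline are constructed, and the field names (`action`, `actor`, `repo`, `@timestamp` in epoch milliseconds) follow the shape of a GitHub audit-log export as an assumption.

```python
"""Flag mass repository cloning in audit-log events against a per-actor baseline.
Added example; log lines, baseline and field names are constructed/assumed."""
import json
from collections import defaultdict

WINDOW_MS = 60 * 60 * 1000          # one-hour sliding window
FACTOR, FLOOR = 3, 5                # flag at > 3x baseline, never below 5 repos

# Constructed baseline: distinct repos each actor typically touches per hour.
BASELINE = {"ci-bot": 2, "alice": 1}

# Constructed events as newline-delimited JSON, plus one malformed line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    [{"action": "git.clone", "actor": "alice", "repo": "org/app", "@timestamp": 1000}]
    + [{"action": "git.clone", "actor": "ci-bot", "repo": f"org/repo{i}",
        "@timestamp": 5000 + i * 60000} for i in range(12)]
    + [{"action": "git.push", "actor": "ci-bot", "repo": "org/repo1", "@timestamp": 9000}]
)) + "\n{not json"

def parse_events(text):
    """Yield (actor, repo, ts_ms) for clone events, skipping malformed lines."""
    for line in text.splitlines():
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        if e.get("action") == "git.clone":
            yield e["actor"], e["repo"], int(e["@timestamp"])

def mass_clone_alerts(text, baseline, window_ms=WINDOW_MS):
    """Return {actor: peak distinct repos in any window} for actors over threshold."""
    by_actor = defaultdict(list)
    for actor, repo, ts in parse_events(text):
        by_actor[actor].append((ts, repo))
    alerts = {}
    for actor, events in by_actor.items():
        events.sort()
        limit = max(FLOOR, FACTOR * baseline.get(actor, 1))
        peak, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window_ms:
                lo += 1                       # slide the window start forward
            distinct = len({r for _, r in events[lo:hi + 1]})
            peak = max(peak, distinct)
        if peak > limit:
            alerts[actor] = peak
    return alerts
```

Actors absent from the baseline are treated as touching one repo per hour, so the first burst from an unknown identity is flagged rather than silently learned.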