Grafana GitHub Breach Exposes Source Code via TanStack npm Attack
Briefly

"After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business. This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform."
"We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories. A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised."
"The company said it subsequently received an extortion demand from an unnamed threat actor on May 16, but opted against paying the ransom as there is no guarantee that the stolen data would actually be deleted, and could act as a catalyst for future campaigns."
"Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised. It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along with internal GitHub repositories."
An investigation found no evidence that customer production systems or operations were compromised. The incident scope was limited to the Grafana Labs GitHub environment: public and private source code, plus internal GitHub repositories that some teams use to collaborate on and store internal operational information. The downloaded content included business contact names and email addresses of the kind exchanged in a professional relationship, not information pulled from or processed through production systems or the Grafana Cloud platform.

The breach originated from the TanStack npm supply chain attack orchestrated by TeamPCP, detected on May 11, 2026. In its initial response Grafana rotated a significant number of GitHub workflow tokens, but one token was missed, and that token gave the attackers access to its GitHub repositories. A later review confirmed that a workflow originally deemed not impacted had in fact been compromised. An extortion demand arrived on May 16; no ransom was paid. Subsequent actions included rotating automation tokens, enhancing monitoring, auditing commits, and improving the company's GitHub security posture.
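The failure mode in this incident was a rotation sweep that missed one workflow token. The script below is an added example, not Grafana's code or anything described in the article: it builds a static inventory of every `secrets.*` reference across a set of GitHub Actions workflows and reports which workflows still hold a secret that is not in the rotated set, so a sweep can be checked against a list rather than memory. The workflow files, secret names (`NPM_TOKEN`, `MIRROR_PAT`) and organisation names embedded in it are constructed for illustration. It also flags the one case a static scan cannot resolve, `secrets: inherit`, which passes every secret to a reusable workflow.

```python
"""Inventory every GitHub Actions secret referenced by a set of workflows.

Added example, not Grafana's tooling. A rotation sweep that works from a
complete list of secret references is harder to get wrong than one that
works from memory of "which workflows matter". Sample workflows below are
constructed for illustration.
"""
import re
from pathlib import Path

# Matches both ${{ secrets.NAME }} and bare secrets.NAME inside expressions.
SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z0-9_]+)")

# GITHUB_TOKEN is minted by the runner for each job and expires with it;
# it is not a stored secret, so it is not something to rotate.
EPHEMERAL = {"GITHUB_TOKEN"}

# Constructed sample workflows (hypothetical file names, secrets and hosts).
SAMPLE_WORKFLOWS = {
    "release.yml": """
name: release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
""",
    "sync-mirror.yml": """
name: sync-mirror
on:
  schedule: [{cron: "0 3 * * *"}]
jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.MIRROR_PAT }}
      - run: git push https://x:${{ secrets.MIRROR_PAT }}@example.invalid/mirror.git
""",
    "reusable-caller.yml": """
name: reusable-caller
on: [workflow_dispatch]
jobs:
  call:
    uses: example-org/shared/.github/workflows/deploy.yml@main
    secrets: inherit
""",
}


def secret_refs(workflow_text: str) -> set[str]:
    """Stored-secret names a workflow references, with ephemeral tokens removed."""
    return set(SECRET_REF.findall(workflow_text)) - EPHEMERAL


def inherits_all_secrets(workflow_text: str) -> bool:
    """True when the workflow uses `secrets: inherit`, which hands every
    repository/organisation secret to the called reusable workflow; its
    real footprint cannot be read from this file alone."""
    return re.search(r"^\s*secrets:\s*inherit\s*$", workflow_text, re.M) is not None


def inventory(workflows: dict[str, str]) -> dict[str, set[str]]:
    """Map each workflow file name to the set of secrets it references."""
    return {name: secret_refs(text) for name, text in workflows.items()}


def inventory_from_dir(path: str) -> dict[str, set[str]]:
    """Same inventory, read from a real .github/workflows directory."""
    files = list(Path(path).glob("*.yml")) + list(Path(path).glob("*.yaml"))
    return inventory({p.name: p.read_text(encoding="utf-8") for p in files})


def not_yet_rotated(inv: dict[str, set[str]], rotated: set[str]) -> dict[str, set[str]]:
    """Workflows still referencing at least one secret absent from `rotated`."""
    return {name: refs - rotated for name, refs in inv.items() if refs - rotated}


if __name__ == "__main__":
    inv = inventory(SAMPLE_WORKFLOWS)
    # Suppose the first rotation sweep covered only NPM_TOKEN.
    for name, missing in not_yet_rotated(inv, {"NPM_TOKEN"}).items():
        print(f"{name}: still references unrotated {sorted(missing)}")
    for name, text in SAMPLE_WORKFLOWS.items():
        if inherits_all_secrets(text):
            print(f"{name}: uses 'secrets: inherit'; audit the called workflow too")
```

Run against a checkout with `inventory_from_dir(".github/workflows")` and feed the result to `not_yet_rotated` with the names already rotated; an empty result is the exit condition for the sweep. Any workflow reported by `inherits_all_secrets` has to be traced into the reusable workflow it calls, because the scan of the caller alone cannot tell which secrets that job actually consumed.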
Read at The Hacker News