Grafana GitHub Token Breach Leads to Codebase Download and Extortion Attempt
Grafana Labs disclosed that an unauthorized party accessed its GitHub environment using a stolen token, enabling the download of the company's source code.

Grafana Labs has confirmed that an unauthorized party gained access to its GitHub environment after obtaining a compromised token. The breach allowed the attacker to download the company's codebase, raising concerns about the potential for intellectual property theft and the exposure of sensitive development artifacts.
Upon discovering the incident, Grafana initiated an investigation to determine the scope of the unauthorized access. The company stated that no customer data or personal information was accessed during the breach, and there is currently no evidence that the attacker was able to impact customer systems or operational environments. The compromised token has been revoked, and the company is taking steps to secure its development infrastructure against similar future incidents.
This incident serves as a reminder of the critical importance of securing CI/CD pipelines and developer access tokens. As organizations increasingly rely on cloud-based development platforms, these environments become a primary target for threat actors seeking to gain deeper access to corporate assets. Grafana's experience highlights the necessity of implementing strict access controls, monitoring for anomalous activity in developer environments, and ensuring that tokens are managed with the principle of least privilege.
In a new disclosure, Grafana Labs confirmed the attacker threatened to release the stolen code unless a ransom was paid, but the company stated it will not pay, citing FBI guidance that paying ransoms does not guarantee data recovery and incentivizes further criminal activity. The company emphasized that no customer data or personal information was accessed and found no evidence of impact on customer systems. Grafana has invalidated the compromised credentials and implemented additional security measures, though it remains unclear whether the exfiltrated code includes proprietary components beyond its already open-source products.
Grafana confirmed that the intrusion was enabled by a compromised GitHub token, which allowed the Coinbase Cartel group to download the company's source code. The attackers have demanded a ransom to prevent public release of the code, but Grafana has refused to pay and has since reset the compromised credentials. The company stated that no customer or personal data was stolen and that customer systems remain unaffected, while a forensic investigation is ongoing.
The attackers have threatened to leak the stolen codebase unless Grafana Labs pays a ransom, but the company has publicly stated it will not comply, citing FBI guidance that paying ransoms does not guarantee data recovery and incentivizes further criminal activity. The cyber-extortion group Coinbase Cartel has claimed responsibility for the breach. Grafana Labs has invalidated the compromised credentials and implemented additional security measures, while its investigation continues.
The extortion gang CoinbaseCartel has claimed responsibility for the breach, listing Grafana on its data leak site, though no stolen data has been published yet. Grafana confirmed it refused to pay the ransom, citing FBI guidance that paying encourages further attacks. The gang, which researchers link to ShinyHunters and Lapsus$ affiliates, has posted over 100 victims since launching last September.
Grafana now reveals that the breach originated from a missed GitHub workflow token rotation after the TanStack npm supply-chain attack. The token was exfiltrated when Grafana's CI/CD pipeline consumed a malicious TanStack package, and although the company rotated most tokens on May 1, one was overlooked, allowing the attacker to access private repositories. The intruder also downloaded business contact names and email addresses, though Grafana stresses no customer production data or cloud systems were compromised.
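The chain described above (a CI job installing a malicious npm package, which then reads the workflow token from its environment) points to two controls a pipeline owner can check for: whether dependency installs run package lifecycle scripts, and whether the job token is scoped down. The following is an added illustration, not Grafana's tooling; the two workflow snippets are constructed, and the audit is a line-based heuristic rather than a full YAML parser.

```python
import re
from typing import List

# Constructed sample: install runs lifecycle scripts, token keeps default scopes.
WEAK_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install
      - run: npm test
"""

# Constructed sample: same pipeline, scripts disabled, read-only GITHUB_TOKEN.
HARDENED_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm test
"""

# Matches a single-line `run:` step that invokes an npm install; `rest` holds
# the flags after the subcommand. Multi-line `run: |` blocks are not handled.
NPM_INSTALL = re.compile(r"^\s*-?\s*run:.*\bnpm\s+(ci|install|i)\b(?P<rest>.*)$")

def audit_workflow(text: str) -> List[str]:
    """Return findings for one workflow; empty list means none flagged (heuristic, line-based)."""
    findings = []
    lines = text.splitlines()
    # Without a `permissions:` block, GITHUB_TOKEN gets the repository default,
    # which may be broader than a build needs if the token is stolen from CI.
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append("no permissions block: GITHUB_TOKEN keeps repository default scopes")
    for n, ln in enumerate(lines, 1):
        m = NPM_INSTALL.match(ln)
        # Lifecycle scripts of every dependency run here with CI secrets in env.
        if m and "--ignore-scripts" not in m.group("rest"):
            findings.append(f"line {n}: npm install runs package lifecycle scripts")
    return findings
```

Pairing `--ignore-scripts` with a read-only token reduces both the chance a malicious package runs in CI and the value of any token it could read; neither replaces rotating every token that was exposed, which is the step the disclosure says was missed.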