VYPR
breach · Published May 19, 2026 · Updated May 20, 2026 · 2 sources

Grafana Labs Confirms Source Code Stolen in GitHub Breach, Refuses Ransom Demand

Grafana Labs confirmed that attackers stole proprietary source code from its GitHub repositories after compromising a token, but said no customer data or cloud services were affected.

Grafana Labs, the company behind the popular open-source analytics and visualization platform Grafana, confirmed on Tuesday that attackers breached its GitHub environment and stole proprietary source code. The incident, disclosed via a series of posts on X, involved an unauthorized party obtaining a token that granted access to the company's GitHub repositories, enabling them to download the codebase.

The company stated that its investigation found no evidence that customer data, personal information, or Grafana Cloud services were compromised. "We have found no evidence of impact to customer systems or operations," Grafana Labs said. The firm immediately initiated forensic analysis and identified the source of the credential leak, subsequently invalidating the compromised token and implementing additional security measures to prevent further unauthorized access.

Grafana Labs also revealed that the threat actors demanded a ransom payment in exchange for not releasing the stolen source code. The company declined to pay, citing the FBI's published stance that paying ransoms does not guarantee data recovery and only incentivizes further criminal activity. "Based on our operational experience and the published stance of the FBI... we've determined the appropriate path forward is to not pay the ransom," the company explained.

Reports suggest that a relatively new extortion gang known as "CoinbaseCartel" may be responsible for the breach. The group has been linked to several recent source code thefts targeting technology firms. Grafana Labs has promised to share more details about how the breach occurred as its investigation progresses.

Security experts praised Grafana Labs' response, noting that the company appears to be following best practices for incident handling. Brian Higgins, security specialist at Comparitech, said, "It looks like Grafana were well prepared for a breach and are following all of the playbook protocols you would expect." He added that the incident underscores the importance of securing vendor access and supply chain structures, which remain high-value targets for attackers.

Grafana Labs serves over 7,000 global customers, including major technology companies such as Anthropic, NVIDIA, Salesforce, and Microsoft. The breach highlights the ongoing risk of credential theft and supply chain attacks targeting developer environments, even for well-resourced organizations. The company's decision to refuse the ransom aligns with law enforcement recommendations and may set a precedent for how similar incidents are handled in the future.

Grafana Labs confirmed on May 19 that the breach originated from the TanStack npm supply-chain attack, which allowed the threat actor to access the company's GitHub environment and steal both public and private source code. The company stated that no customer production systems or operations were compromised, and the investigation remains ongoing.

Synthesized by Vypr AI