Grafana GitHub Security Incident Reportedly Linked to TanStack npm Ransomware

By Admin
May 21, 2026

Grafana Labs has disclosed a targeted GitHub security incident linked to the ongoing TanStack npm supply chain ransomware campaign, raising concerns about software development pipeline security and token management practices.

The company confirmed that attackers gained unauthorized access to its GitHub repositories after exploiting a compromised workflow token. The breach, detected on May 11, 2026, is associated with the “Mini Shai-Hulud” campaign, a broader supply chain attack that previously impacted TanStack npm packages.

According to Grafana Labs, the attackers downloaded portions of its codebase. They later issued a ransom demand on May 16, threatening to release the stolen data publicly. The organization has refused to pay the ransom, aligning with law enforcement guidance that discourages ransom payments.

Grafana GitHub Security Incident

Grafana’s investigation indicates that the incident was contained within its GitHub environment and did not impact customer-facing systems or the Grafana Cloud platform.

Exposed data includes:

  • Private and public source code repositories
  • Internal operational repositories used for team collaboration
  • Business contact information, such as names and professional email addresses

The company emphasized that while the codebase was accessed and downloaded, there is no evidence of code tampering or malicious modifications.

The breach originated from a compromised GitHub Actions workflow token tied to the TanStack npm supply chain attack. While Grafana initially rotated numerous tokens after detecting suspicious activity, at least one token was overlooked.

Subsequent analysis revealed that a GitHub workflow initially believed to be unaffected had, in fact, been compromised. This allowed attackers to maintain access and exfiltrate repository data.

This case highlights a common supply chain risk: incomplete credential rotation during incident response can leave residual access points for attackers.
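The rotation gap described above can be checked mechanically. The following is an added example, not code from Grafana or the original article: it cross-references every `secrets.*` reference in workflow files against a secrets inventory and reports secrets not updated since the detection date, plus referenced secrets missing from the inventory. The inventory, scope labels, secret names and workflow snippets are constructed, and using May 11, 2026 as the cutoff is an assumption.

```python
import re
from datetime import datetime, timezone

# Detection date reported in the article; using it as the rotation cutoff is an assumption.
CUTOFF = datetime(2026, 5, 11, tzinfo=timezone.utc)

# Constructed inventory, shaped like GitHub's "list Actions secrets" REST responses
# (name / updated_at). Scope labels and secret names are hypothetical.
INVENTORY = {
    "org:example-org": [
        {"name": "NPM_PUBLISH_TOKEN", "updated_at": "2026-05-12T08:30:00Z"},
        {"name": "RELEASE_BOT_PAT", "updated_at": "2025-09-01T10:00:00Z"},
    ],
    "repo:example-org/dashboard": [
        {"name": "DOCS_DEPLOY_KEY", "updated_at": "2026-05-13T11:00:00Z"},
    ],
}

# Constructed workflow snippets; only the secrets.* references matter here.
WORKFLOWS = {
    ".github/workflows/publish.yml": "env:\n  NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}\n",
    ".github/workflows/nightly.yml": "with:\n  token: ${{ secrets.RELEASE_BOT_PAT || secrets.GITHUB_TOKEN }}\n",
    ".github/workflows/docs.yml": "env:\n  KEY: ${{ secrets.DOCS_DEPLOY_KEY }}\n  CDN: ${{ secrets.CDN_PURGE_TOKEN }}\n",
}

SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
AUTOMATIC = {"GITHUB_TOKEN"}  # issued per job by GitHub, not a stored secret


def rotation_gaps(inventory, workflows, cutoff=CUTOFF):
    """Map workflow path -> {"stale": [...], "untracked": [...]} for secrets needing action."""
    last_rotated = {}
    for secrets in inventory.values():
        for s in secrets:
            ts = datetime.fromisoformat(s["updated_at"].replace("Z", "+00:00"))
            name = s["name"].upper()
            # If a name exists in several scopes, keep the oldest timestamp (worst case).
            last_rotated[name] = min(ts, last_rotated.get(name, ts))
    report = {}
    for path, text in workflows.items():
        used = {m.upper() for m in SECRET_REF.findall(text)} - AUTOMATIC
        stale = sorted(n for n in used if n in last_rotated and last_rotated[n] < cutoff)
        untracked = sorted(n for n in used if n not in last_rotated)
        if stale or untracked:
            report[path] = {"stale": stale, "untracked": untracked}
    return report


if __name__ == "__main__":
    for path, gaps in rotation_gaps(INVENTORY, WORKFLOWS).items():
        print(path, gaps)
```

A recent `updated_at` only shows that the stored value was replaced; the old credential still has to be revoked at the service that issued it.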

Mitigation and Response

Grafana Labs initiated immediate incident response measures, including:

  • Rotation of GitHub workflow and automation tokens
  • Comprehensive audit of commits and repository activity since May 11
  • Enhanced monitoring and telemetry analysis across GitHub environments
  • Security hardening of CI/CD pipelines
  • Notification to federal law enforcement authorities

The company stated that it is continuing forensic analysis and will publish a detailed post-incident report once the investigation concludes.

This incident underscores the growing threat of supply chain attacks targeting developer ecosystems, particularly npm packages and CI/CD workflows. Attackers increasingly leverage compromised dependencies and automation tokens to pivot into enterprise environments.

For organizations, the Grafana case demonstrates the importance of:

  • Full credential rotation during incident response
  • Continuous monitoring of CI/CD pipelines
  • Strict access control and token lifecycle management

Despite the breach, Grafana reassured users that no action is required, as there is no evidence of impact to customer systems or services.
