
Grafana Labs announced on May 19, 2026 that an investigation into a recent breach found no evidence that any of its customers’ production systems or operations were compromised.
The scope of the incident is limited to Grafana Labs’ GitHub environment, which includes public and private source code and internal GitHub repositories.
“After an initial assessment, we determined that the downloaded content, in addition to source code, included GitHub repositories used by some Grafana Labs teams to collaborate and store internal operational information and other details about our business,” the company said.
“This includes business contact names and email addresses exchanged in the course of business relationships, but does not include information obtained or processed through production systems or use of the Grafana Cloud platform.”
The open source visualization software maker also noted that this breach stemmed from a TanStack npm supply chain attack orchestrated by TeamPCP, which also attacked OpenAI and Mistral AI, and that it detected this activity on May 11, 2026.
“We performed analysis and quickly rotated a large number of GitHub workflow tokens, but the tokens were missing, allowing the attacker to access our GitHub repositories.” “Subsequent investigation confirmed that certain GitHub workflows that were initially thought to be unaffected were in fact compromised.”
The company later said it received an extortion demand from an anonymous attacker on May 16, but did not agree to pay the ransom because there was no guarantee that the stolen data would actually be deleted, and because paying could serve as a springboard for future attacks.
Since then, Grafana has taken steps to strengthen its overall GitHub security posture, including automating token rotation, implementing enhanced monitoring, and auditing all commits for signs of malicious activity.
It is worth mentioning here that a data extortion team named CoinbaseCartel listed Grafana Labs on its dark web site on May 15, 2026. Hacker News has contacted Grafana for comment and will update the article if we hear back.
The development comes after GitHub announced it was investigating unauthorized access to its internal repositories after a notorious threat actor known as TeamPCP listed the platform’s source code and internal organization for sale on a cybercrime forum.
