Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

Published: May 20, 2026 at 01:12 AM EDT
Source: The Hacker News

Overview

On May 19, 2026, Grafana Labs announced that an investigation into a recent breach found no evidence of customer production systems or operations being compromised. The incident was limited to the Grafana Labs GitHub environment, which includes both public and private source code as well as internal repositories.

Details of the Breach

  • The breach originated from the TanStack npm supply chain attack orchestrated by the threat actor group TeamPCP. This same campaign also targeted OpenAI and Mistral AI and was first detected by Grafana on May 11, 2026.
  • Attackers accessed GitHub workflow tokens, and a missed token allowed them to gain entry to Grafana’s repositories.
  • The compromised data included source code, internal operational information, business contact names, and email addresses—information exchanged in a professional context, not data from production systems or the Grafana Cloud platform.

Extortion Attempt

  • On May 16, 2026, Grafana received an extortion demand from an unnamed threat actor. The company chose not to pay the ransom, citing the lack of guarantee that the stolen data would be deleted and the risk of encouraging future attacks.
  • A data‑extortion crew known as CoinbaseCartel listed Grafana Labs on its dark‑web site on May 15, 2026.

Response and Mitigation

Grafana Labs took several immediate and longer‑term actions:

  1. Rotated automation tokens and performed a comprehensive token audit.
  2. Implemented enhanced monitoring of GitHub activity.
  3. Audited all commits for signs of malicious code or modifications.
  4. Strengthened overall GitHub security posture, including stricter access controls and workflow reviews.

GitHub has announced its own investigation into unauthorized access to its internal repositories after TeamPCP listed GitHub’s source code and internal organizations for sale on a cybercrime forum.
