Grafana GitHub breach: codebase stolen, CoinbaseCartel extortion attempt refused

Grafana Labs says an attacker stole a token that gave access to its GitHub environment, downloaded the company's private codebase, and then demanded a ransom to keep the code from being published. Grafana refused to pay and cited FBI guidance against rewarding extortion. The company says no customer data was accessed and the compromised credentials have been invalidated. A data-extortion crew called CoinbaseCartel, tied to the same ecosystem as ShinyHunters, Scattered Spider, and LAPSUS$ with around 170 victims since September 2025, claimed credit. Grafana has not disclosed which code was taken or when the intrusion happened.

Check
Audit your GitHub organization for long-lived PATs and broad-scope tokens. Search audit logs for code clones or downloads from machine accounts in the last 90 days.
Affected
Grafana Labs (codebase). Grafana states no customer data or systems were impacted; Grafana Cloud and open-source Grafana users are not affected.
Fix
Rotate long-lived GitHub tokens to fine-grained PATs scoped to specific repos. Enable secret scanning and push protection. Deploy canary tokens to detect unauthorized code access.
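
One way to run the audit-log search from the Check step, as an added example that is not from Grafana or the original article. It assumes an audit-log export as JSON lines carrying `action`, `actor`, `repo`, `@timestamp` (epoch milliseconds) and `programmatic_access_type` fields; the machine-account names, repository names and sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Audit-log actions that move repository contents off GitHub.
CODE_ACCESS_ACTIONS = {"git.clone", "git.fetch", "repo.download_zip"}

def flag_bulk_code_access(lines, machine_accounts, now, window_days=90, min_repos=3):
    """Return {actor: {"repos": [...], "token_types": [...]}} for machine
    accounts that pulled at least `min_repos` distinct repos in the window."""
    cutoff_ms = (now - timedelta(days=window_days)).timestamp() * 1000
    repos, token_types = defaultdict(set), defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines in the export
        if not isinstance(ev, dict) or ev.get("action") not in CODE_ACCESS_ACTIONS:
            continue
        actor, ts = ev.get("actor"), ev.get("@timestamp")
        if actor not in machine_accounts or not isinstance(ts, (int, float)) or ts < cutoff_ms:
            continue
        repos[actor].add(ev.get("repo", "<unknown>"))
        token_types[actor].add(ev.get("programmatic_access_type", "<none>"))
    return {
        a: {"repos": sorted(r), "token_types": sorted(token_types[a])}
        for a, r in repos.items() if len(r) >= min_repos
    }

# Constructed sample events (assumed field names; not real audit data).
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

def _ev(days_ago, actor, action, repo, tok):
    ts = int((NOW - timedelta(days=days_ago)).timestamp() * 1000)
    return json.dumps({"@timestamp": ts, "actor": actor, "action": action,
                       "repo": repo, "programmatic_access_type": tok})

PAT = "Personal access token (classic)"
SAMPLE = [
    _ev(2, "ci-bot", "git.clone", "acme/api", PAT),
    _ev(2, "ci-bot", "git.clone", "acme/billing", PAT),
    _ev(1, "ci-bot", "repo.download_zip", "acme/infra", PAT),
    _ev(120, "ci-bot", "git.clone", "acme/legacy", PAT),   # outside the window
    _ev(5, "deploy-bot", "git.fetch", "acme/api", "GitHub App server-to-server token"),
    _ev(3, "alice", "git.clone", "acme/api", PAT),          # human account
    _ev(1, "ci-bot", "repo.create", "acme/tmp", PAT),       # not a code-access action
    "{truncated",                                           # malformed line
]
if __name__ == "__main__":
    print(flag_bulk_code_access(SAMPLE, {"ci-bot", "deploy-bot"}, NOW))
```

An actor that appears here with a classic PAT in `token_types` is also a candidate for the token rotation in the Fix step.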