Last updated: July 5, 2026 at 9:01 AM UTC
Tag: grafana (2 articles)

Grafana confirms its GitHub breach started with the TanStack npm supply-chain attack (TeamPCP)

Grafana Labs has confirmed that its previously disclosed GitHub breach started with the TanStack npm supply-chain attack run by TeamPCP, the same one that hit OpenAI and Mistral AI. Grafana detected the activity on May 11, rotated a significant number of GitHub workflow tokens, but one token slipped through and the attacker used it to pull Grafana's codebase. The downstream extortion attempt under the CoinbaseCartel banner came on May 16 and Grafana refused to pay, citing FBI guidance. The incident chains TeamPCP's TanStack OIDC-token theft into a directly observable secondary breach at a major observability vendor.

Check
If you maintained or rebuilt Grafana forks since May 11, or used Grafana Labs GitHub Actions, audit CI logs and outbound traffic against TanStack-attack IoCs published by Wiz and Snyk.
Affected
Grafana Labs (codebase, already public). New attribution links the breach to the TanStack supply-chain attack. No direct customer or Grafana Cloud impact reported.
Fix
Adopt OIDC trusted publishing. Treat GitHub Actions workflow tokens as short-lived and rotate aggressively. Seed canary tokens in private repos - Grafana detected this breach via a canary trigger.

Grafana GitHub breach: codebase stolen, CoinbaseCartel extortion attempt refused

Grafana Labs says an attacker stole a token that gave access to its GitHub environment, downloaded the company's private codebase, and then demanded a ransom to keep the code from being published. Grafana refused to pay and cited FBI guidance against rewarding extortion. The company says no customer data was accessed and the compromised credentials have been invalidated. A data-extortion crew called CoinbaseCartel, tied to the same ecosystem as ShinyHunters, Scattered Spider, and LAPSUS$ with around 170 victims since September 2025, claimed credit. Grafana has not disclosed which code was taken or when the intrusion happened.

Check
Audit your GitHub organization for long-lived PATs and broad-scope tokens. Search audit logs for code clones or downloads from machine accounts in the last 90 days.
Affected
Grafana Labs (codebase). Grafana states no customer data or systems were impacted; Grafana Cloud and open-source Grafana users are not affected.
Fix
Rotate long-lived GitHub tokens to fine-grained PATs scoped to specific repos. Enable secret scanning and push protection. Deploy canary tokens to detect unauthorized code access.
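The Check step above asks for a review of GitHub audit logs for code clones by machine accounts in the last 90 days. The script below is an added example of that filter, not code from the original article or from Grafana Labs. It assumes events in the shape of a GitHub organization audit-log JSON export (fields "@timestamp" in milliseconds, "action", "actor", "repo") and takes the list of machine or service-account logins from the caller; the events and account names it contains are constructed for the demonstration.

```python
"""Flag repository-content access by machine accounts within a lookback
window, from a GitHub organization audit-log export.

Assumptions (not from the original article):
- events are dicts shaped like the GitHub audit-log JSON export:
  "@timestamp" (ms since epoch), "action", "actor", "repo"
- the caller supplies the set of machine/service-account logins
- "git.clone" is the action for a full clone; "git.fetch" is noisy for
  CI and is only included when the caller opts in
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

CLONE_ACTIONS = frozenset({"git.clone"})
CLONE_AND_FETCH_ACTIONS = frozenset({"git.clone", "git.fetch"})


def _ms(dt):
    """Epoch milliseconds for a timezone-aware datetime (export format)."""
    return int(dt.timestamp() * 1000)


def parse_ts(ms):
    """Convert an export "@timestamp" (ms since epoch) to an aware datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def find_machine_clones(events, machine_accounts, now, days=90,
                        actions=CLONE_ACTIONS):
    """Return events where a machine account copied repository content
    inside the last `days` days, oldest first."""
    cutoff = now - timedelta(days=days)
    hits = []
    for ev in events:
        if ev.get("action") not in actions:
            continue
        if ev.get("actor") not in machine_accounts:
            continue
        when = parse_ts(ev["@timestamp"])
        if when < cutoff:
            continue
        hits.append({
            "actor": ev["actor"],
            "repo": ev.get("repo", ""),
            "action": ev["action"],
            "when": when.isoformat(),
        })
    hits.sort(key=lambda h: h["when"])
    return hits


def summarize_by_actor(hits):
    """Map each flagged actor to the sorted list of repos it touched."""
    repos = defaultdict(set)
    for h in hits:
        repos[h["actor"]].add(h["repo"])
    return {actor: sorted(r) for actor, r in sorted(repos.items())}


# Fixed "now" so the 90-day window is reproducible (constructed).
NOW = datetime(2026, 7, 5, tzinfo=timezone.utc)

# Constructed machine-account logins; in practice, source these from your
# org's bot/service users or your IdP.
MACHINE_ACCOUNTS = frozenset({"ci-bot", "deploy-bot"})

# Constructed sample events in the export shape described above.
SAMPLE_EVENTS = [
    {"@timestamp": _ms(datetime(2026, 6, 20, tzinfo=timezone.utc)),
     "action": "git.clone", "actor": "ci-bot", "repo": "example-org/app"},
    {"@timestamp": _ms(datetime(2026, 6, 21, tzinfo=timezone.utc)),
     "action": "git.clone", "actor": "alice", "repo": "example-org/app"},
    {"@timestamp": _ms(datetime(2026, 6, 22, tzinfo=timezone.utc)),
     "action": "git.push", "actor": "ci-bot", "repo": "example-org/app"},
    # Older than 90 days before NOW, so outside the window.
    {"@timestamp": _ms(datetime(2026, 3, 1, tzinfo=timezone.utc)),
     "action": "git.clone", "actor": "ci-bot", "repo": "example-org/infra"},
    {"@timestamp": _ms(datetime(2026, 7, 1, tzinfo=timezone.utc)),
     "action": "git.fetch", "actor": "deploy-bot", "repo": "example-org/infra"},
]


if __name__ == "__main__":
    hits = find_machine_clones(SAMPLE_EVENTS, MACHINE_ACCOUNTS, NOW,
                               actions=CLONE_AND_FETCH_ACTIONS)
    for actor, repos in summarize_by_actor(hits).items():
        print(f"{actor}: {', '.join(repos)}")
```

With the default action set only full clones are reported, which keeps the review list short; pass `actions=CLONE_AND_FETCH_ACTIONS` when the concern is incremental downloads as well. Any machine account that appears against a repository it has no workflow reason to read is the case to investigate, alongside the token that authenticated it.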