Grafana Labs has confirmed that a recent supply chain attack involving the TanStack npm ecosystem resulted in the cloning of its internal GitHub repositories. However, it did not compromise customer production systems or the Grafana Cloud platform.
This disclosure follows a thorough internal investigation completed on May 27, 2026, as well as an independent forensic review conducted by Mandiant, which found no evidence of code tampering, repository poisoning, or malicious modifications in publicly distributed software.
The incident is attributed to the “Mini Shai-Hulud” campaign. It highlights the increasing risks of credential leakage and abuse in modern CI/CD pipelines and open-source supply chains.
Grafana Confirms TanStack npm Supply Chain Attack
The attack began on May 11, when malicious code was executed on self-hosted GitHub runners, exposing sensitive credentials. Although the company initially rotated all credentials it believed were compromised, a single overlooked token allowed the threat actor to regain access several days later.
By May 14, the attackers had exploited this credential to commit unauthorized changes and to initiate large-scale repository cloning. Data exfiltration began shortly thereafter, culminating in a ransom demand issued on May 16, in which the attacker threatened to leak the stolen codebase.
Grafana Labs chose not to comply with the extortion attempt, in line with established law enforcement guidance discouraging ransomware payments. While most of Grafana’s codebase is open source, the exfiltrated data included private repositories containing internal tools, operational data, and limited business contact information, such as professional email addresses.
The company emphasized that this data was not sourced from production environments or customer systems, and no user data was accessed or impacted.
In response to the incident, Grafana initiated a comprehensive incident response process that included immediately suspending all GitHub applications, implementing a global code freeze, and rotating credentials across its infrastructure.
Security teams conducted a cross-platform audit of GitHub, Vault, Okta, Kubernetes, AWS, and GCP environments to validate system integrity and confirm containment. The company also reverted all unauthorized changes and identified the full attack chain within 48 hours of confirming the breach.
The scale of the remediation effort was significant, involving thousands of manual and automated security reviews. Engineering teams audited hundreds of GitHub applications, reduced excessive permissions, and scanned over a thousand repositories for indicators of compromise. Critical repositories underwent intensive pull request validation to detect unauthorized modifications.
At the same time, legacy systems were retired to minimize the attack surface. Grafana also implemented stricter access controls and initiated a broader audit of identity and access management policies.
As part of its long-term security improvements, Grafana introduced a token-broker system to enforce short-lived, fine-grained credentials, thereby reducing reliance on static secrets.
The company transitioned to more secure artifact management workflows, limiting direct integrations with external registries like Docker Hub in favor of controlled environments, such as Google Cloud Artifact Registry. Additional measures include enhanced alerting, static code analysis, and segmentation of GitHub organizations to isolate archived or inactive repositories.
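The token-broker idea in the two paragraphs above, and the lesson from the overlooked token earlier in the article, can be made concrete in a few dozen lines. The following is an added illustration written for this page, not Grafana's broker or any code from the incident: a hypothetical `TokenBroker` that mints credentials carrying a subject, an explicit scope list and an expiry, signed with a key only the broker holds. A CI job that receives such a token never sees a long-lived secret, a stolen token stops working on its own when it expires, a read-only token cannot be used for a write, and one rotation of the broker's signing key invalidates every outstanding token at once, which is the property a static-secret inventory cannot give you. Names, scopes and the fake clock are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenBroker:
    """Issues short-lived, scope-limited tokens signed with a broker-held key.

    Hypothetical illustration of the token-broker pattern: callers (for
    example a CI runner) never hold a long-lived secret, only a token that
    names exactly what it may do and dies on its own after `ttl_seconds`.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._key_id = 0
        self._keys = {}          # key id -> HMAC signing key
        self.rotate_signing_key()

    def rotate_signing_key(self):
        """Replace the signing key; every token issued so far becomes invalid.

        One rotation here covers all outstanding tokens, instead of hunting
        for each static secret that might have been missed.
        """
        self._key_id += 1
        self._keys = {self._key_id: secrets.token_bytes(32)}

    def issue(self, subject, scopes, ttl_seconds=600):
        """Mint a token for `subject` limited to `scopes`, valid for `ttl_seconds`."""
        issued = int(self._now())
        claims = {
            "sub": subject,
            "scopes": sorted(scopes),
            "iat": issued,
            "exp": issued + ttl_seconds,
            "kid": self._key_id,
        }
        body = _b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._keys[self._key_id], body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify(self, token, required_scope):
        """Return the claims if the token is authentic, unexpired and carries
        `required_scope`; otherwise None. Every failure is a plain rejection."""
        try:
            body, sig = token.split(".", 1)
            claims = json.loads(_b64decode(body))
        except ValueError:  # missing separator, bad base64 or bad JSON
            return None
        if not isinstance(claims, dict) or not isinstance(claims.get("kid"), int):
            return None
        key = self._keys.get(claims["kid"])
        if key is None:
            return None  # signed under a key that has since been rotated out
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or forged
        if self._now() >= claims.get("exp", 0):
            return None  # expired: a leaked token stops working by itself
        if required_scope not in claims.get("scopes", []):
            return None  # fine-grained: a read scope cannot be used to write
        return claims


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


if __name__ == "__main__":
    clock = [1_700_000_000]                      # constructed fake clock
    broker = TokenBroker(now=lambda: clock[0])
    token = broker.issue("ci-runner-42", ["repo:read"], ttl_seconds=300)
    print("read allowed :", broker.verify(token, "repo:read") is not None)
    print("write allowed:", broker.verify(token, "repo:write") is not None)
    clock[0] += 301                              # five minutes pass
    print("still valid  :", broker.verify(token, "repo:read") is not None)
```

The design choice that matters is that every check in `verify` ends in the same `None`: the relying service does not learn which test failed, and a credential that is expired, over-scoped or signed under a retired key is simply unusable. In a real deployment the broker would issue tokens accepted by the downstream system itself (a registry, a cloud IAM or a GitHub App installation) rather than its own HMAC format, but the expiry, scope and single-point-of-rotation properties are the same.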
This incident underscores a critical lesson in supply chain security: even a single missed credential can have significant downstream impacts.
While Grafana successfully contained the breach without any customer impact, the attack demonstrates how threat actors are increasingly targeting CI/CD pipelines and developer tooling to gain access to high-value environments.
With independent validation from Mandiant confirming the absence of code manipulation, this incident stands as a notable example of effective incident response, transparency, and post-incident hardening in the face of a modern supply chain threat.