Grafana Labs has disclosed a targeted GitHub security incident linked to the ongoing TanStack npm supply chain ransomware campaign, raising concerns about software development pipeline security and token management practices.
The company confirmed that attackers gained unauthorized access to its GitHub repositories after exploiting a compromised workflow token. The breach, detected on May 11, 2026, is associated with the “Mini Shai-Hulud” campaign, a broader supply chain attack that previously impacted TanStack npm packages.
According to Grafana Labs, the attackers downloaded portions of its codebase. They later issued a ransom demand on May 16, threatening to disclose the stolen data publicly. The organization has refused to pay the ransom, aligning with law enforcement guidance that discourages ransom payments.
Grafana GitHub Security Incident
Grafana’s investigation indicates that the incident was contained within its GitHub environment and did not impact customer-facing systems or the Grafana Cloud platform.
Exposed data includes:
- Public and private source code repositories
- Internal operational repositories used for team collaboration
- Business contact information, such as names and professional email addresses
The company emphasized that while the codebase was accessed and downloaded, there is no evidence of code tampering or malicious modifications.
The breach originated from a compromised GitHub Actions workflow token tied to the TanStack npm supply chain attack. While Grafana initially rotated a large number of tokens after detecting suspicious activity, at least one token was overlooked.
Subsequent analysis revealed that a GitHub workflow initially believed to be unaffected had, in fact, been compromised. This allowed attackers to maintain access and exfiltrate repository data.
This case highlights a common supply chain risk: incomplete credential rotation during incident response can leave residual access points for attackers.
Mitigation and Response
Grafana Labs initiated immediate incident response measures, including:
- Rotation of GitHub workflow and automation tokens
- Comprehensive audit of commits and repository activity since May 11
- Enhanced monitoring and telemetry analysis across GitHub environments
- Security hardening of CI/CD pipelines
- Notification to federal law enforcement authorities
The company stated that it is continuing forensic analysis and will publish a detailed post-incident report once the investigation concludes.
This incident underscores the growing threat of supply chain attacks targeting developer ecosystems, particularly npm packages and CI/CD workflows. Attackers increasingly leverage compromised dependencies and automation tokens to pivot into enterprise environments.
For organizations, the Grafana case demonstrates the importance of:
- Complete credential rotation during incident response
- Continuous monitoring of CI/CD pipelines
- Strict access control and token lifecycle management
Despite the breach, Grafana reassured users that no action is required, as there is no evidence of impact to customer systems or services.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
