Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

Ravie LakshmananMay 20, 2026Supply Chain Attack / Cloud Security

Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised.

It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along with internal GitHub repositories.

"After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business," it said.

"This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform."

The open-source visualization software maker also noted that the breach originated from the TanStack npm supply chain attack orchestrated by TeamPCP, which also hit OpenAI and Mistral AI, and that it detected the activity on May 11, 2026.

"We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories," it said. "A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised."

The company said it subsequently received an extortion demand from an unnamed threat actor on May 16, but opted against paying the ransom as there is no guarantee that the stolen data would actually be deleted, and could act as a catalyst for future campaigns.

Since then, Grafana has taken steps to rotate automation tokens, implement enhanced monitoring, audit all commits for signs of malicious activity, and bolster its overall GitHub security posture.

It's worth mentioning here that a data extortion crew named CoinbaseCartel listed Grafana Labs on its dark web site on May 15, 2026. The Hacker News has contacted Grafana for comment, and we will update the story if we hear back.

The development comes as GitHub said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SHARE    

Tweet Share Share Share

SHARE  Cloud security, cybersecurity, data breach, GitHub, Grafana, NPM, Source Code, Supply Chain Attack

⚡ Top Stories This Week

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension

GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective

The New Phishing Click: How OAuth Consent Bypasses MFA

Developer Workstations Are Now Part of the Software Supply Chain

⭐ Featured Resources

Claim ANY.RUN Anniversary Offer for Faster Malware Analysis

[Guide] Learn to Detect AI Typosquatting Risks in Your Domain

[Guide] Get Key Identity Security Insights From 2026 Snapshot

Discover How to Navigate the Era of Constant Cyber Exposure

Cybersecurity Webinars

With HD Moore (Creator of Metasploit) Learn How to Detect Threats Beyond Zero Day Attacks Learn practical strategies to detect and defend against cyber threats beyond zero-day vulnerabilities. Register

Tired of False Positives? Validate Automated Pentesting Results Before Acting Learn how to validate automated pentesting results for accurate security decisions. Register

⚡ Latest News

Cybersecurity Resources

AI Is Reshaping Every Attack Surface. Train for What's NextSANSFIRE 2026 in D.C. brings 50+ courses, AI-focused sessions, and NetWars. July 13–18. Save $500. Your VPN is Helping Attackers Move as Fast as AIAI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk ManagementLead the future of cybersecurity risk management with an online Master’s from Georgetown. ​

Expert Insights Articles Videos

You Can't Patch Your Way Out of This One

May 25, 2026 Read ➝

How to Test Ransomware Recovery Without Reinfecting Your Environment

May 25, 2026 Read ➝

The Scam Before the Game: CTM360 Reveals Threats Targeting FIFA World Cup 2026 Fans

May 25, 2026 Read ➝

7 Signs Your Organization Is Vulnerable to Business Email Compromise

May 18, 2026 Read ➝

Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.

Email