Grafana GitHub Breach Exposes Source Code in npm Attack

Grafana Labs confirmed on May 19, 2026, that a supply chain attack originating from a compromised TanStack npm package resulted in unauthorized access to its GitHub environment, exposing both public and private source code repositories. The breach, attributed to the TeamPCP threat group, also affected OpenAI and Mistral AI. While no customer production systems were compromised, the incident exposed internal operational information, including business contact details and email addresses used in professional contexts.

Attack Timeline and Technical Details

Grafana detected the malicious activity on May 11, 2026, and initially responded by rotating numerous GitHub workflow tokens. However, investigators later discovered that one token in a workflow initially deemed secure had been missed, which gave the attackers a persistent access vector. The company received an extortion demand on May 16 from the threat actors; the CoinbaseCartel data extortion group listed Grafana on its dark web leak site on May 15. Grafana declined to pay the ransom, citing concerns that payment would neither guarantee data deletion nor prevent future extortion attempts.

Response Measures Implemented

Following the breach discovery, Grafana implemented comprehensive security enhancements including complete rotation of automation tokens, deployment of enhanced monitoring systems, and thorough auditing of all repository commits for malicious code injection. The company has also initiated a broader review of its GitHub security posture to prevent similar incidents.

Key Takeaway

Engineering teams using GitHub workflows should immediately audit all automation tokens and secrets, particularly those associated with npm dependencies. Organizations must implement comprehensive token inventory systems and establish monitoring for unexpected GitHub API activity. This incident underscores the critical importance of supply chain security in development environments, where a single compromised dependency can cascade into enterprise-wide breaches affecting proprietary intellectual property.
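As an added illustration of the token inventory the takeaway calls for (example code, not from Grafana or the article), the script below scans GitHub Actions workflow files, lists every `secrets.*` reference per workflow, and singles out the secrets exposed to workflows that install npm packages so they are rotated first. The workflow texts and secret names are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample workflows (not Grafana's); in practice read every
# .github/workflows/*.yml across all repositories, including archived ones.
SAMPLE_WORKFLOWS = {
    "release.yml": """
on: [push]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          GH_TOKEN: ${{ secrets.RELEASE_PAT }}
""",
    "lint.yml": """
on: [pull_request]
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh
        env:
          TOKEN: ${{ secrets.LINT_BOT_TOKEN }}
""",
}

# Matches both ${{ secrets.NAME }} expressions and bare secrets.NAME uses.
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
# Steps that pull npm dependencies, where a compromised package can run code.
NPM_INSTALL = re.compile(r"\b(npm\s+(ci|install|i)|yarn(\s+install)?|pnpm\s+install)\b")

def inventory(workflows: Dict[str, str]) -> Dict[str, dict]:
    """Per workflow: sorted secret names referenced and whether it installs npm packages."""
    result = {}
    for name, text in workflows.items():
        result[name] = {"secrets": sorted(set(SECRET_REF.findall(text))),
                        "installs_npm": bool(NPM_INSTALL.search(text))}
    return result

def all_secrets(workflows: Dict[str, str]) -> List[str]:
    """Every secret any workflow can reach; compare against the repo's configured secrets."""
    return sorted({s for e in inventory(workflows).values() for s in e["secrets"]})

def secrets_to_rotate_first(workflows: Dict[str, str]) -> List[str]:
    """Secrets reachable from npm-installing workflows: highest priority for rotation."""
    return sorted({s for e in inventory(workflows).values() if e["installs_npm"]
                   for s in e["secrets"]})
```

Any secret configured in the repository or organization but absent from `all_secrets()` is a candidate for removal, since an unused secret is still a usable credential if leaked.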


Article Source: Grafana GitHub Breach Exposes Source Code via TanStack npm Attack