
Grafana Labs Breach Traced to TanStack npm Supply Chain Attack, Extortion Rejected

Grafana Labs confirms breach limited to GitHub, traced to TanStack npm attack, rejects extortion demand, outlines mitigations.

By Peter Olaleru, Cybersecurity Editor

Source: The Hacker News

Grafana Labs confirmed on May 19 that a breach limited to its GitHub environment originated from a TanStack npm supply chain attack by TeamPCP, detected May 11, and that it rejected an extortion demand on May 16.

Context

The company said the intrusion did not reach customer production systems or the Grafana Cloud platform. Instead, attackers accessed public and private source code, internal collaboration repositories, and business contact details such as names and email addresses. Grafana traced the entry point to a compromised GitHub workflow token that was missed during an initial rotation after detecting the TanStack npm compromise on May 11. The same TanStack attack also affected OpenAI and Mistral AI.

Key Facts

Investigation found no evidence of production data exposure. The breach scope is confined to the GitHub environment, including internal operational information. Grafana received an extortion demand on May 16 from an unnamed actor and declined to pay, citing no guarantee of data deletion and the risk of encouraging future attacks. A dark-web listing by the group CoinbaseCartel appeared on May 15, though Grafana has not confirmed a link.

What It Means

Organizations should treat workflow tokens as secrets and rotate them immediately after any supply-chain alert. Enable GitHub secret scanning and push protection to catch leaked tokens in real time. Enforce least-privilege permissions on workflows and require approvals for changes to sensitive actions. Monitor for MITRE ATT&CK technique T1195 (Supply Chain Compromise) and T1078 (Valid Accounts) indicators such as unusual token usage or unexpected repository clones. Apply dependency verification tools and maintain an SBOM for npm packages to catch malicious updates early. Keep an eye on further extortion attempts from TeamPCP-affiliated groups and consider sharing indicators via ISACs.
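The two checks above, a token inventory that catches a rotation miss like the one Grafana described and a scan for post-alert clones from unexpected sources, as an added Python example (not code from Grafana Labs or the article): the audit events, token ids, IP addresses and the year are all constructed, and the event field names are an assumption loosely modelled on GitHub's audit log rather than a real export.

```python
from datetime import datetime, timezone

# Time of the npm supply-chain alert; the year is assumed, the article gives only May 11.
ALERT_TIME = datetime(2026, 5, 11, tzinfo=timezone.utc)
# CI egress addresses the organisation expects (constructed, TEST-NET range).
KNOWN_IPS = {"203.0.113.10"}

# Token inventory: id -> when the token was last rotated (constructed).
TOKEN_ROTATED_AT = {
    "tok-ci-build": datetime(2026, 5, 11, 14, 0, tzinfo=timezone.utc),  # rotated after alert
    "tok-ci-deploy": datetime(2026, 3, 2, tzinfo=timezone.utc),         # missed in the rotation
}

# Constructed audit events; field names are an assumption, not GitHub's real schema.
EVENTS = [
    {"ts": "2026-05-12T09:15:00Z", "action": "git.clone", "repo": "org/private-svc",
     "token_id": "tok-ci-build", "actor_ip": "203.0.113.10"},
    {"ts": "2026-05-13T02:41:00Z", "action": "git.clone", "repo": "org/private-svc",
     "token_id": "tok-ci-deploy", "actor_ip": "198.51.100.7"},
    {"ts": "2026-05-13T02:45:00Z", "action": "git.clone", "repo": "org/internal-notes",
     "token_id": "tok-ci-deploy", "actor_ip": "198.51.100.7"},
    {"ts": "2026-05-10T11:00:00Z", "action": "git.clone", "repo": "org/private-svc",
     "token_id": "tok-ci-deploy", "actor_ip": "203.0.113.10"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_tokens(token_rotated_at, alert_time):
    """Tokens whose last rotation predates the alert: the gap that let the breach through."""
    return sorted(t for t, r in token_rotated_at.items() if r < alert_time)

def find_findings(events, token_rotated_at, alert_time, known_ips):
    """Return (token_id, reason, ts) tuples for post-alert token activity worth triaging."""
    findings = []
    for e in events:
        if parse_ts(e["ts"]) < alert_time:
            continue  # pre-alert activity is out of scope for the rotation check
        tok = e["token_id"]
        rotated = token_rotated_at.get(tok)
        # An unknown token (not in the inventory) is treated as unrotated as well.
        if rotated is None or rotated < alert_time:
            findings.append((tok, "token not rotated after alert", e["ts"]))
        if e["action"] == "git.clone" and e["actor_ip"] not in known_ips:
            findings.append((tok, f"clone of {e['repo']} from unexpected IP {e['actor_ip']}", e["ts"]))
    return findings

if __name__ == "__main__":
    print("stale tokens:", stale_tokens(TOKEN_ROTATED_AT, ALERT_TIME))
    for f in find_findings(EVENTS, TOKEN_ROTATED_AT, ALERT_TIME, KNOWN_IPS):
        print(f)
```

On the sample data the unrotated deploy token is flagged twice for use after the alert and twice for cloning private repositories from an address outside the CI allowlist, while the rotated build token produces nothing.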
