"We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories." Grafana Labs said this after investigators tied an unauthorized codebase download to a larger supply‑chain attack that surfaced on May 11.
Timeline and what Grafana Labs disclosed
Grafana Labs reported on May 17 that it had discovered an attacker had downloaded its codebase after accessing the firm’s GitHub environment. The company says it first spotted malicious activity on May 11 and that a missed GitHub workflow token allowed the attacker to gain repository access even after many tokens were rotated.
Grafana acknowledged that a specific GitHub workflow it initially believed not impacted had, in fact, been compromised. After contact from the ransom gang, Grafana launched mitigation steps including rotating automation tokens, implementing enhanced monitoring, auditing all commits since May 11, and significantly hardening its GitHub security posture.
Mini Shai‑Hulud, TeamPCP, and the mechanism of compromise
Grafana tied the incident to the Mini Shai‑Hulud campaign, attributing the root cause to compromised TanStack packages. According to TanStack, on May 11 TeamPCP published 84 malicious versions across 42 @tanstack/* packages. The attackers had embedded credential‑stealing malware—an infostealer—targeting CI/CD environments such as GitHub Actions.
Because TeamPCP compromised TanStack’s own CI/CD pipeline, the malicious packages were released as though legitimate and were cryptographically signed. That signature allowed the malicious packages to bypass security filters downstream that relied on signatures or other provenance checks.
Scope of the campaign beyond TanStack
The Mini Shai‑Hulud campaign did not stop with TanStack. TeamPCP also broadened its reach to compromise OpenSearch npm versions, PyPI mistralai 2.4.6, PyPI guardrails‑ai 0.10.1 and additional @squawk packages. According to reporting, the infostealer was designed to harvest a wide range of tokens and credentials, including GitHub Actions, GitLab, CircleCI, AWS, Google Cloud Platform, Azure, Kubernetes, HashiCorp Vault and package registry tokens.
Grafana said TeamPCP exfiltrated the firm’s codebase and additional “internal operational information and other details” from its GitHub repositories, including business contact names and email addresses “that would be exchanged in a professional relationship context.” Grafana reiterated that, at this stage, there is no indication customer production systems or operations have been compromised.
Grafana’s immediate mitigations and audit posture
Grafana described multiple concrete measures taken after attackers contacted the company: rotating automation tokens, enhanced monitoring, an audit of all commits since the May 11 incident, and hardening its GitHub security posture. The firm emphasized that although it rotated a large number of GitHub workflow tokens, the compromise pivoted on a single missed token and an initially misclassified workflow that proved compromised.
What this means for technologists, open‑source maintainers, and procurement leaders
- Technologists and security teams: Expect continued attention to CI/CD token hygiene and monitoring of workflow tokens, because the infostealer used in this campaign targeted a broad set of CI/CD and cloud tokens including GitHub Actions, GitLab, CircleCI, AWS, GCP, Azure, Kubernetes and HashiCorp Vault.
- Open‑source maintainers and downstream developers: The attack demonstrates the danger when a maintainer’s CI/CD pipeline is itself compromised—malicious code can be released as cryptographically signed, legitimate packages. Maintainers will need to validate CI/CD integrity and consider additional provenance checks beyond signature verification.
- Enterprises and procurement leaders: The campaign’s long tail shows that supply‑chain incidents can propagate across ecosystems (npm, PyPI, package registries). Procurement and risk teams should note that business contact data and internal operational information were specifically exfiltrated in this case, even while production systems remained unaffected.
The incident underscores a simple but stubborn fact documented in Grafana’s disclosure: even extensive token rotation and mitigation can be undermined by a single missed credential and a compromised workflow. With malicious versions published as valid and cryptographically signed, downstream projects and enterprises that consumed those packages may have been exposed without obvious indicators—raising the pointed question Grafana’s audit seeks to answer: who else, if anyone, automatically consumed those signed, malicious releases?
Source: Infosecurity Magazine — Grafana Labs Says Code Breach Stemmed from TanStack Attack




