Skip to main content
Emerging ThreatsSupply Chain Attacks

Grafana Breach Exposes Missed Security Step After TanStack Attack

Developer workstation with laptop and terminal screens near npm package repository, indicating a software development…

“We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories,” reads Grafana’s update.

TanStack packages and the Shai-Hulud malware campaign

The breach traces back to a supply-chain incident on the npm index. In the ongoing Shai-Hulud malware campaign — which the source attributes to TeamPCP hackers — dozens of TanStack packages were published containing credential‑stealing code. When those malicious npm packages were released, they compromised developer environments by executing an info‑stealer module.

How a missed GitHub workflow token produced repository access

Grafana’s CI/CD workflow consumed one of the tainted packages. The info‑stealer executed inside Grafana’s GitHub environment and exfiltrated GitHub workflow tokens to the attackers. Grafana detected malicious activity tied to the compromised TanStack packages on May 1 and implemented its incident response plan, which included rotating GitHub workflow tokens.

Despite that response, a single workflow token was missed. That token, the company says, provided the attacker with access to Grafana’s private repositories. “A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised,” Grafana added.

What Grafana found: source code, operational data, and assurances on customer systems

Grafana previously confirmed that intruders stole source code from the company. The continued investigation also revealed the intruder downloaded operational information and details Grafana uses for its business. Grafana described that material specifically as, “business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform.”

The company stresses that this was not customer production data. According to Grafana’s latest evidence and investigation, “no customer production systems or operations have been compromised.” Grafana Labs also reported its codebase was not modified during the incident, and therefore “the code users downloaded throughout the events is considered safe,” with users not required to take any action. Grafana promised to notify impacted customers directly if that evaluation changes based on new evidence.

What this means for technologists, enterprise engineering leaders, and customers

  • Technologists and security teams: The chain of events underlines how a single missed credential in a CI/CD environment can convert a supply‑chain compromise into access to private repositories. Detection of compromised packages on May 1 triggered token rotation, but the missed token demonstrates the difficulty of achieving exhaustive remediation in fast‑moving incidents.
  • Enterprise engineering and procurement leaders: The incident highlights exposure vectors that begin with third‑party packages on public registries. Even when a vendor rotates credentials quickly, gaps in assumed coverage for particular workflows can allow attackers to persist and access intellectual property and operational contact data.
  • Customers and end users: Grafana’s public statements assert that customer production systems and operations remain uncompromised and that source code was not altered. Customers are therefore not being asked to take corrective action by Grafana at this time, and the company said it will notify affected customers should that assessment change.

Grafana Labs' response and the unresolved questions

Grafana deployed its incident response plan immediately after detecting malicious activity tied to the TanStack packages and performed an extensive token rotation. The company has declined to pay a ransom, according to its earlier disclosures. While Grafana reports no modification to its codebase and no impact to customer production systems, the discovery that a previously assumed unaffected workflow was in fact compromised raises operational and procedural questions about how workflow inventories and token rotation processes are validated during an incident.

The record released by Grafana makes plain what was taken — source code and business contact information — and what was not — customer production data and code integrity. The next steps the company outlined are limited and concrete: continue the investigation and notify customers directly if new evidence requires it. The narrow technical failure at the center of this episode — one missed GitHub workflow token after a supply‑chain compromise on npm — is a reminder that in modern software supply chains, small oversights can have outsized consequences.

Source: BleepingComputer — Grafana breach caused by missed token rotation after TanStack attack