"After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business," Grafana Labs said.
Grafana Labs: what was accessed and when
On May 19, 2026, Grafana Labs reported an internal investigation into a breach that it says was confined to its GitHub environment. The company stated there is "no evidence of customer production systems or operations being compromised." According to Grafana, the affected GitHub environment includes both public and private source code and internal repositories used for operational collaboration.
Grafana detected the activity on May 11, 2026. The company identified that the downloaded content included internal operational information and business contact names and email addresses, which it characterized as information exchanged in a professional relationship context rather than data processed through production systems or the Grafana Cloud platform.
How the TanStack npm supply chain attack and TeamPCP produced access
Grafana traced the intrusion to the TanStack npm supply chain attack orchestrated by the threat actor known as TeamPCP. The company said it "performed analysis and quickly rotated a significant number of GitHub workflow tokens," but that a missed token allowed attackers to gain access to repositories. A subsequent review found that a specific GitHub workflow originally considered unaffected had in fact been compromised.
The same supply chain incident is linked in Grafana’s account to other targets; Grafana noted the TanStack/TeamPCP activity also hit OpenAI and Mistral AI. Separately, GitHub said it is investigating unauthorized access to its internal repositories after TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum.
Data exposed and extortion attempts
Grafana detailed that stolen content included source code and internal repositories containing business contact names and email addresses. On May 15, 2026, a data extortion group named CoinbaseCartel listed Grafana Labs on its dark web site, the reporting shows. Grafana also reported receiving an extortion demand from an unnamed threat actor on May 16, 2026.
The company declined to pay the ransom, saying there is no guarantee stolen data would be deleted and that paying could "act as a catalyst for future campaigns." Grafana has not provided further detail in this statement about whether the extortion demand referenced specific repositories or files.
Grafana's remediation actions and security posture changes
In response to the incident Grafana said it rotated automation tokens, implemented enhanced monitoring, audited all commits for signs of malicious activity, and bolstered its overall GitHub security posture. The company emphasized the token rotations were a rapid response after the initial analysis, and that the missed token was the vector that permitted repository access despite those rotations.
The Hacker News noted it had contacted Grafana for comment and said it would update the story if the company responded further. Meanwhile, Grafana’s public statements limit the scope of the breach to GitHub-hosted materials and assert no compromise of production systems or the Grafana Cloud platform.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Grafana’s account focuses attention on the risk posed by compromised workflow and automation tokens; teams using GitHub workflows will likely re-check token inventories and audit workflows—Grafana said it audited commits and rotated tokens after detection on May 11.
- Procurement and affected enterprises: Buyers and vendors that rely on open-source components or supplier-held repositories may prioritize contract and risk reviews after supply-chain incidents linked to TanStack and TeamPCP—Grafana explicitly tied its breach to that supply-chain attack that also affected OpenAI and Mistral AI.
- End users and partners: Grafana’s statement that customer production systems were not impacted aims to reassure users, but the disclosure that business contact names and email addresses were in the repositories means organizations exchanging professional contact information with Grafana should be aware of potential data exposure.
Grafana’s disclosure narrows the immediate operational risk to its GitHub environment but leaves a broader ecosystem question in plain view: a supply-chain compromise that can migrate from public package infrastructure to internal code repositories and then to extortion listings on criminal forums. GitHub said it is investigating related access to its internal repositories after TeamPCP listed source code and internal organizations for sale; Grafana said it detected activity on May 11, received a listing on May 15, and an extortion demand on May 16, before publishing its findings on May 19, 2026.
As investigators and the companies involved continue their work, the practical next steps are visible in Grafana’s own actions—token rotations, monitoring, and audits—and in GitHub’s ongoing investigation into unauthorized internal access. How those technical fixes and investigations affect downstream users and whether additional listings or extortion efforts follow remain facts to be established by the parties and law enforcement.




