Grafana GitHub Breach: TanStack npm Supply Chain Linked Ransomware

David kimber
May 20, 2026

Grafana Labs has disclosed a targeted, ransomware-linked breach of its GitHub environment. This incident traces back to a broader TanStack npm supply chain compromise, associated with the “Mini Shai-Hulud” campaign.

The incident, detected on May 11, 2026, involved unauthorized access to internal repositories and culminated in a ransom demand issued on May 16 under threat of data disclosure.

According to Grafana Labs, the intrusion originated from malicious packages distributed through the TanStack npm ecosystem.

These packages were part of an ongoing supply-chain attack that enabled threat actors to inject malicious code into development workflows.

  • The attackers leveraged compromised npm dependencies to gain a foothold.
  • A missed GitHub workflow token during initial remediation enabled continued access.
  • The compromised token granted access to multiple GitHub repositories, including internal and private projects.

Grafana GitHub Breach Linked to Ransomware

Despite rapid token rotation efforts, a previously overlooked CI/CD workflow was later confirmed to have been compromised, enabling the attackers to exfiltrate repository data.

Grafana confirmed that attackers downloaded portions of its codebase along with internal operational repositories.

The exposed data includes:

  • Public and private source code repositories.
  • Internal documentation and operational data.
  • Business contact information, such as names and email addresses.

The company emphasized that no production systems, customer environments, or Grafana Cloud infrastructure were impacted.

Additionally, there is no evidence that the attackers modified any source code.

On May 16, Grafana Labs received a ransom demand from the threat actors, who threatened to publicly release the stolen data.

The company has refused to comply with the demand, aligning with FBI guidance that discourages ransom payments due to the lack of guarantees and the potential to encourage further criminal activity.

Grafana immediately escalated its incident response:

  • Rotated all GitHub automation and workflow tokens.
  • Conducted a full audit of repository activity since May 11.
  • Implemented enhanced monitoring and logging across GitHub environments.
  • Hardened CI/CD pipelines to prevent similar attacks.

Federal law enforcement agencies have been notified, and Grafana is cooperating with ongoing investigations.

This incident highlights the growing risk of software supply chain attacks targeting developer ecosystems.

Compromised npm packages remain a critical attack vector, particularly when integrated into automated CI/CD workflows.

For example, a single malicious dependency in a build pipeline can expose authentication tokens or secrets, allowing attackers to pivot into source code repositories without directly breaching infrastructure.
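The missed workflow token and the dependency-to-token exposure described above both come down to knowing which workflows hold which secrets. The following is an added example, not code from Grafana Labs or from this article: a small audit that inventories `secrets.*` references in GitHub Actions workflow files, reports any secret missing from a rotation list, and flags workflows that run `npm ci`/`npm install` with lifecycle scripts enabled while also referencing secrets. The workflow contents, secret names, and the `audit` function are constructed for illustration.

```python
import re

# ${{ secrets.NAME }} references in GitHub Actions workflow YAML
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# npm install commands; the rest of the line is captured to look for --ignore-scripts
NPM_INSTALL = re.compile(r"\bnpm\s+(?:ci|install|i)\b(?P<args>[^\n]*)")

# Constructed sample workflows (path -> YAML text); hypothetical, not real project files.
SAMPLE_WORKFLOWS = {
    ".github/workflows/release.yml": """
jobs:
  publish:
    steps:
      - run: npm ci
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: gh release create v1
        env:
          GH_TOKEN: ${{ secrets.RELEASE_BOT_TOKEN }}
""",
    ".github/workflows/docs-sync.yml": """
jobs:
  sync:
    steps:
      - run: npm ci --ignore-scripts
      - run: ./sync.sh
        env:
          TOKEN: ${{ secrets.DOCS_SYNC_TOKEN }}
""",
}

def audit(workflows, rotated):
    """Return (unrotated, risky): secrets not yet rotated mapped to the workflows
    using them, and workflows that reference secrets while running npm install
    with lifecycle scripts enabled (a coarse, file-level heuristic)."""
    unrotated, risky = {}, []
    for path, text in sorted(workflows.items()):
        names = set(SECRET_REF.findall(text))
        for name in sorted(names - set(rotated)):
            unrotated.setdefault(name, []).append(path)
        runs_scripts = any("--ignore-scripts" not in m.group("args")
                           for m in NPM_INSTALL.finditer(text))
        if names and runs_scripts:
            risky.append(path)
    return unrotated, risky

if __name__ == "__main__":
    unrotated, risky = audit(SAMPLE_WORKFLOWS, rotated={"NPM_TOKEN", "RELEASE_BOT_TOKEN"})
    print("Secrets still to rotate:", unrotated)
    print("Workflows exposing secrets to install scripts:", risky)
```

In a real repository the `workflows` mapping would be built by reading every file under `.github/workflows/`, and the rotation list would come from the incident tracker.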

Grafana Labs stated that its investigation is ongoing, with continued analysis of logs, telemetry, and repository activity. A detailed post-incident report will be released upon completion.

The company reiterated that no action is currently required from customers or open-source users, as there is no indication of downstream compromise.

As supply chain attacks continue to evolve, the Grafana breach underscores the importance of strict dependency validation, token management, and CI/CD security hardening across modern development environments.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
