
Grafana Labs, the observability and monitoring software company behind the open-source Grafana platform, disclosed that attackers gained access to its GitHub repositories after a compromised GitHub workflow token remained active during a broader credential rotation effort tied to the recent TanStack npm supply-chain attack.
The intrusion was linked to the ongoing Shai-Hulud malware campaign attributed to the TeamPCP hacking group. The campaign involved dozens of malicious TanStack packages published to the npm registry containing credential-stealing code designed to compromise developer environments and CI/CD pipelines.
Grafana Labs said the malicious package executed within its GitHub workflow environment after being consumed by the company’s CI/CD pipeline. The malware exfiltrated GitHub workflow tokens to the attackers, enabling unauthorized access to internal systems.
The company detected suspicious activity on May 1 and activated its incident response procedures, including the rotation of GitHub workflow tokens believed to be exposed during the compromise. Investigators later determined that one token had not been rotated, allowing attackers to maintain access to the company’s GitHub repositories.
“We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories,” Grafana Labs said in an incident update.
The company later discovered that a GitHub workflow initially believed to be unaffected had also been compromised.
“A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised,” the company said.
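The missed token and the workflow wrongly deemed unaffected share one root cause: the rotation was scoped by a judgement of what was impacted rather than by a complete inventory of what the workflows reference. The following added example (not Grafana Labs' code or tooling) builds that inventory from every workflow file and reports any referenced secret absent from the rotation record; the sample workflow fragments and rotation record are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Dict, List, Set

# Matches ${{ secrets.NAME }} as well as ${{ secrets['NAME'] }} / secrets["NAME"].
SECRET_REF = re.compile(
    r"\bsecrets(?:\.([A-Za-z_]\w*)" r"""|\[\s*['"]([A-Za-z_]\w*)['"]\s*\])"""
)

# GITHUB_TOKEN is minted per job and expires when the job ends; it is not a
# stored secret and has nothing to rotate, so it is left out of the inventory.
EPHEMERAL = {"GITHUB_TOKEN"}


def secrets_in_workflow(text: str) -> Set[str]:
    """Return every stored secret name referenced in one workflow file."""
    found = set()
    for m in SECRET_REF.finditer(text):
        name = m.group(1) or m.group(2)
        if name not in EPHEMERAL:
            found.add(name)
    return found


def load_workflows(repo_root: str) -> Dict[str, str]:
    """Read every workflow file under .github/workflows, keyed by file name."""
    wf_dir = Path(repo_root) / ".github" / "workflows"
    files = list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))
    return {p.name: p.read_text() for p in sorted(files)}


def unrotated(workflows: Dict[str, str], rotated: Set[str]) -> Dict[str, List[str]]:
    """Map each referenced secret NOT in the rotated set to the files using it.
    Every workflow is inventoried, so one wrongly deemed clean still surfaces."""
    usage: Dict[str, Set[str]] = {}
    for path, text in workflows.items():
        for name in secrets_in_workflow(text):
            usage.setdefault(name, set()).add(path)
    return {n: sorted(files) for n, files in usage.items() if n not in rotated}


# Constructed sample: three workflow fragments standing in for real files.
SAMPLE_WORKFLOWS = {
    "ci.yml": "steps:\n  - run: npm ci\n    env:\n      NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}\n",
    "release.yml": "env:\n  KEY: ${{ secrets['DEPLOY_KEY'] }}\n  GH: ${{ secrets.GITHUB_TOKEN }}\n",
    "notify.yml": "run: curl -d ok ${{ secrets.SLACK_WEBHOOK }}\n",
}
# Constructed record of which secrets the rotation effort actually covered.
ROTATED = {"NPM_PUBLISH_TOKEN", "SLACK_WEBHOOK"}

if __name__ == "__main__":
    for name, files in unrotated(SAMPLE_WORKFLOWS, ROTATED).items():
        print(f"NOT ROTATED: {name} (used in {', '.join(files)})")
```

Run against a checkout with `unrotated(load_workflows("."), rotated_set)`; an empty result means every secret any workflow references appears in the rotation record.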
Grafana Labs previously confirmed that attackers downloaded portions of its source code and later attempted to extort the company with threats to release the stolen material publicly. The company said it would not pay a ransom.
“Based on our operational experience and the published stance of the Federal Bureau of Investigation, which notes that paying a ransom doesn’t guarantee you or your organization will get any data back and only offers an incentive for others to get involved in this type of illegal activity, we have determined the appropriate path forward is to not pay the ransom,” the company said.
The investigation also found that attackers downloaded operational information and business-related contact details in addition to source code.
“This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform,” Grafana Labs said.
The company stated that no customer production data, customer systems, or operational environments were affected during the breach. Grafana Labs also said investigators found no evidence that attackers modified the company’s codebase during the incident.
Because the codebase was not altered, the company said software downloaded by users during the exposure window remains safe and customers are not required to take any action at this time.
Grafana Labs added that customers would be notified directly if ongoing forensic analysis uncovers evidence requiring additional remediation or response measures.
The company also said it invalidated the compromised credentials and implemented additional security controls to strengthen protection around its development environment and GitHub infrastructure.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543