Overview
Grafana Labs has confirmed that hackers successfully stole its internal source code and other proprietary data after exploiting a GitHub access token that was compromised during the TanStack npm supply chain attack — and never rotated.
The incident is the latest in a cascade of breaches linked to the TanStack attack, in which a widely used React library's npm package was trojanized to harvest CI/CD tokens from developer pipelines across major organizations. Grafana, GitHub, and OpenAI have all confirmed impacts from the same underlying supply chain incident.
How the Attack Unfolded
Step 1: TanStack Package Compromised
The attack chain began with the compromise of TanStack, a family of popular open-source React libraries with millions of weekly npm downloads. Threat actors inserted malicious code into the package that harvested tokens, secrets, and credentials from CI/CD pipelines that installed the compromised version.
Step 2: Token Harvested from Grafana Pipeline
During the TanStack compromise window, a GitHub access token belonging to Grafana was exfiltrated from the organization's build pipeline. This token carried sufficient permissions to clone internal GitHub repositories.
Step 3: Token Not Rotated
Following the TanStack incident disclosure, Grafana failed to rotate the compromised token as part of its incident response. This left a window of opportunity that attackers exploited before the oversight was discovered.
Step 4: Repositories Cloned and Data Stolen
With the valid token in hand, attackers accessed Grafana's internal GitHub organization and cloned repositories containing:
- Internal source code for Grafana products
- Proprietary tooling and configuration files
- Other sensitive internal data
An extortion attempt followed the breach, with attackers reportedly using the stolen data as leverage.
Grafana's Response
Grafana Labs has publicly acknowledged the incident and stated that:
- Customer data was not affected — the breach was limited to internal repositories and assets
- The company has rotated all credentials and tokens across its infrastructure
- An internal security review is underway to identify any additional exposure
- Grafana is cooperating with law enforcement
The company has characterized the root cause as a failure to rotate a known-compromised credential in a timely manner following the TanStack disclosure.
The Broader TanStack Attack Impact
The TanStack supply chain attack has had ripple effects across the industry. Organizations confirmed to have been impacted by the same credential theft campaign include:
| Organization | Impact |
|---|---|
| Grafana Labs | Internal source code and repositories stolen |
| GitHub | ~3,800 internal repositories accessed via employee device |
| OpenAI | Developer credentials exfiltrated, macOS update pushed |
| Mistral AI | Source code repositories reportedly stolen |
The attack is attributed to the Coinbase cartel and TeamPCP threat groups, which have been responsible for a wave of supply chain compromises throughout early 2026.
Key Lesson: Token Rotation After Supply Chain Incidents
The Grafana breach highlights one of the most common but preventable failure modes in supply chain incident response: failing to rotate credentials exposed in a known compromise.
Security teams responding to supply chain attacks should:
- Immediately enumerate all tokens and secrets used in affected pipelines
- Rotate all credentials as a precaution — even if exposure is unconfirmed
- Audit pipeline access logs for unusual token usage before and after the incident window
- Implement short-lived token policies to reduce the blast radius of future compromises
- Use CI/CD secrets scanning tools to detect credential exposure proactively
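The first three steps of that checklist (enumerate the tokens a pipeline used, assume they are stolen, and look for the token being used from somewhere other than the pipeline after the disclosure) can be run over an access-log export. The script below is an added example, not Grafana's tooling or GitHub's audit-log schema: the record shape, the JSON lines, the incident dates and the CI network range are all constructed for illustration and would be replaced with the real export, the real compromise window and the real build-agent networks.

```python
"""Audit git access events for tokens exposed in a supply chain incident
that were never rotated.

Added example with constructed data. The record fields (action, token_id,
actor_ip, repo, created_at) are an assumed simplified shape, not any
provider's exact audit-log format.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export: one JSON event per line.
SAMPLE_LOG = """
{"action": "git.clone", "token_id": "tok_ci_build", "actor_ip": "203.0.113.10", "repo": "acme/internal-app", "created_at": "2026-03-01T09:12:00Z"}
{"action": "git.push", "token_id": "tok_ci_build", "actor_ip": "203.0.113.10", "repo": "acme/internal-app", "created_at": "2026-03-02T11:00:00Z"}
{"action": "git.clone", "token_id": "tok_ci_build", "actor_ip": "203.0.113.11", "repo": "acme/internal-app", "created_at": "2026-03-03T14:05:00Z"}
{"action": "git.clone", "token_id": "tok_ci_build", "actor_ip": "198.51.100.77", "repo": "acme/internal-app", "created_at": "2026-03-06T02:41:00Z"}
{"action": "git.clone", "token_id": "tok_ci_build", "actor_ip": "198.51.100.77", "repo": "acme/proprietary-tooling", "created_at": "2026-03-06T02:43:00Z"}
{"action": "git.clone", "token_id": "tok_docs_bot", "actor_ip": "203.0.113.12", "repo": "acme/docs", "created_at": "2026-03-07T10:00:00Z"}
"""

# Assumed incident facts for the example (not real dates from the article):
# the malicious package was live in the pipeline from EXPOSURE_START until it
# was pulled at disclosure, and CI agents only ever run from CI_NETWORKS.
EXPOSURE_START = datetime(2026, 3, 1, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2026, 3, 4, tzinfo=timezone.utc)
DISCLOSURE = EXPOSURE_END
CI_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Event:
    action: str
    token_id: str
    actor_ip: str
    repo: str
    created_at: datetime


def parse_events(text: str) -> list[Event]:
    """Parse JSON-lines events; timestamps are ISO 8601 with a Z suffix."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["created_at"].replace("Z", "+00:00"))
        events.append(Event(rec["action"], rec["token_id"], rec["actor_ip"], rec["repo"], ts))
    return events


def exposed_tokens(events: list[Event], start: datetime, end: datetime) -> set[str]:
    """Every token the pipeline used while the malicious package was installed
    is presumed harvested, whether or not exfiltration is confirmed."""
    return {e.token_id for e in events if start <= e.created_at <= end}


def is_ci_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CI_NETWORKS)


def suspicious_clones(events: list[Event], exposed: set[str]) -> list[Event]:
    """Clones with a presumed-stolen token from outside the CI networks:
    the token is still valid and something other than the pipeline holds it."""
    return [e for e in events
            if e.action == "git.clone" and e.token_id in exposed and not is_ci_source(e.actor_ip)]


def unrotated_after_disclosure(events: list[Event], exposed: set[str], disclosure: datetime) -> set[str]:
    """Presumed-stolen tokens that still authenticate after the disclosure date,
    i.e. the rotation gap described in the article."""
    return {e.token_id for e in events if e.token_id in exposed and e.created_at > disclosure}


def audit(log_text: str) -> dict:
    events = parse_events(log_text)
    exposed = exposed_tokens(events, EXPOSURE_START, EXPOSURE_END)
    return {
        "exposed_tokens": sorted(exposed),
        "suspicious_clones": [(e.token_id, e.actor_ip, e.repo) for e in suspicious_clones(events, exposed)],
        "unrotated_tokens": sorted(unrotated_after_disclosure(events, exposed, DISCLOSURE)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG), indent=2))
```

On the constructed data the report names `tok_ci_build` as exposed, shows it cloning two internal repositories from a non-CI address two days after disclosure, and lists it as unrotated; `tok_docs_bot` is not in the window and is not flagged, which is exactly why the checklist still says to rotate everything as a precaution rather than only what the log proves was exposed.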
Recommendations for Grafana Users
Grafana Labs has confirmed that customer data was not affected. However, organizations using Grafana in production should:
- Continue monitoring Grafana security advisories at grafana.com/security
- Watch for any announcement of patches to Grafana products that may emerge from source code review
- Audit their own pipelines for TanStack npm package usage and rotate any exposed credentials
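Auditing a pipeline for TanStack usage starts with the lockfiles, since those record which exact versions a build actually installed. The script below is an added example, not Grafana's or TanStack's own tooling: it inventories every package under the `@tanstack/` npm scope in `package-lock.json` files (both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1). The two lockfiles are constructed, and the affected-version table is deliberately an empty placeholder to be filled from the upstream advisory, because this article does not name the compromised versions.

```python
"""Inventory TanStack packages pinned in npm lockfiles so a team can decide
which pipelines installed a compromised release and which credentials those
pipelines could reach.

Added example; the lockfile contents below are constructed.
"""
from __future__ import annotations

import json
import os
import tempfile
from pathlib import Path

TANSTACK_SCOPE = "@tanstack/"

# PLACEHOLDER: fill from the TanStack advisory, e.g. {"@tanstack/<pkg>": {"x.y.z"}}.
# Left empty on purpose; every TanStack package is still reported for review.
AFFECTED_VERSIONS: dict[str, set[str]] = {}

# Constructed lockfile v3 (flat "packages" map keyed by install path).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "acme-frontend", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@tanstack/react-query": "^5.0.0", "react": "^18.0.0"}},
        "node_modules/@tanstack/react-query": {"version": "5.0.0"},
        "node_modules/@tanstack/query-core": {"version": "5.0.0"},
        "node_modules/react": {"version": "18.2.0"},
    },
})

# Constructed lockfile v1 (nested "dependencies" tree).
SAMPLE_LOCK_V1 = json.dumps({
    "name": "acme-legacy", "lockfileVersion": 1,
    "dependencies": {
        "@tanstack/react-table": {
            "version": "8.0.0",
            "dependencies": {"@tanstack/table-core": {"version": "8.0.0"}},
        },
    },
})


def tanstack_packages(lock: dict) -> dict[str, set[str]]:
    """Return {package name: {installed versions}} for every @tanstack/* entry."""
    found: dict[str, set[str]] = {}

    def record(name: str, meta: dict) -> None:
        if name.startswith(TANSTACK_SCOPE) and "version" in meta:
            found.setdefault(name, set()).add(meta["version"])

    if "packages" in lock:  # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if "node_modules/" in path:
                record(path.rsplit("node_modules/", 1)[-1], meta)
    else:  # lockfileVersion 1: dependencies can nest arbitrarily deep
        def walk(deps: dict) -> None:
            for name, meta in deps.items():
                record(name, meta)
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return found


def classify(found: dict[str, set[str]], affected: dict[str, set[str]] | None = None) -> list[tuple[str, str, str]]:
    """Label each (package, version) 'affected' if it matches the advisory
    table, otherwise 'review' so nothing under the scope is silently skipped."""
    table = AFFECTED_VERSIONS if affected is None else affected
    rows = []
    for name, versions in found.items():
        for version in versions:
            status = "affected" if version in table.get(name, set()) else "review"
            rows.append((name, version, status))
    return sorted(rows)


def scan_tree(root: Path) -> dict[str, dict[str, set[str]]]:
    """Walk a checkout for package-lock.json files, skipping node_modules."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            lock_path = Path(dirpath) / "package-lock.json"
            found = tanstack_packages(json.loads(lock_path.read_text()))
            if found:
                results[str(lock_path)] = found
    return results


if __name__ == "__main__":
    # Demo on a temporary tree containing both constructed lockfiles.
    with tempfile.TemporaryDirectory() as tmp:
        for sub, content in (("frontend", SAMPLE_LOCK_V3), ("legacy", SAMPLE_LOCK_V1)):
            (Path(tmp) / sub).mkdir()
            (Path(tmp) / sub / "package-lock.json").write_text(content)
        for lock_path, found in scan_tree(Path(tmp)).items():
            print(lock_path)
            for name, version, status in classify(found):
                print(f"  {status:9} {name}@{version}")
```

Every repository that reports a TanStack package installed during the compromise window then maps to the set of secrets its pipeline could read, which is the enumeration the rotation checklist above starts from.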
Sources
- SecurityWeek — Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack