GRAFANA Labs disclosed on 19 May 2026 that its investigation into the recent breach found no evidence that customer production systems or operations were compromised, with the incident scope confined to the Grafana Labs GitHub environment, including public and private source code and internal repositories. According to The Hacker News, the breach originated from the TanStack npm supply chain attack orchestrated by TeamPCP, which also affected OpenAI and Mistral AI, and Grafana detected the activity on 11 May 2026.
The company said a significant number of GitHub workflow tokens were rotated after initial analysis, but a missed token allowed attackers to gain access to GitHub repositories, with a later review confirming a previously deemed unimpacted workflow had indeed been compromised. Grafana reportedly received an extortion demand from an unnamed threat actor on 16 May, and chose not to pay, citing no guarantee data would be deleted and the potential for further campaigns.
The Hacker News notes that CoinbaseCartel listed Grafana on its dark web site on 15 May 2026, while Grafana has since boosted token rotation, monitoring, and overall GitHub security measures.