Grafana Labs confirmed a security incident in which a compromised GitHub token gave attackers access to its GitHub environment, after the extortion group Coinbase Cartel listed Grafana on a leak site and claimed data theft on May 15. Grafana said attackers accessed parts of its source code but found no evidence of customer data theft, personal data exposure, or impact on customer systems or operations.
The company revoked and reset the compromised credentials and launched a forensic investigation to determine how the token was exposed, what repositories were accessed, and whether any other systems were affected. Grafana said it will not pay the ransom demanded by attackers to prevent publication of the stolen source code.
Coinbase Cartel has been active since at least September 2025 and has claimed more than 100 victims, with links drawn to the broader ecosystem that includes ShinyHunters, Scattered Spider, and Lapsus$. The incident underscores the importance of strong token security, including short-lived, tightly scoped access tokens and phishing-resistant MFA.