NeuralPress

NeuralPress AI Verified Insights

Primary Sources

hackread.com
Grafana Says It Rejected Ransom Demand After Source Code Theft

Grafana Labs says an attacker gained access to part of its GitHub environment after obtaining a compromised token, allowing the threat actor to download the company’s codebase. The open source analytics and visualization company disclosed the incident in a series of posts on X (formerly Twitter), adding that its investigation has not found evidence of customer data exposure or impact to customer systems.

The good news is that rather than resolving the matter behind closed doors, the company confirmed that the attacker later attempted to extort Grafana Labs by demanding payment in exchange for not releasing the stolen code. According to Grafana, the company moved quickly after identifying the unauthorized access by launching a forensic investigation, invalidating the compromised credentials, and adding new safeguards around the affected environment. Grafana also said investigators believe they have identified how the credentials were exposed in the first place.

Even with source code involved, Grafana stressed that the incident did not reach customer environments. The company said its review found no signs that customer data or personal information had been accessed during the breach, and no evidence that customer operations were affected.

The decision not to pay the attacker was another part of the company’s public statement. Grafana cited long-standing FBI guidance, which warns that ransom payments do not guarantee stolen data will be recovered or kept private. The agency has repeatedly argued that paying extortion demands encourages more attacks by giving cybercriminals a financial incentive.

This decision also stands in contrast to a recent incident involving Canvas LMS parent company Instructure, which reportedly paid the ShinyHunters hacker group an undisclosed ransom amount after attackers breached its LMS portal and posted a page threatening to leak student data.

Nevertheless, source code-related breaches can still create long-term security concerns, even when customer data is untouched. Attackers sometimes study stolen code to look for undisclosed vulnerabilities, authentication logic, or deployment details that could help in future attacks. For now, Grafana says the compromised credentials have been revoked, and additional protections are in place. The company added that it plans to release more details after its post-incident review is complete.

cyberkendra.com
Grafana Labs Refuses Ransom After GitHub CI Flaw Exposed Its Source Code - Cyber Kendra

Grafana Labs publicly confirmed this week that attackers stole a GitHub access token through a misconfigured CI/CD pipeline, downloaded private source code repositories, then attempted to extort the company — and walked away empty-handed.

The breach, announced via a six-tweet thread on X, traces back to a subtle but well-known class of GitHub Actions vulnerability called a "Pwn Request." A recently enabled GitHub Action workflow configured to trigger on pull_request_target events inadvertently granted external contributors — anyone who could open a pull request — access to production secrets during CI runs.

The attacker's method was methodical. By forking a Grafana repository, injecting malicious code via a curl command, and dumping environment variables to a file encrypted with a private key, the threat actor extracted privileged tokens, then deleted their fork to cover their tracks before leveraging the stolen credentials against four additional private repositories.

What stopped the attacker from going completely undetected? Their own curiosity. One of the thousands of canary tokens — invisible tripwires Grafana embeds across its code and infrastructure — was triggered, immediately alerting the global security team. Canary tokens are decoy credentials designed to fire an alert the moment they're used, exposing access that would otherwise go unnoticed.

Grafana's investigation found no evidence of code modifications, unauthorized access to production systems, or exposure of customer data. The company revoked all compromised tokens, disabled the vulnerable workflows, and ran a full credential audit using tools including Trufflehog and Gato-X.

That didn't stop the attacker from trying their luck. After downloading the private codebase, they escalated to extortion — demanding payment in exchange for not releasing the stolen code. Grafana refused. The company cited FBI guidance, noting that paying ransoms offers no data-recovery guarantee and only incentivizes more attacks.

Reports from Hackmanac and Ransomware.live attribute the attack to CoinbaseCartel, a data extortion crew that emerged in September 2025 and is assessed to be an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems. Unlike traditional ransomware groups, CoinbaseCartel focuses exclusively on data theft and extortion, and has already claimed over 170 victims across healthcare, technology, transportation, and manufacturing.

The incident lands as part of a troubling pattern. It foll...
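
A defender-side check for the workflow pattern described above, as an added example that is not from the article or from Grafana: a text heuristic that flags workflows triggered on pull_request_target and reports whether they check out the pull request head or reference secrets. The two sample workflows, the secret name and the finding codes are constructed for illustration.

```python
import re

# Constructed sample workflows for illustration (not Grafana's actual files).
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork-controlled code
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""
SAFER = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)")
PERMISSIONS = re.compile(r"^\s*permissions\s*:", re.M)

def audit_workflow(text):
    """Return finding codes for one workflow file (text heuristic, not a YAML parse)."""
    body = re.sub(r"(^|[ \t])#.*", "", text, flags=re.M)  # drop YAML comments
    if not TRIGGER.search(body):
        return []  # plain pull_request runs fork PRs without repository secrets
    findings = ["PRT_TRIGGER"]
    if HEAD_REF.search(body):
        # Checking out the PR head runs contributor code in the privileged context.
        findings.append("UNTRUSTED_CHECKOUT")
    findings += [f"SECRET:{name}" for name in sorted(set(SECRET.findall(body)))]
    if not PERMISSIONS.search(body):
        findings.append("NO_PERMISSIONS_BLOCK")  # GITHUB_TOKEN scope not pinned
    return findings

if __name__ == "__main__":
    for label, wf in (("risky", RISKY), ("safer", SAFER)):
        print(label, audit_workflow(wf))
```

A workflow that returns both PRT_TRIGGER and UNTRUSTED_CHECKOUT is the one to review first, since any secret it lists is reachable by code from the pull request.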

aviatrix.ai
Grafana GitHub Token Breach Leads to Codebase Theft and Extortion Attempt

In May 2026, Grafana Labs disclosed ... the download of its codebase. The attacker attempted to extort the company by demanding payment to prevent the public release of the stolen code....

hoploninfosec.com
Grafana Labs Security Breach: Hackers Stole the Entire Codebase

A threat actor gained unauthorized access to Grafana Labs' GitHub environment, downloaded their entire private codebase using a stolen privileged token, and then demanded a ransom payment. Grafana refused to pay.
