Grafana Labs
CoinbaseCartel exploited a misconfigured GitHub Actions workflow to steal Grafana's entire private codebase. A single unsafe use of the pull_request_target trigger handed attackers the source code behind a platform that monitors infrastructure at 70% of the Fortune 50.
What happened?
On May 17, 2026, CoinbaseCartel, an offshoot of the ShinyHunters/Scattered Spider/LAPSUS$ groups, compromised Grafana Labs by exploiting a GitHub Actions workflow that used the pull_request_target trigger unsafely. The misconfiguration let the attackers steal a GitHub token with read access to Grafana's entire private codebase, and they had cloned everything before Grafana knew they were there.
The breach was detected through a canary token, a deliberately planted credential that fires an alert the moment someone uses it. Grafana Labs serves over 7,000 organizations globally, including 70% of the Fortune 50, and its observability platform monitors critical infrastructure across the world. The attackers now had the source code showing how it all works. Grafana refused to pay the ransom.
What data was actually inside?
Complete private source code repositories for Grafana's observability platform. Every line of code showing authentication flows, database schemas, API endpoints, security controls, and infrastructure architecture. Development secrets hardcoded in configuration files. API keys and authentication tokens for internal services. Internal documentation explaining system design decisions and known limitations.
Source code is the blueprint. It reveals exactly how authentication works and where the weak points are. It shows which data validation checks exist and which don't. It exposes every API endpoint, including internal ones never meant for external access. Comments in the code explain why certain security decisions were made, and what the developers were worried about. Infrastructure configurations describe the production architecture, which makes targeted attacks far easier to plan. One caveat: the open-source Grafana core was already public, so the real loss here is the private repositories and whatever secrets, configuration and internal documentation lived in them.
For a platform that monitors infrastructure at 70% of Fortune 50 companies, this isn't just intellectual property theft. It's a roadmap for compromising the monitoring systems that are supposed to detect breaches at the world's largest organizations.
Who gets hurt and how?
Every organization running Grafana. With the private source code, attackers can hunt for zero-day vulnerabilities in Grafana's platform and exploit them before patches exist. Organizations using Grafana to monitor their infrastructure now have to assume their deployments are exposed to targeted attacks informed by the stolen code until fixes ship.
The Fortune 50 companies relying on Grafana for observability face a worse problem: their monitoring infrastructure—the system meant to detect security incidents—may now be weaponized against them. Attackers with Grafana's source code can potentially identify ways to evade detection, manipulate metrics, or gain access to monitoring data showing the internal state of critical systems.
Grafana Labs itself faces existential risk. Their competitive advantage was their technology. Now competitors and attackers have the complete implementation. Customer trust in their security is damaged. Enterprise customers will demand answers about whether their Grafana deployments are vulnerable to attacks informed by the stolen code.
What did they think they were doing right?
Grafana Labs is a sophisticated technology company serving the world's largest enterprises. They use GitHub Actions for continuous integration and deployment—standard practice for modern software development. They had canary tokens deployed as security monitoring, which is exactly what detected the breach. They maintain private repositories with access controls. They're security-conscious enough to refuse paying ransoms.
The pull_request_target trigger in GitHub Actions exists so that a workflow can act on pull requests from forks with the base repository's permissions, for example to add labels or post review comments, which a plain pull_request workflow cannot do because a fork's GITHUB_TOKEN is read-only and it receives no secrets. It is a necessary feature for open source projects, and it is tempting to use it for running tests on community contributions too. GitHub's own documentation warns against that, but the safe pattern is easy to get wrong while trying to balance security with developer productivity.
The dangerous property is this: pull_request_target runs the workflow definition from the base branch with the base repository's secrets and a GITHUB_TOKEN that can carry write permissions, even when the pull request comes from an untrusted fork. That is safe only as long as the workflow never executes anything the pull request controls. The moment a workflow checks out the PR head and runs a build, test suite or package install, the contributor's code runs with those credentials: a modified package.json script or Makefile can read secrets passed as environment variables, read the token that actions/checkout persists in .git/config, and send them out. Grafana's security monitoring caught the breach. But it was already too late.
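The two workflows below are an added illustration, not Grafana's actual CI configuration: the job, secret name and npm commands are made up. The first shows the unsafe pattern just described; the second shows the equivalent job done safely.

```yaml
# UNSAFE (constructed example): pull_request_target gives this job the base
# repository's secrets and token, then checks out and executes the fork's code.
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled tree
          # persist-credentials defaults to true: GITHUB_TOKEN is written to .git/config
      - run: npm ci && npm test          # runs package.json scripts the PR author wrote
        env:
          ORG_READ_TOKEN: ${{ secrets.ORG_READ_TOKEN }}   # readable by that script
---
# SAFE (constructed example): untrusted code only runs under pull_request, where a
# fork PR gets a read-only GITHUB_TOKEN and no repository secrets. If a privileged
# step (labels, comments) is really needed, put it in a separate pull_request_target
# workflow that reads PR metadata only and never checks out or executes PR content.
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci && npm test
```

The fix is structural, not a tweak: keep the trigger that carries credentials and the step that runs contributor code in different workflows, set permissions: explicitly on both, and keep organization-wide tokens out of anything a fork can trigger.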
What did they not know about their own data?
Grafana didn't know that their GitHub Actions workflows could reach credentials powerful enough to download their entire private codebase. They didn't know that a token reachable from a pull_request_target workflow had read access to every private repository. (The built-in GITHUB_TOKEN is scoped to the single repository a workflow runs in; an organization-wide read token is a personal access token or GitHub App token stored as a secret, which is exactly the kind of credential that must never be reachable from a workflow that executes untrusted code.) They didn't know which workflows could be triggered by external contributors and which credentials those workflows could access.
GitHub tokens exist throughout development infrastructure: Actions workflows, deployment pipelines, integration systems, developer machines. Each token has different scopes and permissions. Some can read code. Some can push changes. Some can modify repository settings. Some can access organizational secrets. Grafana didn't have a complete map of which tokens existed, where they were used, and what damage they could cause if stolen.
The pull_request_target misconfiguration was discoverable. Security scanners can identify dangerous GitHub Actions patterns. But you have to know to look. You have to treat CI/CD credentials as critical infrastructure. You have to understand that development automation tokens are often more powerful than production API keys because they control the code that generates everything else.
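The kind of check a scanner performs, as an added example that is not Grafana's or GitHub's code: it reads workflow files as text (no YAML library needed) and flags the combination that matters, the privileged trigger, a checkout of the PR head, a step that executes that checkout, and the credentials reachable while it runs. The three sample workflows are constructed for the demo; the rule names and the ORG_READ_TOKEN secret are made up.

```python
"""Heuristic scanner for the pull_request_target "pwn request" pattern (added example,
not Grafana's or GitHub's code). Text-based on purpose: no YAML library required."""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "rule line detail")

PRT_TRIGGER = re.compile(r"\bpull_request_target\b")
CHECKOUT = re.compile(r"uses:\s*['\"]?actions/checkout@")
STEP_START = re.compile(r"^\s*-\s")            # a new YAML list item starts the next step
UNTRUSTED_REF = re.compile(r"ref:.*(?:github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref)")
PERSIST_OFF = re.compile(r"persist-credentials:\s*false")
RUN_STEP = re.compile(r"^\s*-?\s*run:")
SECRET_REF = re.compile(r"secrets\.[A-Za-z0-9_]+")
PERMISSIONS = re.compile(r"^\s*permissions:", re.M)


def scan_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file; empty unless it uses pull_request_target."""
    lines = [raw.split("#", 1)[0] for raw in text.splitlines()]   # drop trailing comments
    if not any(PRT_TRIGGER.search(line) for line in lines):
        return []
    findings: list[Finding] = []
    untrusted_on_disk = False          # set once the PR author's files are checked out
    i = 0
    while i < len(lines):
        if CHECKOUT.search(lines[i]):
            j = i + 1                  # this step's 'with:' block runs until the next step
            while j < len(lines) and not STEP_START.match(lines[j]):
                j += 1
            body = "\n".join(lines[i:j])
            if UNTRUSTED_REF.search(body):
                untrusted_on_disk = True
                findings.append(Finding("untrusted_checkout", i + 1, "checks out the PR head"))
                if not PERSIST_OFF.search(body):
                    findings.append(Finding("token_persisted_in_git_config", i + 1,
                                            "persist-credentials not false: GITHUB_TOKEN lands in .git/config"))
            i = j
            continue
        if untrusted_on_disk and RUN_STEP.match(lines[i]):
            findings.append(Finding("untrusted_code_execution", i + 1, "run step executes PR-controlled files"))
        i += 1
    for n, line in enumerate(lines, 1):
        m = SECRET_REF.search(line)
        if m:
            findings.append(Finding("secret_reachable", n, m.group(0)))
    if not PERMISSIONS.search("\n".join(lines)):
        findings.append(Finding("default_token_permissions", 1, "no permissions: block, token gets repo default"))
    return findings


# Constructed samples (not real Grafana workflows) so the script demonstrates itself offline.
VULNERABLE_WORKFLOW = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          ORG_READ_TOKEN: ${{ secrets.ORG_READ_TOKEN }}
"""
HARDENED_WORKFLOW = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci && npm test
"""
# pull_request_target used safely: metadata only, no checkout, least-privilege token.
LABELER_WORKFLOW = """\
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    # Usage: python scan.py .github/workflows/*.yml   (no args: scan the built-in sample)
    targets = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {"<sample>": VULNERABLE_WORKFLOW}
    for path, text in targets.items():
        for f in scan_workflow(text):
            print(f"{path}:{f.line}: {f.rule}: {f.detail}")
```

The scanner is deliberately strict about the combination rather than the trigger alone: the labeler sample uses pull_request_target legitimately and produces no findings, while the vulnerable sample trips every rule. Treat it as a triage aid; a real audit still has to confirm which secrets each flagged workflow can reach and what those secrets can read.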
If you use GitHub, do you know which tokens exist, what they can reach, and which workflows an outside contributor can trigger? Or would you find out the same way they did?
What does attribution look like the morning after?
CoinbaseCartel adds a high-profile target to their portfolio, demonstrating their evolution from the ShinyHunters/LAPSUS$ tactics of social engineering to sophisticated supply chain attacks on development infrastructure. Grafana faces notifications to 7,000+ enterprise customers that their observability platform's source code is compromised. The Fortune 50 companies using Grafana must now assess whether their monitoring infrastructure could be exploited using knowledge from the stolen code.
Every GitHub Action workflow at Grafana must be audited for similar vulnerabilities. Every credential that existed in any repository must be rotated. Every private repository must be analyzed for what was exposed: not just code, but commit history, comments, documentation, and secrets accidentally committed and later removed. The canary token prevented worse escalation, but the codebase was already gone.
For the broader technology industry, this breach demonstrates that GitHub Actions misconfigurations are now actively exploited by sophisticated threat actors. Every organization using pull_request_target must audit their workflows. Every development team must treat CI/CD credentials as crown jewels. The age of assuming development infrastructure is trusted has ended.
What would have changed the outcome?
Knowing which GitHub tokens existed, where they were used, and what repositories they could access before attackers discovered the pull_request_target misconfiguration.
If Grafana had inventoried their GitHub infrastructure, every token, every Actions workflow, every credential scope, they would have found the token with organization-wide read access. They could have identified which workflows used pull_request_target and verified that none of them checked out or executed code from the pull request while secrets were in reach. They could have limited the blast radius with least-privilege credentials: a permissions: block on every workflow, the organization setting that makes GITHUB_TOKEN read-only by default, fine-grained tokens scoped to the repositories a job actually needs, and secrets bound to protected environments instead of exposed to every run.
The canary token worked: it detected the breach. But detection after exfiltration tells you what happened; it does not stop it. Organizations that monitor their development infrastructure credentials the same way they monitor production API keys discover misconfigurations during security reviews instead of from ransom demands. Grafana's source code showed how their platform works. They needed that same visibility into their own development infrastructure.
Grafana found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.