Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

Grafana GitHub Breach Exposes Source Code via TanStack npm Attack Ravie LakshmananMay 20, 2026Supply Chain Attack / Cloud Security Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised. It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along with internal GitHub repositories. "After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business," it said. "This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform." The open-source visualization software maker also noted that the breach originated from the TanStack npm supply chain attack orchestrated by TeamPCP, which also hit OpenAI and Mistral AI, and that it detected the activity on May 11, 2026. "We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories," it said. "A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised." The company said it subsequently received an extortion demand from an unnamed threat actor on May 16, but opted against paying the ransom as there is no guarantee that the stolen data would actually be deleted, and could act as a catalyst for future campaigns. Since then, Grafana has taken steps to rotate automation tokens, implement enhanced monitoring, audit all commits for signs of malicious activity, and bolster its overall GitHub security posture. It's worth mentioning here that a data extortion crew named CoinbaseCartel listed Grafana Labs on its dark web site on May 15, 2026. The Hacker News has contacted Grafana for comment, and we will update the story if we hear back. The development comes as GitHub said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Cloud security, cybersecurity, data breach, GitHub, Grafana, NPM, Source Code, Supply Chain Attack ⚡ Top Stories This Week On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Load More ▼ ⭐ Featured Resources [Webinar] Learn How to Handle Critical SOC Alerts With AI Support [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk Identify Internal Attack Surfaces More Efficiently With a Free Assessment [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage