GitHub Token Exposure at Grafana Triggered Codebase Theft Incident


Following the acquisition of a privileged GitHub token tied to Grafana Labs’ development environment, a threat actor quickly escalated the initial credential exposure into a significant source code security incident. Using the token, the attacker was able to gain access to the company’s private GitHub infrastructure, extract internal code repositories, and then attempt to extort payment from the organization over that unauthorized access.
In addition to quickly revoking the credentials, Grafana Labs launched an internal forensic investigation to determine the origin of the exposure and limit further risk. Although the breach resulted in access to sensitive development assets, the company announced that investigators found no evidence of data compromise, disruption of operations, or unauthorized access to user environments as a result of the breach.
Because of Grafana’s widespread role in modern observability environments, where it monitors infrastructure, cloud workloads, applications, and telemetry systems through centralized dashboards and analytics, the incident has attracted significant attention across the cybersecurity community.
In the course of the investigation, Grafana Labs disclosed that after detecting unauthorized activity, its security team initiated an immediate forensic response, eventually tracing the source of the credential exposure and revoking the compromised access token in order to prevent further intrusion. Further defensive controls were also implemented across the company’s development environment as part of its efforts to contain the incident and harden the environment.
Afterwards, the threat actor attempted to extort the organization by requesting payment in exchange for delaying publication of the stolen data, according to the disclosure. Grafana, however, chose not to engage in ransom negotiations, aligning its response with Federal Bureau of Investigation guidance, which has consistently emphasized that paying extortion demands neither ensures data recovery nor prevents future misuse of stolen information.
A number of federal authorities have warned against ransom payments, stating that they rarely ensure suppression of stolen data and often contribute to additional criminal activity targeting technology providers and enterprise platforms. 
The exact timeline of the attack and the length of time the attacker had access to Grafana Labs’ GitHub environment have not been disclosed; the company has said only that the incident was recently discovered.
It is also noteworthy that the company did not explicitly attribute the intrusion to a specific threat actor. 
However, various cyber threat intelligence reports, including Halcyon and Fortinet FortiGuard Labs assessments, have linked claims surrounding the incident with CoinbaseCartel, a collective of data extortionists.
It has been noted that the group is an emerging extortion-focused operation that surfaced in late 2025 and has operational overlap with criminal ecosystems such as ShinyHunters, Scattered Spider, and LAPSUS$, based on public statements released by Grafana.
According to the company’s public statements, investigators believe that the intrusion occurred due to the compromise of privileged authentication tokens used in Grafana’s development process.
As a result, these tokens are frequently used to

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents