Grafana Labs Hit by Codebase Theft and Extortion via Stolen GitHub Token
Grafana Labs, the company behind the widely-used open-source observability platform, has disclosed a serious security breach. An unauthorized party obtained a GitHub access token that allowed them to access Grafana's GitHub environment and download its entire codebase. The company confirmed that no customer data or personal information was accessed during the incident.
Upon discovering the breach, Grafana launched a forensic investigation, identified the source of the token leak, invalidated the compromised credentials, and implemented additional security measures. The attacker subsequently attempted to extort Grafana, demanding payment to prevent the stolen code from being published.
Grafana refused to pay, citing FBI guidance that warns against negotiating with extortionists. The breach has been attributed by security researchers to CoinbaseCartel, a data extortion group that emerged in September 2025 and is assessed as an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems. The group has amassed approximately 170 victims across healthcare, technology, transportation, manufacturing, and business services, focusing exclusively on data theft and extortion rather than traditional ransomware deployment.
The incident highlights the growing risk of supply chain attacks targeting developer infrastructure, particularly through compromised credentials and access tokens in source code repositories.
The Grafana breach is a textbook supply chain attack via leaked developer credentials. With CoinbaseCartel linked to the ShinyHunters/LAPSUS$ ecosystem, this signals that source code extortion is becoming a primary attack vector — every company with GitHub-connected infrastructure should audit their token hygiene.
Was any customer data accessed in the Grafana breach?
No. Grafana confirmed that no customer data or personal information was accessed, and there is no evidence of impact to customer systems or operations.
What is CoinbaseCartel?
A data extortion group that emerged in September 2025, assessed as an offshoot of ShinyHunters, Scattered Spider, and LAPSUS$. They focus on data theft and extortion rather than ransomware, with approximately 170 known victims.