[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fr_3zmz8TTRscqKB4C1dgduV50d6vQNb1JFFe0CMvbt4":3},{"article":4,"iocs":60},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"7892c27a-4bdc-4bde-85e0-ace77d862191","Grafana GitHub Breach Exposes Source Code via TanStack npm Attack","grafana-github-breach-exposes-source-code-via-tanstack-npm-attack-07670e","Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised. It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along with internal GitHub repositories. \"After the initial assessment, we found that in addition to source","Grafana Labs disclosed a breach on May 19, 2026, limited to its GitHub environment after the TanStack npm supply chain attack orchestrated by TeamPCP compromised GitHub workflow tokens. The incident exposed source code, internal repositories, and business contact information, but no production systems or customer data were affected. The company rotated tokens, enhanced monitoring, and rejected an extortion demand rather than risk future attacks.","Grafana Labs GitHub breach via TanStack npm attack exposes source code and internal data.","Grafana GitHub Breach Exposes Source Code via TanStack npm Attack Ravie LakshmananMay 20, 2026Supply Chain Attack \u002F Cloud Security Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised. It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along with internal GitHub repositories. \"After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business,\" it said. \"This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform.\" The open-source visualization software maker also noted that the breach originated from the TanStack npm supply chain attack orchestrated by TeamPCP, which also hit OpenAI and Mistral AI, and that it detected the activity on May 11, 2026. \"We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories,\" it said. \"A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.\" The company said it subsequently received an extortion demand from an unnamed threat actor on May 16, but opted against paying the ransom as there is no guarantee that the stolen data would actually be deleted, and could act as a catalyst for future campaigns. Since then, Grafana has taken steps to rotate automation tokens, implement enhanced monitoring, audit all commits for signs of malicious activity, and bolster its overall GitHub security posture. It's worth mentioning here that a data extortion crew named CoinbaseCartel listed Grafana Labs on its dark web site on May 15, 2026. The Hacker News has contacted Grafana for comment, and we will update the story if we hear back. The development comes as GitHub said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cloud security, cybersecurity, data breach, GitHub, Grafana, NPM, Source Code, Supply Chain Attack ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI\u002FCD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fgrafana-github-breach-exposes-source.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEi1N3gjAFZQ-1hptUuKwQmHMjlZwIMDn6H6mKc9UuDELAKWl_3Kow6EcD72IkWpBf8ZB2Db8wrZW86zVxKaEgQZ7_sVrWoDokD1LoLPUqhhCw2lLDl9ODqq2ZkfBrK6SUTrbROBuFNXN16HPtMWtS9EMIFsO3yQsISWCK0JrlwiUWineb9sxIq-un41smHG\u002Fs1600\u002Fgrafana-breach.jpg","2026-05-20T05:12:06+00:00","2026-05-20T06:00:24.336437+00:00",9,[18,21,24,27,30,32],{"name":19,"type":20},"Grafana Labs","vendor",{"name":22,"type":23},"Grafana","product",{"name":25,"type":26},"npm","technology",{"name":28,"type":29},"TeamPCP","threat_actor",{"name":31,"type":20},"TanStack",{"name":33,"type":29},"CoinbaseCartel","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":34,"icon":36,"name":37,"slug":38},null,"Supply Chain","supply-chain",[40,45,50,55],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",{"category":56},{"id":57,"icon":36,"name":58,"slug":59},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]