Bottom line: The TanStack npm supply-chain attack gave the TeamPCP group a foothold in Grafana Labs' GitHub workflows; a subsequent extortion attempt by CoinbaseCartel failed.
On May 19, 2026, Grafana Labs published the findings of its investigation into the breach of its GitHub infrastructure: customer systems were not compromised, but extensive source code and internal repositories were stolen.
Grafana Labs clarified the scope of the incident on May 19, 2026: the damage is limited to the company's GitHub environment. In addition to public and private source code, the attackers downloaded internal GitHub repositories that various teams use for collaboration and for storing operational information. These contained business contacts, names and email addresses in a professional context, but no data from production systems or the Grafana Cloud platform.
The attack originated from the TanStack npm supply-chain campaign, orchestrated by the attacker group TeamPCP, which also targeted OpenAI and Mistral AI. Grafana detected the activity on May 11, 2026 and then rotated numerous GitHub workflow tokens. One token was overlooked, and it was through that token that the attackers gained access to the repositories. A later check showed that the workflow holding it, initially assessed as uncompromised, had in fact been affected.
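The failure described above is an incomplete rotation: a bulk token reset that skips one scope. The following is an added example (not Grafana's or GitHub's own tooling) of how an incident responder can verify that every GitHub Actions secret in an organization was touched after the rotation cutoff. Secret values cannot be read back from GitHub, but each listing carries an `updated_at` timestamp, so a secret whose `updated_at` predates the cutoff is a rotation that was missed. The organization name, repository names, secret names and timestamps below are constructed sample data standing in for the documented responses of `GET /orgs/{org}/actions/secrets`, `GET /repos/{owner}/{repo}/actions/secrets` and `GET /repos/{owner}/{repo}/environments/{env}/secrets`; the real incident's identifiers are not on the page.

```python
"""Audit GitHub Actions secret rotation after an incident.

Added example, not the tooling of any company named in the article. Walks the
three scopes where an Actions secret can live (organization, repository,
environment) and flags any secret not updated after the rotation cutoff.
Auditing only one scope is exactly how a single token gets overlooked.
"""
from datetime import datetime, timezone

ORG_SECRETS = "/orgs/{org}/actions/secrets"
REPO_SECRETS = "/repos/{owner}/{repo}/actions/secrets"
ENV_SECRETS = "/repos/{owner}/{repo}/environments/{env}/secrets"

# Assumed cutoff: the moment the rotation campaign started (constructed).
ROTATION_CUTOFF = datetime(2026, 5, 12, tzinfo=timezone.utc)

# Constructed sample: organization, repositories and their environments.
SAMPLE_REPOS = {"grafana-like-app": ["production"], "internal-tools": []}

# Constructed sample responses in the shape GitHub returns (values invented).
SAMPLE_RESPONSES = {
    "/orgs/example-org/actions/secrets": {"total_count": 2, "secrets": [
        {"name": "NPM_PUBLISH_TOKEN", "created_at": "2025-01-02T00:00:00Z",
         "updated_at": "2026-05-12T09:30:00Z"},
        {"name": "DOCKERHUB_PAT", "created_at": "2025-01-02T00:00:00Z",
         "updated_at": "2026-05-12T09:31:00Z"}]},
    "/repos/example-org/grafana-like-app/actions/secrets": {"total_count": 1, "secrets": [
        {"name": "CODECOV_TOKEN", "created_at": "2025-06-01T00:00:00Z",
         "updated_at": "2026-05-12T10:00:00Z"}]},
    # Environment-scoped secret that the bulk rotation skipped.
    "/repos/example-org/grafana-like-app/environments/production/secrets": {"total_count": 1, "secrets": [
        {"name": "DEPLOY_KEY", "created_at": "2025-06-01T00:00:00Z",
         "updated_at": "2026-03-01T00:00:00Z"}]},
    # Repository secret touched just before the cutoff: still counts as stale.
    "/repos/example-org/internal-tools/actions/secrets": {"total_count": 1, "secrets": [
        {"name": "CI_BOT_PAT", "created_at": "2025-09-15T00:00:00Z",
         "updated_at": "2026-05-11T18:00:00Z"}]},
}


def sample_fetch(path):
    """Offline stand-in for an authenticated GET against api.github.com."""
    return SAMPLE_RESPONSES[path]


def github_fetch(token):
    """Return a fetch_json for the live API (not used by the sample run).

    Pagination is omitted; for large organizations append ?per_page=100&page=N.
    """
    import json
    import urllib.request

    def fetch(path):
        req = urllib.request.Request("https://api.github.com" + path, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def parse_ts(ts):
    # GitHub timestamps are RFC 3339 with a trailing Z (UTC).
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_inventory(fetch_json, org, repos):
    """Collect (scope, name, updated_at) for every secret in all three scopes."""
    found = []
    for s in fetch_json(ORG_SECRETS.format(org=org))["secrets"]:
        found.append((f"org:{org}", s["name"], parse_ts(s["updated_at"])))
    for repo, envs in repos.items():
        for s in fetch_json(REPO_SECRETS.format(owner=org, repo=repo))["secrets"]:
            found.append((f"repo:{org}/{repo}", s["name"], parse_ts(s["updated_at"])))
        for env in envs:
            path = ENV_SECRETS.format(owner=org, repo=repo, env=env)
            for s in fetch_json(path)["secrets"]:
                found.append((f"env:{org}/{repo}/{env}", s["name"], parse_ts(s["updated_at"])))
    return found


def stale_secrets(inventory, rotated_after):
    """Secrets whose last update predates the cutoff: candidates for a missed rotation."""
    return sorted((scope, name) for scope, name, ts in inventory if ts < rotated_after)


def audit_sample():
    """Run the audit over the constructed sample."""
    inventory = build_inventory(sample_fetch, "example-org", SAMPLE_REPOS)
    return stale_secrets(inventory, ROTATION_CUTOFF)


if __name__ == "__main__":
    for scope, name in audit_sample():
        print(f"NOT ROTATED since cutoff: {scope} {name}")
```

On the sample the audit reports two misses: the environment-scoped `DEPLOY_KEY` (a scope the rotation never visited) and `CI_BOT_PAT`, which was touched hours before the cutoff and so cannot be assumed clean. Repository and environment lists must come from separate API calls; the dictionary form here keeps the example offline. The `github_fetch` helper is a plain `urllib` GET and is an assumption about how one would wire this to the live API, not part of any vendor tooling.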
On May 16, Grafana received an extortion demand from threat actors it did not name. The company refused to pay: there is no guarantee that stolen data is actually deleted, and paying a ransom could encourage further campaigns. The dark web group CoinbaseCartel had already listed Grafana Labs on its leak site on May 15.
As countermeasures, Grafana rotated its automation tokens, expanded monitoring, audited all commits for malware indicators, and hardened its GitHub configuration more generally. In parallel, GitHub itself is investigating unauthorized access to internal repositories after TeamPCP listed platform source code on cybercrime forums.
Source: ainews-dev.lumi-systems.io · Published May 20, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.5.2.