RSS

Grafana says stolen GitHub token allowed attackers to download its codebase

p_stuart821 pts0 comments

Grafana says stolen GitHub token let hackers steal codebase

Home<br>News<br>Security<br>Grafana says stolen GitHub token let hackers steal codebase

Grafana says stolen GitHub token let hackers steal codebase

By Bill Toulas

May 18, 2026

09:46 AM

Grafana Labs disclosed that hackers have downloaded its source code after breaching its GitHub environment using a stolen access token.

A relatively new extortion gang known as CoinbaseCartel has claimed the attack by adding Grafana to their data leak site (DLS), although no data has been leaked yet.

Grafana Labs is the company behind Grafana, the popular open-source platform for analytics, monitoring, and real-time data visualization.

Paying customers are primarily large enterprises, cloud providers, telecos, banks, governments, e-commerce platforms, and infrastructure operators. According to Grafana, more than 7,000 organizations use the product, including 70% of the Fortune 50 companies.

No payment for hackers

In an announcement over the weekend, Grafana Labs said that its investigation found no evidence that customer data or personal information was exposed during the incident. Furthermore, the company notes that customer systems remained unaffected.

The forensic analysis revealed the source of the leaked credentials. The company "invalidated the compromised credentials and implemented additional security measures" to prevent future unauthorized access.

The attacker attempted to extort the company, demanding payment in exchange for not publishing the stolen source code. However, Grafana said it chose to follow public guidance from the Federal Bureau of Investigation (FBI) and not pay the ransom, noting that doing so would only encourage other threat actors to pursue similar attacks.

&ldquo;Based on our operational experience and the published stance of the FBI, which notes that paying a ransom doesn&rsquo;t guarantee you or your organization will get any data back and only offers an incentive for others to get involved in this type of illegal activity, we&rsquo;ve determined the appropriate path forward is not to pay the ransom,&rdquo; Grafana stated.

The company said it would release more details about the attack after completing its post-incident investigation.

BleepingComputer has contacted Grafana with a request for additional details about the breach, but we have not received a response by publishing time.

CoinbaseCartel escalates activity

The CoinbaseCartel launched last September and has been quite active this year, announcing more than 100 victims on its data leak portal. The gang focuses on data theft and uses the DLS to pressure victims into paying a ransom.

CoinbaseCartel listing Grafana on its extortion portal<br>Source: BleepingComputer

The gang announced on its site that they "are behind on many leaks," indicating increased breaches that may have yet to reach the public space.

According to multiple researchers, CoinbaseCartel consists of ShinyHunters and Lapsus$ affiliates that gain access to target networks via social engineering, various forms of phishing, and compromised credentials.

Threat intelligence specialist Joe Shenouda claims that the gang also deploys an in-memory tool called &ldquo;shinysp1d3r&rdquo; to encrypt VMware ESXi targets and disable snapshots.

Last year, BleepingComputer analyzed a ShinySp1d3r Windows encryptor developed by the ShinyHunters extortion group. At the time, the threat actor said that they were working on finishing encryptor versions for Linux and ESXi.

After publishing this article, the ShinyHunters extortion gang told BleepingComputer that the CoinbaseCartel is not linked to their group or ransomware operation.

The Validation Gap: Automated Pentesting Answers One Question. You Need Six.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.<br>This guide covers the 6 surfaces you actually need to validate.

Download Now

Related Articles:

Video service Vimeo confirms Anodot breach exposed user data<br>Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data<br>US govt seeks Instructure testimony on massive Canvas cyberattack<br>Instructure reaches 'agreement' with ShinyHunters to stop data leak<br>NVIDIA confirms GeForce NOW data breach affecting Armenian users

CoinbaseCartel

Data Breach

Data Theft

Extortion

GitHub

Grafana

Ransom

Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Previous Article

Next Article

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

Microsoft Exchange, Windows 11 hacked on second day of...

grafana data stolen github coinbasecartel hackers

Related Articles

Elevated error rates on requests to multiple models

recroad9 ptsclaude incident islands rates elevated error

Donald Trump and sons to be 'forever' exempt from tax audits

doener9 ptsdigital access newsletters premium financial times

PopuLoRA: Co-Evolving LLM Populations for Reasoning Self- Play

AMavorParker8 ptstasks model training self populora play

Old Reddit Is Down

Crunsher7 ptsdata autoplay videoplayerelement comments function false

The ultimate female fantasy – A feminist critique of Beauty and the Beast

muge6 ptsbeast story paglia beauty older butler
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.