How the Breach Occurred
Grafana Labs disclosed on May 16, 2026, that an unauthorized party had gained access to its GitHub environment and downloaded the company’s private codebase. The intrusion was detected after a canary token deployed across thousands of endpoints triggered an alert to the security team.
The root cause was a misconfigured GitHub Action. A workflow triggered on pull_request_target events, which run with access to the base repository’s secrets, executed code from external pull requests; this pattern, known as a “Pwn Request” flaw, allowed external contributors to access production secrets during continuous integration runs. The attacker forked a Grafana repository, injected malicious code via a curl command, and dumped environment variables into an encrypted file, extracting privileged tokens. The attacker then deleted the fork to cover their tracks and used the compromised credentials to repeat the attack against four additional private repositories.
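To make the misconfiguration concrete, the following is an added example (not code from the article or from Grafana Labs) that audits a workflow file for the Pwn Request pattern: a pull_request_target trigger combined with a checkout of the untrusted pull-request head and secrets exposed to the job. The two workflow texts are constructed for illustration and are not Grafana’s real workflows.

```python
import re

# Constructed sample: the risky shape. pull_request_target runs in the
# base repo's context with its secrets, yet the job checks out and runs
# code from the fork's head commit.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed sample: the hardened shape. A plain pull_request trigger
# runs fork code without base-repo secrets, so nothing is exposed.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_RE = re.compile(r"secrets\.\w+")


def audit_workflow(text: str) -> list[str]:
    """Return findings describing why a workflow text is exposed to a
    Pwn Request. Empty list means the risky pattern was not seen.
    Heuristic text matching, not a full YAML parse (assumption)."""
    findings = []
    if not TRIGGER_RE.search(text):
        return findings
    findings.append("pull_request_target trigger: job runs with base-repo secrets")
    if HEAD_REF_RE.search(text):
        findings.append("checks out the untrusted PR head under that trigger")
    if SECRET_RE.search(text):
        findings.append("secrets are passed into the job environment")
    return findings
```

Running the audit over every file under .github/workflows/ in a repository would flag the combination the article describes before a fork can reach it.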
Impact and Response
After downloading the codebase, the attacker attempted extortion, demanding payment in exchange for not releasing the stolen code. Grafana Labs refused, citing FBI guidance that paying ransoms offers no guarantee of data recovery and incentivizes further illegal activity.
The company’s investigation found no evidence that customer data or personal information was accessed, and there was no indication of impact to customer systems or operations. Grafana Labs has since worked to revoke the compromised tokens, review the affected workflows, and implement additional safeguards to prevent similar attacks.
Source: Cyber Security News
