
Grafana Confirms GitHub Codebase Theft Following Credential Compromise and Extortion Attempt

Grafana Labs has confirmed that an unauthorized party obtained credentials granting access to the company’s GitHub environment, reportedly allowing the attacker to download portions of the company’s internal codebase.

The disclosure was made in a public statement posted by Grafana on X, where the company said it recently discovered unauthorized access tied to a compromised token connected to its GitHub infrastructure.

According to Grafana, the incident did not impact customer systems or expose customer or personal data.

The company stated that it immediately launched a forensic investigation after discovering the activity and believes it has identified the source of the credential leak. Grafana said the compromised credentials have since been invalidated and additional security controls were implemented to prevent further unauthorized access.

The company also revealed that the attacker attempted to extort Grafana after allegedly downloading the codebase.

Grafana says it refused ransom demand

In its public statement, Grafana said the attacker attempted to blackmail the company and demanded payment in exchange for withholding the stolen data from public release.

The company stated that it chose not to pay the ransom, citing longstanding FBI guidance discouraging organizations from negotiating with extortion actors.

“Paying a ransom doesn’t guarantee you or your organization will get any data back,” Grafana quoted from FBI guidance in its statement.

The company did not disclose how long the attacker may have had access to its GitHub environment, whether private repositories were affected, or exactly which portions of the codebase were allegedly downloaded.

Grafana develops widely used observability and monitoring platforms including Grafana Cloud and self-hosted enterprise tooling used across cloud infrastructure, DevOps environments, and enterprise monitoring deployments.

CoinbaseCartel reportedly linked to incident

Grafana did not publicly attribute the incident to any specific threat actor.

However, according to reporting from The Hacker News citing threat intelligence sources and cybercrime monitoring platforms, the incident has allegedly been claimed by a group known as CoinbaseCartel.

Researchers have previously described CoinbaseCartel as a data extortion operation linked to broader cybercriminal ecosystems associated with groups like ShinyHunters, Scattered Spider, and LAPSUS$.

The group reportedly focuses primarily on credential theft, source code theft, and extortion rather than traditional ransomware encryption attacks.

BreachNews previously covered related activity involving extortion-focused operations tied to the broader ShinyHunters ecosystem in our reporting on the Instructure Canvas breach and Vercel’s confirmed internal systems breach.

Developer infrastructure remains a growing target

The incident highlights continuing risks surrounding developer infrastructure, GitHub environments, CI/CD systems, and credential security as attackers increasingly target source code repositories and software development pipelines.

Even when customer environments are not directly impacted, unauthorized access to internal repositories can potentially expose proprietary code, infrastructure configurations, secrets, deployment logic, or internal tooling.

The disclosure also arrives during a broader surge in software supply-chain and developer-focused attacks, including the recent Mini Shai-Hulud campaign that targeted GitHub Actions environments, npm ecosystems, and trusted publishing workflows.

At the time of publication, Grafana had not disclosed whether any stolen code or repositories had been publicly released.

The company said it plans to share additional findings after its post-incident review is completed.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
