On May 11, 2026, Grafana Labs disclosed that its GitHub repositories were accessed by threat actors exploiting a compromised GitHub workflow token that was not rotated following the TanStack supply chain attack. This token allowed attackers to access both public and private source code repositories and internal business-related information. The incident was limited to repository access; no production systems or the Grafana Cloud platform were affected. The stolen codebase was downloaded but not modified. Grafana responded by rotating tokens, hardening its GitHub security posture, refusing ransom demands, and involving law enforcement. The attack stemmed from the broader Mini Shai-Hulud supply chain attack impacting multiple NPM and PyPI projects.

The attackers gained unauthorized access to Grafana's GitHub repositories, resulting in theft of source code and internal operational data including business contact information. Production systems and the Grafana Cloud platform were not impacted, and the codebase was not altered. There is no indication of exploitation beyond repository data theft. No customer environments were affected, and no operational disruption occurred.

Grafana has rotated GitHub workflow tokens and hardened its GitHub security posture following the incident. Since the compromised token was not initially revoked, organizations should ensure all tokens and credentials are promptly rotated after any suspected compromise. Grafana has stated no action is required from customers or open source users. Monitoring and securing supply chain credentials and tokens is critical to prevent similar incidents. Law enforcement has been notified.