Grafana Labs Breach: Forgotten Workflow Token Exposes Internal Repositories

On May 19, 2026, Grafana Labs disclosed that a single GitHub workflow token, missed during an emergency rotation process, allowed attackers to access its private and internal repositories. The incident, first detected on May 11, represents the lateral expansion of a supply chain attack originally launched via a compromised TanStack npm package by the threat group TeamPCP. What began as a build environment infection evolved into an intellectual property breach followed by an extortion attempt.

Key Takeaways
  • Grafana Labs stated the breach was confined to its GitHub environment, affecting public, private, and internal repositories; there is no evidence that customer production systems or the Grafana Cloud platform were compromised.
  • The attack originated from the TanStack npm supply chain campaign orchestrated by TeamPCP, which injected malware into build/CI environments to steal GitHub workflow tokens.
  • During the initial remediation, one token was overlooked. This allowed attackers to persist, access repositories, and download content, including the names and email addresses of business contacts.
  • The group CoinbaseCartel listed Grafana Labs on a dark web leak site on May 15, 2026; on May 16, Grafana received an extortion demand and has since decided not to pay.

From TanStack Malware to GitHub Access: Anatomy of the Escalation

The supply chain campaign that hit Grafana is part of a broader operation attributed to TeamPCP, a group active on npm and other package registries. The initial vector—a compromised TanStack package—served as a conduit to inject malware into the continuous integration (CI) environment. Once inside, the malware exfiltrated GitHub workflow tokens—non-human credentials used by CI/CD automation to authenticate against repositories.

Grafana responded with an aggressive token rotation, but the procedure was incomplete. As the company explained, a subsequent review revealed that a workflow originally believed to be unaffected was actually compromised. This opened a window of access that attackers exploited to broaden their reach from public repositories to private and internal ones.

The case highlights a recurring dynamic in supply chain attacks: while the immediate damage of a compromised package is often quantifiable, the persistence granted by a non-human identity token can be far more damaging. These identities proliferate invisibly within CI/CD workflows: every GitHub Action, third-party integration, and pipeline generates tokens that often carry broader scopes than necessary. Without a comprehensive inventory, emergency rotation remains a hit-or-miss operation.

The "Missed Token": The High Cost of Partial Remediation

The central technical failure was not the npm package compromise itself, but the failure to rotate a single workflow token. Grafana reported rotating a "significant number" of tokens, but one escaped the process. The phrasing is telling: it wasn't a hidden or poorly encrypted token, but rather an element lost in what was likely a manual or only partially automated inventory.

The consequences were significant. In addition to source code, attackers downloaded repositories used by teams to "collaborate and store internal operational information and other business details," according to Grafana. The exfiltrated data includes names and email addresses of business contacts. Crucially, Grafana stated that no information was taken from production systems or the Grafana Cloud platform. This distinction is vital: while customer-hosted data remained secure, the company's intellectual property and business-relationship data were hit.

Uncertainties remain regarding certain aspects of the breach. It is unclear if the missed token was exposed exclusively via TanStack or through other vectors. Furthermore, it has not been verified whether the data listed by CoinbaseCartel on May 15 corresponds exactly to the material stolen via the Grafana token or if it originated from a separate access point. Grafana has not detailed which specific repositories were involved.

"We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories" — Grafana Labs (via The Hacker News)

TeamPCP and the Market for Stolen Source Code

TeamPCP is a known entity in these types of operations. BleepingComputer has documented previous supply chain campaigns on npm, PyPI, and Docker, with the group specializing in compromising package registries to gain entry into development environments. In this instance, the group claimed to have accessed approximately 4,000 internal private GitHub repositories, listing the access for sale for at least $50,000.

The sale post, reported by BleepingComputer, is explicit: "No low ball offers will be accepted, everything for the main platform is there and I very am happy to send samples to interested buyers to verify the absolute authenticity. There is a total of around ~4.000 repos of private code here." The claim refers to GitHub in general rather than Grafana specifically; it remains unverified if these 4,000 repositories include Grafana’s or represent a pool aggregated from multiple breaches.

On May 15, 2026, the group CoinbaseCartel listed Grafana Labs on its dark web site. The following day, Grafana received the extortion demand. By choosing not to pay, Grafana has aligned itself with the standard industry response to ransomware and data extortion, though this does not eliminate the risk of the stolen materials circulating on the underground market.

Defense Strategies: Securing Non-Human Identities

For organizations utilizing GitHub Actions and relying on npm packages, the Grafana incident provides a clear roadmap for immediate and long-term security measures.

  • Inventory all non-human identities within CI/CD workflows, not just primary tokens. GitHub workflow tokens, deploy keys, integration secrets, and service accounts must be mapped automatically rather than via manual post-incident searches.
  • Automate rotation and revocation with policies that do not rely on human memory. A token should ideally not persist beyond the duration of the job that generates it, and revocation capabilities must be faster than human reaction times.
  • Segment workflow scopes to ensure a compromised token does not provide access to the entire repository fleet. Applying the principle of least privilege to automated identities limits the radius of lateral movement.
  • Audit npm dependencies using provenance verification and behavioral analysis within the CI pipeline. While the compromised package was the entry point, the lack of detection within the pipeline allowed for the subsequent token exfiltration.
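As an added example (it is not Grafana's tooling and not code from the incident write-up), the script below applies the first and third items of the list: it inventories every `secrets.*` reference in a workflow file and parses the `permissions:` grants that scope the workflow's `GITHUB_TOKEN`, flagging `write-all`, a missing block (which leaves the token at the repository default), and explicit write scopes. The two workflow files are constructed samples: the weak one grants `write-all` and reads a long-lived `NPM_TOKEN`, the hardened one sets `contents: read` at the workflow level and grants `id-token: write` only to its release job. The YAML handling is a minimal indentation scan, an assumption made to keep the example standard-library only; it is not a full parser.

```python
"""Static audit of GitHub Actions workflow files for non-human identity hygiene.

Added example (not Grafana's tooling): inventories the secrets each workflow
can read and the GITHUB_TOKEN scope declared by `permissions:`, so broad or
defaulted grants are visible before an incident rather than during rotation.
The YAML handling is a minimal indentation scan (assumption: standard library
only); production tooling should use a real YAML parser.
"""
import re
from dataclasses import dataclass, field

# ${{ secrets.NAME }} references; NAME identifies a credential the job can read.
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")


@dataclass
class WorkflowAudit:
    name: str
    secrets: set = field(default_factory=set)    # credentials referenced
    scopes: list = field(default_factory=list)   # (level, permissions) pairs
    findings: list = field(default_factory=list)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def parse_permissions(lines, start):
    """Value of the `permissions:` entry at lines[start]: the inline string form
    ("write-all", "read-all", "{}") or a dict of scope -> read/write/none."""
    head = lines[start]
    inline = head.split(":", 1)[1].strip()
    if inline:
        return inline
    perms = {}
    for line in lines[start + 1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if _indent(line) <= _indent(head):
            break  # left the nested mapping
        key, _, val = line.strip().partition(":")
        perms[key] = val.strip()
    return perms


def audit_workflow(name, text):
    """Inventory secrets and token scope for one workflow file's text."""
    lines = text.splitlines()
    audit = WorkflowAudit(name=name, secrets=set(SECRET_REF.findall(text)))
    for i, line in enumerate(lines):
        if not line.lstrip().startswith("permissions:"):
            continue
        level = "workflow" if _indent(line) == 0 else "job"
        perms = parse_permissions(lines, i)
        audit.scopes.append((level, perms))
        if perms == "write-all":
            audit.findings.append(f"{level}: write-all grants every GITHUB_TOKEN scope")
        elif isinstance(perms, dict):
            writes = sorted(k for k, v in perms.items() if v == "write")
            if writes:
                audit.findings.append(f"{level}: write scopes {', '.join(writes)}")
    if not audit.scopes:
        audit.findings.append("no permissions block: GITHUB_TOKEN inherits the repository default")
    return audit


def risk_level(audit):
    """Coarse triage: blanket or defaulted scope is high, explicit write scopes medium."""
    if any("write-all" in f or "no permissions" in f for f in audit.findings):
        return "high"
    if any("write scopes" in f for f in audit.findings):
        return "medium"
    return "low"


# Constructed sample workflows; not taken from any Grafana repository.
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    for wf_name, wf_text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = audit_workflow(wf_name, wf_text)
        print(f"{wf_name}: risk={risk_level(result)} secrets={sorted(result.secrets)}")
        for finding in result.findings:
            print("  -", finding)
```

Run it over `.github/workflows/*.yml` in every repository to build the inventory the first item calls for; keeping the returned audits lets a rotation be checked against a complete list rather than against memory, which is the gap the missed token fell through. Note that the hardened sample still reports a finding: the `id-token: write` grant is deliberate but should be recorded, because the point of the inventory is visibility, not a clean score. For the fourth item, recent npm releases ship `npm audit signatures`, which verifies registry signatures and provenance attestations for installed packages and can run in the same pipeline.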

The Extended Supply Chain: Beyond the Clean Package

The takeaway from the Grafana incident is that modern supply chain attacks are multi-stage events. The TanStack package compromise was the detonator; the persistence via a forgotten token was the actual explosive. While companies invest heavily in dependency scanning and package signing, they often overlook the hygiene of the non-human identities that those packages encounter during the build phase.

For those developing software with GitHub Actions, the lesson is that token rotation is not a post-incident cleanup task—it is a core defense-in-depth mechanism. It determines whether a supply chain attack remains contained or escalates into a full source code breach. Grafana paid the price for one missed token in a presumably crowded inventory. For now, the cost is exfiltrated code and a public extortion attempt; for other companies, there is still time for prevention.

Frequently Asked Questions

Was Grafana Cloud customer data compromised?

No. According to Grafana Labs' official statement, there is no evidence that customer production systems or the Grafana Cloud platform were affected. The breach was limited to the company's GitHub environment.

Who is CoinbaseCartel and how are they related to TeamPCP?

CoinbaseCartel is the group that listed Grafana Labs on its dark web leak site on May 15, 2026. It is unclear if they are the same entity as TeamPCP or if they operate as an affiliate or separate broker for stolen data.

Why can a single token cause such extensive damage?

GitHub workflow tokens act as master keys for automation. If generated with a broad scope or attached to workflows with access to multiple repositories, their compromise allows for instant lateral movement across the entire exposed surface unless strict segmentation is in place.
