Grafana GitHub Hacked: CoinbaseCartel Stole the Entire Codebase — And Demanded Ransom
In a chilling reminder that no codebase is safe, Grafana Labs disclosed on May 17, 2026 that an unauthorized attacker obtained a privileged GitHub token, downloaded its entire source code repository, and then sent an extortion demand threatening to leak it publicly. The culprit? A cybercrime group called CoinbaseCartel — an offshoot of the notorious ShinyHunters and Scattered Spider ecosystems — that has racked up 170 victims across healthcare, tech, transportation, and manufacturing in less than a year.
Grafana refused to pay. Here’s what happened, how the attackers got in, and what every engineering team needs to learn before it’s their repo on the dark web.
How Attackers Got In: The “Pwn Request” Attack
The root cause was deceptively simple. A recently enabled GitHub Action contained a “Pwn Request” vulnerability — a misconfiguration in a workflow triggered on pull_request_target events. This event type grants the workflow elevated privileges (including access to production secrets) even when the triggering pull request comes from an external fork.
The attack chain worked like this:
- The attacker forked a Grafana repository and submitted a pull request containing a curl command that dumped all environment variables to a file encrypted with the attacker’s private key.
- When Grafana’s CI pipeline executed the workflow, it handed the attacker’s code access to production-level secrets — including the GitHub OAuth token.
- With that token in hand, the attacker cloned Grafana’s entire codebase within minutes.
This technique — known as a “Pwn Request” — has been documented in the security community for years, but it remains devastatingly effective because developers routinely enable pull_request_target without understanding the security implications. The Hacker News writeup confirmed that the compromised GitHub Action had been added only recently, suggesting an incremental change to CI/CD configuration introduced the exposure.
What Was Stolen — and What Wasn’t
Grafana confirmed that the attacker downloaded its proprietary source code repositories. This is significant. Grafana is one of the world’s most widely used open-source observability platforms, with over 20 million active installations worldwide. Its Enterprise codebase — the monetized layer on top of the open-source core — contains years of proprietary work on alerting, access controls, and advanced data-source integrations.
What the attacker did not access, according to Grafana’s disclosure: customer data. The breach was limited to internal GitHub repositories. No dashboards, no customer credentials, no telemetry were compromised. Organizations running Grafana Cloud or on-premise Grafana instances can continue operating normally.
That said, the theft of source code creates downstream risks. Security researchers warn that proprietary code in an attacker’s hands enables them to hunt for zero-day vulnerabilities at leisure — flaws they can weaponize before Grafana has any chance to patch them.
Meet CoinbaseCartel: The 170-Victim Extortion Machine
Attribution for the Grafana extortion was claimed by CoinbaseCartel, a data extortion crew that emerged in September 2025. Security researchers describe it as part of the same constellation of threat actors behind ShinyHunters, Scattered Spider, and LAPSUS$ — English-speaking, financially motivated hackers who specialize in sophisticated social engineering and cloud-native attacks.
Unlike traditional ransomware groups that encrypt files and demand payment for a decryption key, CoinbaseCartel focuses exclusively on data theft and extortion. The model is simpler: steal the data, prove you have it, threaten public release. No malware deployment, no complex ransomware toolkits. Just stolen credentials, bold demands, and a countdown timer.
The group’s 170 confirmed victims span healthcare, technology, transportation, manufacturing, and business services. The Grafana incident is their highest-profile tech company target to date. This aligns with a broader trend documented in Mandiant’s M-Trends 2026 report where extortion-only groups are growing faster than traditional ransomware operators.
Grafana’s Response: Refusal, Remediation, and Transparency
Grafana’s response deserves recognition for its speed and transparency. The company:
- Immediately invalidated the compromised GitHub token upon discovery
- Removed the vulnerable GitHub Action from all affected workflows
- Conducted a full audit of CI/CD secrets and access tokens
- Publicly disclosed the incident within 24 hours — a level of transparency that is unfortunately rare
- Refused to pay the ransom — and made that refusal public
Refusing to pay was the right call. Security experts consistently advise against ransom payments because payment does not guarantee data deletion, emboldens attackers, and funds future campaigns. The Instructure/Canvas breach earlier this month illustrated what happens when companies take the opposite path — paying ShinyHunters a ransom only to have the group attack again days later.
Grafana’s refusal, combined with rapid public disclosure, sets a healthier industry precedent. It also signals that the company is confident its source code does not contain exploitable secrets — a reassuring message for its enterprise customer base.
The Broader CI/CD Supply Chain Crisis
The Grafana breach is not an isolated incident. It fits into a pattern of CI/CD pipeline attacks that security researchers have been warning about for years but that organizations are only now experiencing at scale. The common thread: over-privileged automation in environments that are connected to production secrets.
GitHub Actions, the world’s most widely used CI/CD platform, is particularly susceptible because of its design: workflows run close to production secrets, they process code from external contributors, and developers often copy-paste Action configurations without understanding the permission model. The pull_request_target trigger is especially dangerous — it was designed to allow CI to comment on external PRs, but it grants far more access than most developers realize.
This also connects to supply-chain vulnerabilities we covered earlier this year — attackers increasingly target developer infrastructure rather than production systems, because developer machines and pipelines hold the keys to everything.
What Security Teams Must Do Right Now
If your organization uses GitHub Actions — and statistically, it does — the Grafana breach is a wake-up call. Here’s what to audit immediately:
- Audit every workflow using pull_request_target: If it accesses any secrets, it needs to be rewritten or isolated to a separate environment without production credentials.
- Apply the principle of least privilege to all CI tokens: Tokens used in CI/CD should have the minimum permissions required. Repository-scoped tokens, not organization-wide ones.
- Enable secret scanning and push protection: GitHub’s native tools can alert you if a token or credential is accidentally committed or exposed in logs.
- Rotate all GitHub tokens and OAuth apps quarterly: Assume any long-lived token is a liability waiting to be exploited.
- Review third-party GitHub Actions before use: Pinning to a specific commit hash rather than a tag prevents supply-chain substitution attacks.
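To make the first audit item concrete, and to show the pull_request_target misconfiguration described in the “Pwn Request” section side by side with its fix, here is an added example that is not from the article or from Grafana. Both workflow files are constructed samples (not the actual compromised Action), and the checker is a line-based heuristic over the indicator strings, not a full YAML parser.

```python
import re

# Constructed sample workflows for illustration, not Grafana's real configuration.
# Weak pattern: pull_request_target grants base-repo privileges, yet the job checks
# out the fork's head commit and exposes a secret to whatever code it runs.
VULNERABLE_WORKFLOW = """\
name: pr-lint
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make lint
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
"""

# Hardened pattern: plain pull_request (fork PRs get a read-only token and no
# secrets), explicit least-privilege permissions, default checkout, no secrets.
HARDENED_WORKFLOW = """\
name: pr-lint
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
"""

TRIGGER = re.compile(r"^\s*pull_request_target\s*:")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head|github\.head_ref")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")


def audit_workflow(text):
    """Return findings for one workflow file (heuristic; run it over .github/workflows/*.yml)."""
    lines = text.splitlines()
    if not any(TRIGGER.match(line) for line in lines):
        return []  # pull_request_target not used: nothing to flag here
    findings = []
    if any(HEAD_REF.search(line) for line in lines):
        findings.append("pull_request_target checks out the PR head: fork-controlled code runs with base-repo privileges")
    if any(SECRET_USE.search(line) for line in lines):
        findings.append("pull_request_target workflow reads secrets: every step, including untrusted ones, can see them")
    if not findings:
        findings.append("pull_request_target used: confirm no step builds or executes fork-controlled content")
    return findings
```

The checker is deliberately conservative: a pull_request_target workflow that reads secrets is flagged even if it never checks out the PR, because the job must be rewritten or split so that untrusted content and production credentials never share a runner.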
Why Stolen Source Code Is More Dangerous Than You Think
There’s a temptation to minimize the Grafana breach because “no customer data was stolen.” That framing is dangerously incomplete.
Source code is a blueprint. With Grafana’s proprietary code in hand, CoinbaseCartel — or whoever they sell it to — can spend months performing private security research to find zero-day vulnerabilities. These would be vulnerabilities unknown to Grafana that could be exploited against every one of the 20+ million active Grafana deployments in the world.
This is the same threat model that makes government agencies and intelligence services so concerned about proprietary source code reaching adversarial hands. As Project Glasswing demonstrated, AI systems can now autonomously scan code for vulnerabilities at superhuman speed. An attacker with both stolen source code and an AI vulnerability scanner is an extraordinarily capable threat actor.
The Bottom Line
The Grafana breach should serve as a mandatory case study for every DevSecOps team in 2026. The attacker needed no sophisticated malware, no nation-state resources, no inside access. A single misconfigured CI/CD workflow was enough to download one of the most widely used observability platforms’ entire proprietary codebase in minutes.
Grafana’s transparent response and refusal to pay set a good example. Now it’s time for the rest of the industry to reciprocate by auditing their own pipelines before they become the next entry in CoinbaseCartel’s 170-victim trophy case.
The Grafana incident is also a reminder that cybersecurity is a never-ending process, not a one-time configuration. Your CI/CD pipeline is as valuable a target as your production database — start treating it that way.