Grafana Labs has disclosed a security incident involving unauthorized access to its GitHub environment after attackers obtained a compromised access token. The company confirmed that the attackers were able to download portions of its source code.
Grafana Labs is the organization behind Grafana, the widely used open-source analytics, monitoring, and real-time data visualization platform. The platform is used by more than 7,000 organizations worldwide, including major enterprises, cloud providers, telecommunications companies, financial institutions, government entities, e-commerce platforms, and infrastructure operators.
According to Grafana Labs, its investigation has found no evidence that customer data, personal information, or customer systems were impacted by the breach. The company stated that forensic analysis identified the source of the compromised credentials, which have since been invalidated. Additional security controls have also been implemented to help prevent similar unauthorized access in the future.
A threat group known as CoinbaseCartel has claimed responsibility for the incident and added Grafana Labs to its data leak site. As of now, no stolen data has been publicly released.
The attackers reportedly attempted to extort Grafana Labs by demanding payment in exchange for not publishing the stolen source code. Grafana Labs stated that it will not pay the ransom, citing public FBI guidance that paying attackers does not guarantee data will be returned or withheld and may encourage further criminal activity.
Grafana Labs said it plans to release additional details once its post-incident investigation is complete.
CoinbaseCartel, which emerged last September, has become increasingly active this year and has listed more than 100 alleged victims on its leak portal. The group primarily focuses on data theft and extortion, using public exposure threats to pressure organizations into paying.

Security researchers have reported that CoinbaseCartel may include affiliates connected to groups such as ShinyHunters and Lapsus$, with reported tactics including social engineering, phishing, and the use of compromised credentials. Some researchers have also linked the group to tools capable of targeting VMware ESXi environments and disabling snapshots, although ShinyHunters has denied any direct connection between CoinbaseCartel and its own operation.
The incident highlights the ongoing risk of credential-based attacks against developer environments and the importance of securing access tokens, monitoring GitHub activity, enforcing least-privilege access, and rapidly rotating exposed credentials.