Grafana Labs disclosed on May 16, 2026 that an unauthorized party obtained a token granting access to its GitHub environment and used it to download the company's private codebase. The intrusion was traced to a recently enabled GitHub Action containing a Pwn Request vulnerability: a workflow triggered on pull_request_target events exposed production secrets to external contributors. The attacker forked a Grafana repository, injected a curl command to exfiltrate environment variables encrypted with their key, deleted the fork to hide activity, then reused the stolen tokens against four additional private repositories. The breach was detected when one of Grafana's deployed canary tokens fired. The actor attempted to extort the company in exchange for not publishing the code; Grafana refused to pay and states no customer data or systems were affected.
- Grafana GitHub Token Breach Led to Codebase Download and Extorti(opens in a new tab)
- Grafana Labs Security Breach - Hackers Access GitHub and Downloa(opens in a new tab)
- Grafana Labs Confirms Security Incident Involving GitHub Codebas(opens in a new tab)
- Grafana GitHub Breach Exposes Source Code via TanStack npm Attac(opens in a new tab)