Grafana Labs, whose observability dashboards run inside the infrastructure of more than 7,000 organizations worldwide — including 70% of Fortune 50 companies — disclosed May 17 that an attacker stole a privileged access token from its GitHub environment, downloaded the company's entire private codebase, and then demanded a ransom to stay quiet. Grafana refused to pay. The code has not yet been published.
The breach landed days after a separate, AI-assisted campaign scanned hundreds of repositories for the same category of GitHub Actions misconfiguration — suggesting that what hit Grafana was not a targeted strike on one company but a systematic sweep of a vulnerability class that most organizations have not audited.
A Single Misconfigured Workflow Opened the Door
The attack exploited what security researchers call a "Pwn Request" vulnerability, a well-documented flaw in workflows configured to trigger on GitHub's pull_request_target event. When a workflow uses this trigger without properly isolating the execution environment, it runs code from a forked — and potentially attacker-controlled — repository inside the trusted CI context where organization secrets are loaded.
The attacker forked a public Grafana repository and injected malicious code that, when the vulnerable workflow ran, dumped environment variables to an encrypted file and extracted a privileged GitHub access token. With that token, the attacker downloaded Grafana's full private codebase and extended the compromise to four additional private repositories. The fork was then deleted to remove the most visible forensic trace.
Grafana only learned of the breach when one of its canary tokens — lightweight, fake credentials seeded throughout the environment specifically to fire an alert the moment anyone touches them — was triggered. By that point, the download was complete.
The compromised credentials have since been invalidated, the vulnerable workflow has been removed, and all workflows across public repositories have been disabled pending review, Grafana said in a six-part post on X on May 17. A forensic investigation is ongoing.
CoinbaseCartel Claims the Attack
Grafana has not formally attributed the intrusion to any named group. However, the extortion outfit operating under the name CoinbaseCartel has listed Grafana on its dark web data leak site as of this writing, though it has not published any of the stolen code.
CoinbaseCartel emerged in September 2025 and has since claimed more than 170 victims across technology, healthcare, manufacturing, transportation, and business services, according to threat intelligence from Halcyon, Fortinet FortiGuard Labs, and Ransomware.live. Analysts at Bitdefender ranked the group among the ten most active extortion operations during both September and December 2025.
The group's model differs from traditional ransomware in one important respect: it does not encrypt systems. Instead, CoinbaseCartel steals data and threatens to publish it unless paid — a design that bypasses the operational complexity of deploying encryption software while generating comparable pressure on victims. Because there are no encrypted files to decrypt, paying the ransom does not restore anything that was taken; it purchases only silence, with no guarantee the silence will hold.
Intelligence firm Hudson Rock analyzed more than 100 of the group's claimed victims and found that the majority traced back to employee credentials previously captured by infostealer malware — in some cases years before the breach occurred. Aged, unrotated logins to cloud platforms and file-transfer services appear to be the group's primary entry point across most of its targets. The Grafana intrusion, which exploited a CI/CD workflow misconfiguration rather than a stolen cloud login, may represent a tactical variation.
ShinyHunters, one of the criminal ecosystems analysts have associated with CoinbaseCartel's affiliates, has publicly denied any direct connection to the group.
Grafana Cites FBI Guidance in Refusing to Pay
Grafana's decision not to pay was grounded in explicit Federal Bureau of Investigation policy. The FBI states publicly that paying a ransom "doesn't guarantee you or your organization will get any data back" and "offers an incentive for others to get involved in this type of illegal activity."
That calculus was reinforced by the nature of the stolen material. Grafana's software is largely open-source; the proprietary components represent engineering investment and commercial differentiation, but the company noted they hold limited utility as leverage compared with, for example, customer records or financial data. Grafana confirmed no customer data or personal information was accessed during the incident, and it found no evidence of impact to customer systems or operations.
The contrast with a contemporaneous breach is instructive. Education technology company Instructure, which runs the Canvas learning management system, did negotiate and pay a ransom following a separate incident that involved the theft of staff and student data, according to reporting by TechCrunch. Grafana's refusal — and its simultaneous public disclosure on the same day the ransom demand arrived — sets a different precedent.
The Vulnerability Class Is Actively Being Swept
The pull_request_target workflow trigger has been a documented security risk since at least 2021. GitHub's own Security Lab warns that it runs with write permissions and secret access regardless of whether the triggering pull request originates from a fork outside the organization.
Security researchers at Orca Security published detailed exploitation walkthroughs of the vulnerability class in 2025, demonstrating successful attacks against workflows maintained by Fortune 500 companies and major open-source projects. A campaign tracked by Wiz Research between March and April 2026 used AI-generated pull requests to open more than 500 malicious submissions across hundreds of repositories, targeting the same misconfiguration and extracting secrets from at least 50 of them before detection.
The Aqua Security vulnerability scanner Trivy suffered a related attack in February and March 2026 when a threat actor exploited a pull_request_target workflow that had been flagged as vulnerable by an automated tool months earlier and left unpatched. The attacker stole a privileged access token and ultimately poisoned 75 of 76 version tags in Trivy's GitHub Actions distribution — meaning any CI/CD pipeline that pulled in Trivy by tag during the exposure window executed attacker-controlled credential-stealing code alongside the legitimate scanner.
The pattern across these incidents is consistent: attackers are not hunting for exotic zero-day vulnerabilities. They are running automated sweeps for a known, documented configuration error that is widespread in the GitHub ecosystem and that, once found, hands them the keys to CI/CD secrets without deploying a single byte of malware on any endpoint.
What Security Teams Can Do Now
For organizations running GitHub Actions, the immediate priority is reviewing any workflow that uses the pull_request_target trigger to confirm that it does not check out or execute code from the triggering pull request. Workflows that require secret access should use scoped, short-lived tokens and enforce reviewer approval before secrets are exposed.
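The review step just described, together with the "Pwn Request" mechanics from the opening sections and the tag-poisoning route described for Trivy, as an added example (this is not Grafana's tooling, not code from the article, and not a GitHub-provided check): a small Python audit script that reads workflow text, reports when a pull_request_target workflow consumes pull-request-author-controlled data such as `github.event.pull_request.head.*` or `github.head_ref`, notes whether the job reads `secrets.*`, and, going slightly beyond the page's case, also flags `uses:` references pinned to a mutable tag rather than a 40-character commit SHA. The three workflow samples are constructed for the illustration, the all-zero SHA is a placeholder, and the scanner is a line-based heuristic that assumes conventional indentation with a top-level `jobs:` key, not a YAML parser.

```python
"""Audit GitHub Actions workflow text for the "Pwn Request" shape:
a pull_request_target trigger (privileged context) combined with use of
data the pull-request author controls, plus actions referenced by mutable
tags. Line-based heuristic (assumes standard indentation), not a YAML parser.
Added example; the sample workflows below are constructed."""
import re

# Trigger that runs in the base repository's privileged context.
TARGET_TRIGGER = re.compile(r"\bpull_request_target\b")
# Expressions that resolve to something the pull-request author controls.
PR_CONTROLLED = ("github.event.pull_request.head", "github.head_ref")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_PINNED = re.compile(r"@[0-9a-f]{40}$")


def audit_workflow(text):
    """Return {'pwn_request': bool, 'reads_secrets': bool, 'findings': [...]}."""
    lines = text.splitlines()
    # Everything before the top-level 'jobs:' key is the trigger section.
    jobs_at = next((i for i, l in enumerate(lines) if l.startswith("jobs:")), len(lines))
    privileged = bool(TARGET_TRIGGER.search("\n".join(lines[:jobs_at])))
    findings, uses_pr_data, reads_secrets = [], False, False
    for num, line in enumerate(lines[jobs_at:], start=jobs_at + 1):
        if "secrets." in line:
            reads_secrets = True
        if privileged and any(expr in line for expr in PR_CONTROLLED):
            uses_pr_data = True
            findings.append({"line": num, "severity": "high",
                             "message": "pull_request_target job consumes "
                                        "PR-controlled data: " + line.strip()})
        m = USES_LINE.match(line)
        if m and "@" in m.group(1) and not SHA_PINNED.search(m.group(1)):
            findings.append({"line": num, "severity": "medium",
                             "message": "action pinned to a mutable ref, "
                                        "not a commit SHA: " + m.group(1)})
    return {"pwn_request": privileged and uses_pr_data,
            "reads_secrets": reads_secrets, "findings": findings}


PLACEHOLDER_SHA = "0" * 40  # placeholder only; pin to a real commit SHA in practice

# Constructed sample: privileged trigger + checkout of the fork's code + secrets.
VULNERABLE_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: unprivileged trigger, read-only token, SHA-pinned action.
HARDENED_WORKFLOW = f"""\
name: pr-checks
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - run: npm ci && npm test
"""

# Constructed sample: a legitimate pull_request_target use that never touches PR code.
LABELER_WORKFLOW = f"""\
name: label
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@{PLACEHOLDER_SHA}
"""


def main():
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW),
                       ("hardened", HARDENED_WORKFLOW),
                       ("labeler", LABELER_WORKFLOW)):
        r = audit_workflow(text)
        print(f"{name}: pwn_request={r['pwn_request']} reads_secrets={r['reads_secrets']}")
        for f in r["findings"]:
            print(f"  line {f['line']:>2} [{f['severity']}] {f['message']}")


if __name__ == "__main__":
    main()
```

Run it over the files under `.github/workflows/` of a repository and treat any `pwn_request: True` result as a finding to fix before the next public pull request arrives. Because a pull_request_target job already holds a write-capable token and secret access, the hardened shape switches to `pull_request`, drops to read-only `permissions`, and pins the action by commit SHA so a poisoned tag of the kind described for Trivy cannot swap in different code.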
Canary tokens — the only detection signal that worked in Grafana's case — are free to deploy and trivial to set up. Their absence means that a credential theft and full-repository download could complete silently before any alert fires.
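The canary-token tripwire described above and earlier in the piece (the only signal that fired in Grafana's case), as an added example that is neither Grafana's tooling nor code from the article: a Python sketch that mints a decoy token shaped like a GitHub classic personal access token, keeps only its SHA-256 in a registry so the registry itself is not a usable credential, and raises an alert whenever an authentication event presents the decoy. The event fields, timestamps and addresses are constructed for the illustration, and treating the `ghp_` plus 36-alphanumeric shape as sufficient disguise is an assumption for this example.

```python
"""Canary (decoy) token tripwire: mint a token shaped like a GitHub classic
PAT, keep only its hash, and alert when any auth event presents it.
Added example; the event format below is constructed, not GitHub's."""
import hashlib
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
# Shape of a GitHub classic PAT: 'ghp_' followed by 36 alphanumerics.
TOKEN_SHAPE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")


def fingerprint(token):
    """Hash the token so the registry never stores a usable credential."""
    return hashlib.sha256(token.encode()).hexdigest()


def mint_canary(label):
    """Return (token, record). Seed the token where real secrets live;
    keep only the record on the detection side."""
    token = "ghp_" + "".join(secrets.choice(ALPHABET) for _ in range(36))
    return token, {"label": label, "sha256": fingerprint(token)}


def scan_events(events, registry):
    """Return one alert per event whose presented token is a registered canary."""
    alerts = []
    for ev in events:
        for token in TOKEN_SHAPE.findall(ev.get("authorization", "")):
            record = registry.get(fingerprint(token))
            if record is not None:
                alerts.append({"label": record["label"], "src_ip": ev["src_ip"],
                               "path": ev["path"], "ts": ev["ts"]})
    return alerts


# One decoy planted next to the real CI secrets (label says where it lives).
CANARY, RECORD = mint_canary("ci/GH_DEPLOY_TOKEN")
REGISTRY = {RECORD["sha256"]: RECORD}

# Constructed auth events as an API front end or canary service might log them.
SAMPLE_EVENTS = [
    {"ts": "2026-05-15T02:11:04Z", "src_ip": "198.51.100.10",
     "path": "/repos/example/app", "authorization": "token ghp_" + "a" * 36},
    {"ts": "2026-05-15T02:11:09Z", "src_ip": "192.0.2.20",
     "path": "/healthz", "authorization": ""},
    {"ts": "2026-05-15T02:12:37Z", "src_ip": "203.0.113.7",
     "path": "/orgs/example/repos", "authorization": "token " + CANARY},
]


def demo():
    """Scan the constructed events; only the third one should trip the wire."""
    return scan_events(SAMPLE_EVENTS, REGISTRY)


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT canary {alert['label']} used from {alert['src_ip']} "
              f"on {alert['path']} at {alert['ts']}")
```

The decoy only helps if it sits where a secret dump would sweep it up: alongside the real values in the CI secret store, an `.env` file, or a deployment config. As the Grafana timeline shows, a canary is a tripwire that shortens time to detection, not a control that stops the initial theft.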
The broader lesson from the Grafana incident is one the security community has articulated repeatedly without yet changing industry practice: CI/CD pipelines carry production-level trust and are exposed to internet-sourced input through every public pull request. Treating them as implicitly secure internal systems is no longer defensible.
© 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.