Grafana token lapse after TanStack breach exposed private code

Grafana says a single GitHub workflow token was missed during a rotation after a TanStack npm supply-chain attack. That slip allowed attackers, linked to the Shai-Hulud malware campaign attributed to TeamPCP, to access Grafana’s private repositories, though Graf
On May 1, Grafana moved fast after it spotted malicious activity tied to infected TanStack packages. It rotated a “significant number of GitHub workflow tokens” as part of its incident response plan.
But one token slipped through.
That missed rotation became the opening the attackers needed. Grafana says the adversary used the unrotated workflow token to gain access to the company’s private repositories—despite Grafana’s belief, at the time, that at least one specific GitHub workflow was not impacted.
The chain began with the Shai-Hulud malware campaign, which is attributed to TeamPCP hackers. During that campaign, dozens of TanStack packages were published on the npm index with credential-stealing code. The malicious packages compromised developer environments, including Grafana’s.
When a malicious TanStack package was released, Grafana’s CI/CD workflow consumed it. In Grafana’s account of what happened, the info-stealer module then executed in its GitHub environment, exfiltrating GitHub workflow tokens directly to the attackers.
Grafana’s update says it detected the malicious activity resulting from the compromised TanStack packages on May 1 and immediately launched its incident response plan. Token rotation was a central step—until it wasn’t.
“We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories,” Grafana wrote.
“A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.”
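The failure mode described above is a rotation inventory built from memory rather than from the workflows themselves. The following is an added illustration, not Grafana's tooling: it scans constructed sample workflow files, treats every secret referenced in a workflow that installs npm packages as exposed (an info-stealer running in that job can read the job's environment), and reports any exposed secret missing from the rotated list. Paths and secret names are made up for the example.

```python
import re

# Constructed sample workflow files for illustration (not Grafana's): path -> contents.
WORKFLOWS = {
    ".github/workflows/build.yml": """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          GH_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }}
""",
    ".github/workflows/docs.yml": """
name: docs
on: [push]
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - run: npm install
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{secrets.DOCS_DEPLOY_TOKEN}}
""",
}

# ${{ secrets.NAME }} references, tolerating optional whitespace inside the braces.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Steps that install npm packages, where a malicious install script would run.
NPM_STEP = re.compile(r"\bnpm\s+(ci|install|i)\b")

def secrets_by_workflow(workflows):
    """Map each workflow path to the set of secret names it references."""
    return {path: set(SECRET_REF.findall(text)) for path, text in workflows.items()}

def exposed_secrets(workflows):
    """Conservative: any secret referenced in a workflow that installs npm packages
    is treated as exposed (whole-file granularity, not per-step scoping)."""
    return {name for path, text in workflows.items()
            if NPM_STEP.search(text) for name in SECRET_REF.findall(text)}

def missed_rotations(workflows, rotated):
    """Exposed secrets absent from the rotated list: the tokens still to rotate."""
    return sorted(exposed_secrets(workflows) - set(rotated))
```

Run against a real checkout, the rotated list would come from the incident tracker and a non-empty result is the gap that needs closing before declaring the rotation complete.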
Earlier, Grafana confirmed that the intruders stole source code. It also said there was no customer impact, and that the hackers would not receive a ransom payment.
As the investigation continued, the picture broadened beyond what was taken. Grafana says the intruder downloaded operational information and details the company uses for its business.
“This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform” — Grafana.
That distinction matters. Grafana stresses that this was not customer production data. And based on the latest evidence and investigation, Grafana says no customer production systems or operations have been compromised.
Grafana Labs also says its codebase was not modified during the incident. That means the code users downloaded during the events is considered safe, and users are not required to take any action.
If that assessment changes as the ongoing investigation turns up new evidence, Grafana Labs says it will notify impacted customers directly.