
Grafana Labs Says Code Breach Stemmed from TanStack Attack

Grafana Labs confirmed that a supply chain attack involving compromised TanStack npm packages allowed threat actors to access the company's GitHub repositories and exfiltrate internal operational data.

Key Points

  • Grafana Labs discovered unauthorized access to its GitHub environment on May 11, after the malicious TanStack packages had been pulled into its environment.
  • The TeamPCP threat group executed the Mini Shai-Hulud campaign, which compromised 84 versions across 42 TanStack packages to steal CI/CD credentials.
  • Attackers successfully exfiltrated internal business contact information and the company's codebase after bypassing security filters via cryptographically signed malicious updates.
  • Grafana Labs responded by rotating GitHub workflow tokens, auditing commits, and hardening security protocols across its development infrastructure.
  • The broader Mini Shai-Hulud campaign also targeted other software projects, including OpenSearch, mistralai, and guardrails-ai, to harvest cloud and registry tokens.
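The first defensive step after an advisory like this is to find out which TanStack versions a project actually resolved. The script below is an added example, not code from the article, Grafana Labs or the TanStack project: it audits an npm package-lock.json (v1 and v2/v3 layouts) for @tanstack/* packages, flags versions on a caller-supplied denylist and entries that lack an integrity hash. The sample lockfile and the denylist are constructed placeholders; a real run would populate KNOWN_BAD from the published advisory.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample lockfile (npm lockfileVersion 3 shape). The @tanstack versions
# and hashes below are placeholders, not the versions named in the advisory.
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@tanstack/react-query": "^5.0.0"}},
        "node_modules/@tanstack/react-query": {"version": "5.0.0", "integrity": "sha512-PLACEHOLDER"},
        "node_modules/@tanstack/query-core": {"version": "5.0.1"},  # no integrity field
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER"},
    },
})

# Placeholder denylist: populate from the published advisory for a real check.
KNOWN_BAD: Dict[str, List[str]] = {"@tanstack/query-core": ["5.0.1"]}


def tanstack_packages(lockfile_text: str) -> Dict[str, dict]:
    """Map package name -> lockfile entry for every @tanstack/* package, for
    lockfileVersion 2/3 ("packages" keyed by path) and v1 ("dependencies" tree)."""
    lock = json.loads(lockfile_text)
    found: Dict[str, dict] = {}
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if "node_modules/@tanstack/" in path:  # also matches nested installs
                found["@tanstack/" + path.rsplit("node_modules/@tanstack/", 1)[1]] = entry
        return found

    def walk(deps: dict) -> None:
        for name, entry in deps.items():
            if name.startswith("@tanstack/"):
                found[name] = entry
            walk(entry.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def audit(lockfile_text: str, known_bad: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, reason) findings: denylisted versions, and entries
    with no integrity hash, which npm cannot verify against the registry tarball."""
    findings: List[Tuple[str, str, str]] = []
    for name, entry in tanstack_packages(lockfile_text).items():
        version = entry.get("version", "?")
        if version in known_bad.get(name, []):
            findings.append((name, version, "version listed as compromised"))
        if not entry.get("integrity"):
            findings.append((name, version, "missing integrity hash"))
    return findings
```

Running it on the sample reports @tanstack/query-core 5.0.1 twice: once as a denylisted version and once for the missing integrity hash.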

Why it Matters

This incident highlights the severe risks posed by supply chain attacks that compromise trusted CI/CD pipelines to distribute malicious, signed software updates. It serves as a critical reminder for organizations to implement rigorous monitoring and token management to protect development environments from automated credential theft.
Source: Infosecurity Magazine, published by Phil Muncaster.