Grafana says hackers hit its GitHub environment, demand ransom to prevent codebase release — but it's refusing to pay

Grafana Labs confirmed that unauthorized actors accessed its GitHub environment using a stolen token, resulting in the exfiltration of the company's proprietary codebase and an attempted extortion demand.

Key Points

  • Grafana Labs reported that an unauthorized third party gained access to its GitHub environment via a compromised credential token.
  • The company confirmed that no customer data, personal information, or production systems were impacted by the security breach.
  • A threat actor group known as CoinbaseCartel claimed responsibility for the incident and attempted to extort the company.
  • Grafana Labs has rotated all affected credentials and implemented additional security measures following a forensic investigation.
  • CoinbaseCartel, which allegedly emerged in September 2025, is reportedly linked to members of the ShinyHunters, Scattered Spider, and Lapsus$ groups.

Why it Matters

This incident highlights the ongoing vulnerability of software supply chains to credential-based attacks, even for major platforms serving over 35 million users. By refusing to engage with extortionists, Grafana Labs is following standard cybersecurity guidance to prevent further exploitation and maintain the integrity of its open-source observability tools.
TechRadar Published by Sead Fadilpašić