Grafana Labs GitHub Compromise via TanStack npm Supply Chain Attack

Grafana Labs disclosed a targeted intrusion in which a cybercrime group obtained unauthorized access to its GitHub, exfiltrated source code and internal collaboration repositories, and issued an extortion demand threatening public release of the stolen data. The intrusion was scoped to the GitHub environment; per Grafana, no production systems or the Grafana Cloud platform were affected, and the codebase was downloaded but not altered.

Severity: Moderate

Attribution And Campaign

  • Initial access vector: TanStack npm supply chain compromise, attributed to the “Mini Shai-Hulud” campaign (a follow-on / variant of the broader Shai-Hulud npm worm activity tracked in the npm ecosystem).
  • Actor profile: Financially motivated cybercrime group conducting data-theft extortion. No encryption component was reported; despite the “ransomware” framing in the title, this is exfiltration-only extortion.
  • Threat actor not publicly named in the disclosure.

Attack Details

  1. Initial Access — Supply Chain (T1195.002): Malicious TanStack npm package version pulled into Grafana’s build environment.
  2. Credential Access (T1552.004 / T1528): Payload harvested CI/CD secrets, specifically GitHub workflow tokens.
  3. Detection event: Malicious activity detected internally on May 11, 2026; IR plan activated.
  4. Incomplete remediation: During initial response, Grafana rotated a large number of GitHub workflow tokens but missed at least one token tied to a workflow originally assessed as unaffected.
  5. Persistence/Access via stolen token: Attackers used the missed token to access GitHub repositories.
  6. Collection & Exfiltration (T1213 / TA0010): Downloaded public source, private source, and internal operational repositories (including business contact names and emails used in professional correspondence).
  7. Impact — Extortion (T1657): On May 16, 2026, ransom demand delivered under threat of code/data disclosure.

Timeline

Date                   | Event
May 11, 2026           | Malicious npm activity detected; IR initiated; token rotation begins
Between May 11–16, 2026 | Attacker leverages overlooked workflow token to access repos and exfiltrate data
May 16, 2026           | Ransom demand received; Grafana publishes initial findings
May 19, 2026           | Detailed update published; federal law enforcement notified

Grafana’s Response

  • Ransom: not paid, citing alignment with FBI guidance that payment does not guarantee non-disclosure and incentivizes further criminal activity.
  • Mitigations enacted: rotation of automation tokens, enhanced monitoring, audit of all commits since May 11, hardening of GitHub security posture, CI/CD pipeline hardening in progress.
  • External engagement: Federal law enforcement notified.

Recommendations

  1. Move away from long-lived GitHub Personal Access Tokens (PATs) or static repository secrets. Implement OpenID Connect (OIDC) to allow GitHub Actions to authenticate directly with cloud providers and internal systems using short-lived, automatically rotating trust tokens.
  2. Ensure all GitHub Actions workflows explicitly define the minimum required permissions using the permissions: key in YAML configurations (e.g., restricting contents: read rather than allowing write access).
  3. Deploy automated tools (like GitHub Secret Scanning or GitGuardian) to block commits containing plaintext secrets. Enable Push Protection to prevent developers from accidentally pushing active credentials to repositories.
  4. Enforce the use of exact version pinning or strict lockfiles (package-lock.json or yarn.lock) to prevent automated upgrades to compromised upstream packages during automated builds.
  5. Embed SCA tools (e.g., Snyk, GitHub Dependabot, or Socket.dev) into the CI pipeline. Configure these tools to block build deployment if a dependency is flagged for known malware, typosquatting, or sudden, unverified author changes.
  6. When a credential leak is detected, the incident response playbook must mandate an absolute revocation of all active sessions and associated tokens, rather than relying on a manual, itemized rotation which is prone to human oversight.
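The following script is an added example (not Grafana's tooling and not part of the advisory) of the lockfile discipline in recommendation 4: it checks that every direct dependency in package.json is pinned to an exact version and that the package-lock.json (lockfile v2/v3) entry for it carries an integrity hash and resolves to the expected registry. The sample manifests and the version numbers in them are constructed for illustration and do not identify the malicious TanStack release.

```python
"""Audit an npm project for drift toward automatic upstream upgrades.

Added example, not Grafana's code. Flags caret/tilde/range specifiers in
package.json and lock entries that lack an integrity hash or resolve to a
non-registry source. Sample inputs below are constructed placeholders.
"""
import json
import re

# Exact semver with optional pre-release/build suffix, e.g. 1.3.0 or 1.3.0-rc.1
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
REGISTRY = "https://registry.npmjs.org/"  # assumed expected package source


def audit(package_json: str, lock_json: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    pkg = json.loads(package_json)
    lock = json.loads(lock_json)
    findings = []
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    packages = lock.get("packages", {})  # lockfileVersion 2/3 layout
    for name, spec in deps.items():
        if not EXACT_RE.match(spec):
            findings.append(f"{name}: specifier '{spec}' is not an exact version")
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            findings.append(f"{name}: missing from package-lock.json")
            continue
        if "integrity" not in entry:
            findings.append(f"{name}: lock entry has no integrity hash")
        resolved = entry.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            findings.append(f"{name}: resolved from unexpected source '{resolved}'")
    return findings


# Constructed sample: one dependency floats on a caret range and its lock
# entry lacks an integrity hash; the other is pinned and fully recorded.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"@tanstack/react-query": "^5.0.0", "left-pad": "1.3.0"},
})
SAMPLE_LOCK_JSON = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@tanstack/react-query": {
            "version": "5.0.0",
            "resolved": REGISTRY + "@tanstack/react-query/-/react-query-5.0.0.tgz",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER",
        },
    },
})

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON):
        print("FAIL:", line)
```

Run it as a CI gate (non-empty findings fail the build) alongside `npm ci`, which refuses to install when package.json and the lockfile disagree.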

Sources:

  • https://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident/
  • https://www.linkedin.com/posts/here-is-the-latest-update-on-our-investigations-share-7461591117050855424-c48I/

Ampcus Cyber