Grafana says attackers gained access to its private GitHub repositories after a GitHub workflow token was missed during rotation following the TanStack npm supply-chain attack. The malicious TanStack package executed in Grafana's CI/CD environment, exfiltrated workflow tokens, and led to the theft of source code plus some operational and business contact information. Grafana says no customer production systems or cloud data were affected.
Ionut Arghire
2026.05.22
99% relevant
This article is a direct update on the same Grafana incident, adding that Grafana attributes the intrusion to the TanStack/Mini Shai-Hulud supply-chain attack, says attackers downloaded public and private source code plus internal operational and business-contact data, and notes the attackers sent a ransom demand that Grafana refused to pay.
Sergiu Gatlan
2026.05.21
74% relevant
The article connects GitHub’s breach to the same underlying TanStack npm supply-chain campaign that also affected Grafana, providing additional context on the broader attack chain, Nx Console compromise, and TeamPCP-linked activity.
Bill Toulas
2026.05.20
100% relevant
The article provides substantive new facts about the Grafana breach itself, specifically tying the intrusion to the TanStack package compromise and a missed GitHub token rotation, and it does not match any listed existing tracked story.
2026.05.18
73% relevant
This article covers the same underlying TanStack/Shai-Hulud supply-chain event referenced in the Grafana story, and adds specific root-cause and mitigation details from TanStack: abuse of pull_request_target, GitHub Actions cache poisoning, removal of that workflow pattern, cache disabling, SHA pinning, stronger 2FA, and discussion of invitation-only PRs.