Grafana Refuses Extortion After GitHub Token Theft
Key insights
- A pull_request_target GitHub Actions misconfiguration let attackers access production secrets from a forked pull request without repo write access.
- CoinbaseCartel has claimed roughly 170 victims since September 2025, targeting developer infrastructure for data extortion rather than ransomware.
- Grafana confirmed no customer or personal data was exfiltrated, limiting downstream breach liability despite full codebase exposure.
Why this matters
GitHub Actions misconfigurations like pull_request_target are pervasive across open-source and enterprise repositories, meaning the attack surface Grafana exposed is shared by thousands of engineering teams running similar workflows. Grafana's codebase exposure without customer data loss illustrates that source code itself is increasingly the primary extortion lever for groups like CoinbaseCartel, shifting the threat model for any company with a public-facing repo. Defenders and platform teams should treat CI/CD pipeline credentials as equivalent in sensitivity to production database credentials, and audit workflow permissions with the same rigor applied to cloud IAM roles.
Summary
Grafana Labs confirmed on May 17 that attackers exploited a "Pwn Request" misconfiguration in a GitHub Actions workflow to steal a production token, download the company's full codebase, and demand a ransom that Grafana declined to pay.
The attack vector was a pull_request_target workflow misconfiguration, a known GitHub Actions pitfall where untrusted code from a forked PR can access secrets scoped to the base repository. The threat actor used that access to exfiltrate the entire codebase before making extortion contact. Grafana cited FBI guidance in refusing payment.
Two named parties are involved: Grafana Labs, a major observability platform, and CoinbaseCartel, a data-extortion crew active since September 2025 with roughly 170 claimed victims.
- No customer data or personal information was accessed, per Grafana's disclosure.
- Compromised credentials were invalidated and all public-repository workflows were disabled following discovery.
- CoinbaseCartel claimed responsibility, fitting a pattern of targeting developer infrastructure rather than end-user databases.
The incident underscores that CI/CD pipeline misconfiguration has become a primary attack surface for extortion groups, not just nation-state actors.
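As an added illustration, not code from the article or from Grafana, the following dependency-free Python check flags the combination described above: a workflow triggered by pull_request_target that checks out the pull request's head commit. It runs over two constructed workflow snippets, the weak pattern and its hardened pull_request form; the job names and workflow contents are assumptions.

```python
import re

# "Pwn Request" heuristics: pull_request_target runs with the base repo's
# secrets, so checking out the fork's head commit there exposes them.
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
HEAD_REF_RE = re.compile(r"^\s*ref:.*github\.event\.pull_request\.head\.(sha|ref)\b")

def audit_workflow(text: str) -> dict:
    """Flag a workflow that combines pull_request_target with a PR-head checkout."""
    uses_pr_target, head_ref_lines = False, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip YAML comments
            continue
        if PR_TARGET_RE.search(line):
            uses_pr_target = True
        if HEAD_REF_RE.match(line):
            head_ref_lines.append(n)
    return {
        "pull_request_target": uses_pr_target,
        "risky": uses_pr_target and bool(head_ref_lines),
        "ref_lines": head_ref_lines,
    }

# Constructed weak sample: fork code is checked out and run with repo secrets in scope.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed hardened form: pull_request gives fork code no repository secrets.
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
```

Run audit_workflow over every file under .github/workflows/ and treat any result with risky set to True as a finding to review by hand, since the regexes are heuristics and will not catch every variant.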
Potential risks and opportunities
Risks
- If CoinbaseCartel publishes Grafana's codebase on a leak site within the next 30-60 days, proprietary instrumentation logic and internal API structures become available to competitors and adversaries targeting Grafana deployments.
- Enterprise customers running self-managed Grafana instances could face targeted attacks if leaked source code reveals undisclosed vulnerabilities before patches are issued.
- Other observability and developer-tooling companies (Datadog, Honeycomb, Sentry) face increased scrutiny from customers and insurers over their own GitHub Actions configurations following this high-profile case.
Opportunities
- CI/CD security vendors (Semgrep, Legit Security, Cycode) can use this incident to accelerate pipeline misconfiguration audit engagements at enterprises running GitHub Actions at scale.
- GitHub itself has an opening to ship stricter default permissions or automated misconfiguration detection for pull_request_target workflows, strengthening platform trust among enterprise customers.
- Cyber insurers with software-supply-chain coverage expertise (Coalition, Resilience) can reprice and expand policy terms around CI/CD credential exposure, capturing a segment previously underwritten as generic cloud risk.
What we don't know yet
- The specific ransom amount CoinbaseCartel demanded has not been disclosed in any public reporting as of May 17.
- Whether Grafana's source code has been published or offered for sale on extortion infrastructure since the refusal to pay remains unconfirmed.
- The full list of affected repositories and whether any third-party dependencies or signing keys were exposed beyond the production token has not been detailed.
Originally reported by thehackernews.com
Original headline: Grafana GitHub Token Breach: Codebase Downloaded, CoinbaseCartel Extortion Attempted, No Customer Data Accessed