Grafana Labs security update: Latest on TanStack npm supply chain ransomware incident


2026-05-19 · 4 min read

On May 16, 2026, Grafana Labs confirmed a targeted attack by a cybercrime group that gained unauthorized access to our GitHub repositories and downloaded our codebase. They then issued a ransom demand under threat of data disclosure. 

Since we posted our initial findings that day, our investigation has continued, and we are publishing this blog post to share more details about our incident response and mitigation. A post-incident report will be published when our investigation is complete.

To date, the investigation has found no evidence that customer production systems or operations have been compromised. This incident was strictly limited to the Grafana Labs GitHub environment and did not affect our production systems or the Grafana Cloud platform.

After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business. This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform. 

To be clear to the users of Grafana Labs' open source projects and the Grafana Cloud platform: our codebase was downloaded, but it was not altered. No action is needed from our customers or open source users at this time.

Our investigation is ongoing as we continue to review logs, telemetry, and all available data within our company-wide GitHub repos. Should we ever determine that any customer's systems or operations are impacted, we will notify them directly.

At Grafana Labs, earning and maintaining our community’s trust is foundational to everything we do. We recognize that customers rely on us as a trusted partner, and we do not take that responsibility lightly. We are sharing this update in the spirit of transparency because we understand you may have questions and because we take this matter seriously.

Summary and background 

The incident originated from a TanStack npm supply chain attack via the Mini Shai-Hulud campaign. We detected the malicious activity on May 11 and immediately initiated our incident response plan. 

We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories. A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.

On May 16, we received a demand from a bad actor for a ransom payment to prevent the release of our codebase. Grafana Labs determined the appropriate path forward is not to pay the ransom. This decision aligns with the FBI’s formal position that paying a ransom does not guarantee security and only serves to incentivize further criminal enterprise.

As soon as we were contacted by the ransom gang, we launched mitigation efforts, which have included rotating automation tokens, implementing enhanced monitoring, auditing all commits since the May 11 incident, and significantly hardening our GitHub security posture.

We have also notified federal law enforcement and will maintain an ongoing dialogue with them about the situation.  

Impact and response

Current findings indicate the scope of this incident is limited to the Grafana Labs GitHub repositories, which include public and private source code along with internal GitHub repos. 

There is no evidence that customer production systems or operations have been compromised. 

As part of our standard security practices, we will share additional information from our post-incident review when our investigation is complete.

Grafana Labs is also taking steps to increase security measures to protect our systems. We are currently implementing significant measures to further secure our CI/CD (continuous integration and continuous deployment) pipelines and prevent a recurrence of this type of issue.

Our teams remain focused on the continued investigation and the deployment of increased security controls.
