Grafana Codebase Stolen on GitHub, But the Company Refuses to Pay the Ransom
Hackers from the Coinbase Cartel group managed to compromise Grafana Labs' GitHub account after stealing an access token. Here's what we know about this cyberattack.
A Compromised GitHub Token at the Root of the Incident
Grafana Labs is the company behind the well-known Grafana data visualization platform, which you probably know. It is a globally recognized solution used by many companies, including Fortune 50 businesses and Cloud providers.
On May 17, 2026, Grafana Labs revealed that it had been the victim of a cyberattack following the compromise of a GitHub access token. The token allowed the attackers to break into Grafana's repository and get their hands on the codebase. You may be wondering: Grafana is an open source solution, so what is the point of stealing source code that is already available to everyone on GitHub?
The codebase is broader than the public source code. It could include private/internal repositories, build scripts, or even source code not yet made available in the publicly accessible releases. In any case, this security incident appears to be limited to this data theft on GitHub.
Grafana Labs is also reassuring about the impact of this incident: no customer data or personal information was exposed, and its customers' systems were not affected.
Grafana Refuses to Fund Cybercrime
The attack was claimed by Coinbase Cartel, a cybercriminal group that added Grafana to its extortion portal. Their goal was simple: demand ransom payment from Grafana while threatening to publicly release the stolen source code. This shows that they were able to steal code not available in the public repositories; otherwise, it would not have been worth extorting.
Following this demand from the hackers, Grafana Labs made the right decision: not to pay the ransom. "Based on our operational experience and the FBI's public stance, which emphasizes that paying a ransom does not guarantee that you or your organization will recover data and only provides an incentive for others to engage in this type of illegal activity, we have determined that the appropriate course of action is not to pay the ransom," reads the statement published on X.
But who is behind Coinbase Cartel? Launched last September, this extortion group has been particularly active this year, with more than 100 claimed victims on its portal, even if it does not get as much attention as other groups such as TeamPCP or ShinyHunters.

Finally, note that the post-incident investigation is still ongoing, and Grafana plans to share more technical details once it is completed.

