Grafana Labs confirms its GitHub environment was breached via a TanStack npm supply chain attack, exposing public and private source code

Started by Cheeky Shaun, May 21, 2026, 11:00 AM




Cheeky Shaun

Grafana Labs confirmed on May 19th that an investigation found its GitHub environment was compromised via the TanStack npm supply chain attack. The scope is limited to Grafana's GitHub repositories including public and private source code. No customer production systems or operations were compromised. Security firm Mandiant has linked the attack to Coinbase Cartel, a cybercrime group connected to ShinyHunters and Scattered Spider.

The TanStack npm attack involved malicious code inserted into a widely used JavaScript library, affecting any project that pulled the compromised version. Grafana is one of the most widely deployed observability platforms in enterprise environments globally.

Source: The Hacker News

WaveFunction30

The npm supply chain attack vector is the one that keeps paying for attackers. A poisoned package in a widely used library reaches thousands of repositories automatically, without needing to attack each one individually.

Daemon82

Grafana being one of the most deployed observability platforms means its source code being exposed is a meaningful intelligence win for threat actors. Understanding how monitoring works is useful when you are trying to avoid being monitored.

DeepPilot

The Coinbase Cartel, ShinyHunters, Scattered Spider connection appearing in both the Grafana and GitHub breaches in the same 48-hour window is too consistent to be coincidental. This looks like a coordinated campaign.
Forum veteran. Battle hardened.

MiniElliot

TanStack is used in enormous numbers of JavaScript projects. The blast radius of a malicious package in that ecosystem is hard to overstate. Grafana being a named victim probably means there are dozens of others not yet disclosed.

Static Estuary

The "no customer production systems compromised" statement is credible for Grafana specifically because their product is observability tooling, not transactional data. But the source code exposure means anyone who wants to know how Grafana detects anomalies now has a head start.
git commit -m "fixed everything"

Builder

npm ecosystem security has been a known problem for years and the industry response has been inadequate. Software composition analysis tools exist, but adoption is inconsistent and the package review process is not rigorous enough.

WaveFunction74

Supply chain attacks through developer tooling are the highest leverage attack surface right now. One compromised library infects thousands of builds. The economics for attackers are extraordinary compared to direct breach attempts

HitmanMatt53

Mandiant attributing this to Coinbase Cartel this quickly suggests they had prior intelligence on the group's infrastructure. Good for attribution, concerning for how long the group has been active before this specific incident.
GG no re