Grafana Hacked

Grafana Labs publicly confirmed this week that attackers stole a GitHub access token through a misconfigured CI/CD pipeline, downloaded private source code repositories, then attempted to extort the company — and walked away empty-handed.

The breach, announced via a six-tweet thread on X, traces back to a subtle but well-known class of GitHub Actions vulnerability called a "Pwn Request." A recently enabled GitHub Actions workflow configured to trigger on pull_request_target events inadvertently granted external contributors — anyone who could open a pull request — access to production secrets during CI runs. Unlike the ordinary pull_request trigger, pull_request_target runs in the context of the base repository, with its permissions and secrets, which is exactly why executing code from the incoming pull request in that context is dangerous.

The attacker's method was methodical. By forking a Grafana repository, injecting malicious code via a curl command, and dumping environment variables to a file encrypted with a private key, the threat actor extracted privileged tokens, then deleted their fork to cover their tracks before leveraging the stolen credentials against four additional private repositories.

What stopped the attacker from going completely undetected? Their own curiosity. One of the thousands of canary tokens — invisible tripwires Grafana embeds across its code and infrastructure — was triggered, immediately alerting the global security team. Canary tokens are decoy credentials designed to fire an alert the moment they're used, exposing access that would otherwise go unnoticed.

Grafana's investigation found no evidence of code modifications, unauthorized access to production systems, or exposure of customer data. The company revoked all compromised tokens, disabled the vulnerable workflows, and ran a full credential audit using tools including Trufflehog and Gato-X.

That didn't stop the attacker from trying their luck. After downloading the private codebase, they escalated to extortion — demanding payment in exchange for not releasing the stolen code. Grafana refused. The company cited FBI guidance, noting that paying ransoms offers no data-recovery guarantee and only incentivizes more attacks.

Reports from Hackmanac and Ransomware.live attribute the attack to CoinbaseCartel, a data extortion crew that emerged in September 2025 and is assessed to be an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems. Unlike traditional ransomware groups, CoinbaseCartel focuses exclusively on data theft and extortion, and has already claimed over 170 victims across healthcare, technology, transportation, and manufacturing.

The incident lands as part of a troubling pattern. It follows Instructure's controversial decision to settle with ShinyHunters after the group threatened to leak terabytes of data from thousands of U.S. schools. Grafana's refusal to pay sets a different precedent — one that the FBI has long advocated for.

For developers and security teams, the Grafana incident is a practical reminder: audit any GitHub Actions workflow using pull_request_target triggers in public repositories, restrict CI secrets to least-privilege scopes, and deploy canary tokens across sensitive codebases.
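One way to audit workflows for the "Pwn Request" shape described above, as an added example that is not from the article or from Grafana. The two workflow files are constructed samples, and the checks are regex heuristics over the raw YAML rather than a full parse.

```python
import re

# Constructed sample workflows (not Grafana's). The first combines pull_request_target
# (base-repo secrets) with executing the fork's code; the second is the hardened form.
VULNERABLE_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

SAFE_WORKFLOW = """\
name: pr-check
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Heuristic patterns over the raw YAML text; a production audit should parse the file.
TARGET_TRIGGER = re.compile(r"\bpull_request_target\b")
PR_HEAD_CHECKOUT = re.compile(r"\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file (empty list = no issue)."""
    findings = []
    if not TARGET_TRIGGER.search(text):
        return findings  # plain pull_request from a fork gets no secrets and a read-only token
    findings.append("pull_request_target: job runs with base-repo permissions and secrets")
    if PR_HEAD_CHECKOUT.search(text):
        findings.append("checks out the PR head: untrusted fork code runs in that context")
    if SECRET_USE.search(text):
        findings.append("references secrets: readable by whatever the checked-out code runs")
    return findings
```

Run it over every file under .github/workflows/ and treat any workflow whose findings include the PR-head checkout as an incident-grade misconfiguration.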

The tripwire is what saved Grafana from a far longer dwell time — threat intelligence from Mandiant suggests the average gap between credential theft and active exploitation is 11 days. Grafana caught it before that clock ran out.