Hackers Stole Grafana's Source Code Through a GitHub Security Flaw

On May 16, 2026, Grafana Labs announced that hackers had broken into its GitHub account and stolen the company's entire codebase. The attackers exploited a security weakness in one of GitHub's automated workflow tools. Grafana Labs says no customer data or systems were harmed—the theft was limited to the company's own source code, the underlying instructions that make its software work.
The company received a ransom demand from the attackers but refused to pay.
How the Attack Happened
The vulnerability lay in a GitHub Action, which is a tool that automates repetitive tasks in software development. Think of it like a self-checkout kiosk at a grocery store: you set it up to do a job automatically, but if you don't lock it down properly, someone else can walk up and make it do something you didn't intend.
In this case, the attackers submitted fake requests that tricked GitHub's automated system into handing over a special access token—essentially a digital key to the code repository. Once they had that key, they downloaded Grafana's source code.
Grafana Labs caught the break-in relatively quickly because the company had set up a digital trap called a canary token. A canary token is like a decoy alarm system hidden in your house: if a burglar triggers it, you know right away that someone has broken in. When the attackers accessed this hidden alarm, Grafana's security team got an alert and could shut down the intrusion before it spread further.
Who Did This
Security researchers attributed the attack to a group called Coinbase Cartel, a criminal organization that emerged in September 2025 and has targeted around 168 companies since then. Rather than using traditional ransomware that locks up a company's files and demands payment to unlock them, Coinbase Cartel steals valuable information and then demands money for it. This approach is simpler for the criminals and harder to trace than deploying encryption software across an entire company's network.
Why This Matters
The broader context here is that GitHub Actions has become a common way for companies to automate their development work, but this particular feature—called pull_request_target—can be risky if not set up carefully. We have seen this pattern before, when companies first started using automated build systems in the 2000s. Teams rushed to adopt the new tools without fully thinking through the security risks.
The weakness in this case allows attackers to submit fake pull requests that trick the automated workflow into running hidden commands with elevated access. If a company isn't careful about which code those requests are allowed to execute, the attacker can grab secret credentials available to the workflow.
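As an added example (not Grafana Labs' or GitHub's own code), the following script audits a workflow file for the risky combination described above: a pull_request_target trigger together with a checkout of the pull request head and use of secrets. Both workflow texts are constructed samples, and the regex checks are a heuristic that a real audit would replace with proper YAML parsing.

```python
import re

# Constructed sample of the weak pattern: the pull_request_target trigger
# runs with the base repository's privileges, yet the job checks out and
# executes the untrusted pull request head, with a secret in its environment.
WEAK_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed sample of the corrected form: the plain pull_request trigger
# runs fork code with a read-only token and no access to repository secrets.
SAFE_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install && npm test
"""

PRT_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_USE = re.compile(r"secrets\.\w+")

def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; empty means the risky combination is absent."""
    findings = []
    if not PRT_TRIGGER.search(text):
        return findings  # ordinary pull_request trigger: untrusted code gets no privileges
    # Checking out the PR head alone is a finding: actions/checkout persists the
    # job's token into the local git config by default, so untrusted code can read it.
    if HEAD_CHECKOUT.search(text):
        findings.append("pull_request_target workflow checks out the PR head commit")
    if SECRET_USE.search(text):
        findings.append("pull_request_target workflow references secrets")
    return findings
```

Run it over every file under .github/workflows and treat any non-empty result as a review item; a pull_request_target job that never touches the PR head and only labels or comments on it is the legitimate use of the trigger.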
When source code gets stolen, it creates different problems than when customer personal information is compromised, but the damage can still be serious. Competitors could learn proprietary secrets about how the software works. More concerning, hackers can study the stolen code to find security holes they can exploit in future attacks against the company or its users.
For Grafana Labs specifically, much of its software is open source, meaning the code is already public. This may limit how much value the stolen source code has to competitors. However, proprietary internal tools and configuration files could still provide valuable information to attackers.
What Happens Next
Grafana Labs chose not to pay the ransom, which aligns with advice from law enforcement and security experts. Paying offers no guarantee that stolen information will actually be deleted, and it only encourages more attacks.
The company's quick detection, made possible by the canary token, illustrates a sound security practice. By setting early-warning traps, companies can catch break-ins before attackers have time to move deeper into their systems and steal more.
Organizations using GitHub for their code development should review their automated workflows, especially ones that process pull requests from outside contributors. The security review should include not just the application code itself, but also all the automated tools and scripts that support development.
The emergence of groups like Coinbase Cartel points to how cybercrime has evolved. Rather than disrupting companies with encryption attacks, newer criminal organizations focus on stealing valuable information and demanding payment. This means companies now need to protect their source code and intellectual property as carefully as they protect customer data.

