
Grafana Labs Security Breach: Hackers Steal GitHub Token, Download Private Codebase, and Demand Ransom

dark6 18 May 2026

On May 16, 2026, Grafana Labs disclosed a significant security incident in which an unauthorized threat actor gained access to its GitHub environment, stole a privileged token, downloaded private source code repositories, and subsequently attempted to extort the company with a ransom demand. Grafana Labs refused to pay, citing FBI guidance that ransom payments do not guarantee data recovery and only incentivize further criminal activity.

How the Breach Unfolded

The attack began with the exploitation of a misconfigured GitHub Actions workflow — specifically, a workflow triggered on pull_request_target events that inadvertently granted external contributors access to production secrets during CI runs. This class of vulnerability, known as a “Pwn Request,” is an underappreciated risk in open-source repositories where forked pull requests can trigger privileged pipelines.

The attacker proceeded methodically:

  • They forked a Grafana repository and injected malicious code via a curl command embedded in the CI workflow.
  • The injected code dumped environment variables — including privileged GitHub tokens — to a file encrypted with a private key, enabling silent exfiltration.
  • After extracting the credentials, the attacker deleted their fork to cover their tracks.
  • Using the stolen token, they pivoted to four additional private repositories and downloaded Grafana's codebase.

Detection Through Canary Tokens

Grafana Labs detected the intrusion through one of its thousands of deployed canary tokens — specialized bait credentials that alert security teams the moment they are used. When the attacker triggered the canary, Grafana's global security team was immediately notified and began incident response.

The company's containment actions were rapid:

  • All compromised credentials were immediately invalidated.
  • The vulnerable GitHub Action was removed from all repositories.
  • All workflows across public repositories were disabled pending a full security review.

No Customer Data Compromised

According to Grafana Labs' investigation, no customer data or personal information was accessed during the incident, and there is no evidence of impact to customer systems or operations. The breach was confined to internal source code repositories.

Ransom Demand Refused

Following the exfiltration of the private codebase, the attacker escalated to extortion, demanding payment in exchange for not publicly releasing the stolen code. Grafana Labs declined, citing FBI guidance that states paying ransoms neither guarantees data recovery nor prevents further disclosure — and that payment only encourages further criminal activity.

The incident drew mixed reactions: many praised Grafana for its transparency and rapid public disclosure, while others noted the irony of an observability company missing initial compromise indicators on its own CI/CD infrastructure.

Broader Implications for CI/CD Security

The breach has reignited debate around CI/CD pipeline security and software supply chain risks. The attack vector — a misconfigured pull_request_target workflow — is a common configuration found in thousands of open-source repositories and is widely underestimated as an attack surface.

Recommended mitigations for organizations include:

  • Auditing all GitHub Actions workflows that use pull_request_target with access to secrets.
  • Restricting workflow permissions to the minimum required scope.
  • Deploying canary tokens in CI/CD secrets and environment variables to detect unauthorized use.
  • Requiring manual approval for all workflows triggered from forks.
  • Regularly rotating CI/CD credentials and monitoring access logs for anomalies.
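As an added example (not from the article and not Grafana Labs' own tooling), a heuristic audit for the first mitigation above, run over two constructed workflow files: one with the pull_request_target shape described under "How the Breach Unfolded" and one using the ordinary pull_request trigger. The regexes are a line-level approximation; a YAML-aware scanner is preferable for production use.

```python
import re

# Constructed sample workflows for this example (not Grafana Labs' real files).
UNSAFE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork's code
      - run: make test
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
"""
SAFE_WORKFLOW = """\
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # fork runs get no secrets here
      - run: make test
"""

# The "Pwn Request" shape: a pull_request_target trigger (the run receives the
# base repository's secrets) that also checks out the fork's head and hands
# secrets to the steps that execute that untrusted code.
PR_TARGET = re.compile(r"^\s*pull_request_target\s*:", re.M)
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.\w+")

def audit_workflow(text: str) -> list[str]:
    """Heuristic audit; returns findings, an empty list when nothing risky is seen."""
    text = re.sub(r"#.*", "", text)  # ignore YAML comments
    if not PR_TARGET.search(text):
        return []  # plain pull_request runs fork code without secrets
    findings = ["trigger: pull_request_target exposes base-repo secrets to the run"]
    checks_out_head = bool(HEAD_CHECKOUT.search(text))
    uses_secrets = bool(SECRET_USE.search(text))
    if checks_out_head:
        findings.append("checkout: fork head (untrusted code) is checked out")
    if uses_secrets:
        findings.append("secrets: ${{ secrets.* }} is passed to steps")
    if checks_out_head and uses_secrets:
        findings.append("HIGH: untrusted code runs with secrets (Pwn Request shape)")
    return findings
```

Running `audit_workflow` over every file under `.github/workflows/` and triaging the HIGH findings first covers the audit step; the remaining mitigations (minimum permissions, fork approval, rotation) are repository settings rather than file contents.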

Grafana Labs has committed to sharing additional findings from its post-incident review, continuing its transparency with the developer and security communities. This incident is a valuable reminder that even mature security programs can be exposed through supply chain and CI/CD misconfigurations.
