
Grafana's GitHub token scare: extortion, no customer blast radius, and the same fork-PR footguns

2026-05-18 · by @osbytes · 3 min read
#security #github #grafana #incident-response #supply-chain #extortion #ci-cd

Grafana Labs disclosed a token-scoped GitHub breach: a token reached the Grafana Labs GitHub environment, someone downloaded the codebase, extortion followed, and Grafana refused payment. Customer systems stayed out of the reported scope. The verifiable homework for everyone else is the usual machine-identity audit you already owe yourself.

What Grafana said in public

In posts on X summarized by The Hacker News, Grafana described an unauthorized party obtaining a token with access to the Grafana Labs GitHub environment, then downloading its codebase. The company's own framing, quoted in that summary, is that investigators saw no customer personal data accessed and no evidence of impact to customer systems or operations; credentials were invalidated and extra controls were added while a forensic review continues.

Cybersecurity Dive adds the mundane distribution detail that matters for receipts: Grafana also mirrored the same statement on LinkedIn, not only X, which is how a lot of security and IT leads actually see it.

Separately, Grafana declined a ransom tied to threats about publishing stolen code, pointing to FBI guidance that paying is a bad bet and fuels more crime. That is policy talk, but it is the same policy call every breached shop faces when the stolen asset is “bits,” not student records.

The workflow shape under investigation

Reporting describes a familiar GitHub Actions failure mode: a pull request from a fork triggers a pull_request_target-style workflow, which runs in the base repository's trusted context with its secrets, and the fork's code then exfiltrates those secrets from the runner. Grafana's own long-form postmortem may tighten or revise that story; treat the workflow detail as reporting about an investigation, not a final root cause from Grafana's security team.

Even if some of the tree is already public under OSS licenses, private forks, release engineering, issue security triage, and unreleased branches are still worth money to thieves. The extortion play here is not “we have a secret algorithm nobody has.” It is noise, embarrassment, phishing lures built from real file paths, and faster vulnerability research against whatever was not public yet.

What the public reporting actually points at

Two items from coverage map to specific things you can act on in your own org tonight, not the generic identity-hygiene homily:

  • pull_request_target pattern. GitHub Security Lab's "pwn request" writeup describes the failure: a workflow triggered by pull_request_target runs in the base repository's context, holding repo secrets and a write-capable GITHUB_TOKEN, and then checks out and builds the fork's head. The trigger itself is not the bug; running untrusted code inside that context is. The fix is mechanical: drop the trigger, gate fork checkouts behind a label that only collaborators can apply (and pin the checkout to the head SHA carried in the event payload rather than the branch ref, so commits pushed after review do not ride along), or split into a pull_request workflow that has no secret access plus a follow-up workflow_run that does. The grep is one line: grep -rn 'pull_request_target' .github/workflows/. Every hit then needs a human to look at what the job checks out and which secrets it can see.
  • Extortion tabletop, decided in public. Grafana's stance — no pay, citing FBI guidance — is a useful precedent because it is on the record. Your material risk profile may differ when the stolen object is PII rather than code; the value of writing your answer down before the call is that "we don't pay" is a much shorter conversation at 3 a.m. than "what is our policy on paying."
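The grep above tells you where pull_request_target appears, not whether the job is actually dangerous. As an added example (not code from the original post, and unrelated to Grafana's real workflows), here is a heuristic scanner for the shape described in the workflow section and the bullet above. It carries three constructed sample workflows: one with the pwn-request shape, one split onto a plain pull_request trigger, and one label-gated with the checkout pinned to the event's head SHA and credential persistence off. The job names, secret names and the safe-to-test label are made up; the matching is regex over workflow text rather than a YAML parse, so unusual spellings of these keys can slip past it.

```python
"""Heuristic scan of GitHub Actions workflows for the pull_request_target
"pwn request" shape. Added example; the sample workflows below are
constructed for illustration and are not Grafana's."""
import re
from pathlib import Path

# pull_request_target as a mapping key, a bare scalar (on: pull_request_target)
# or an entry in a flow list (on: [push, pull_request_target]).
TRIGGER_RE = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$"
    r"|^\s*on:\s*(?:\[.*)?\bpull_request_target\b"
)
# actions/checkout pointed at the PR head: head.sha is frozen at event time,
# head.ref / github.head_ref and refs/pull/N/merge keep moving after review.
PR_HEAD_REF_RE = re.compile(
    r"ref:\s*(?:\$\{\{\s*(?P<expr>github\.event\.pull_request\.head\."
    r"(?P<field>sha|ref)|github\.head_ref)\s*\}\}|refs/pull/)"
)
LABEL_GATE_RE = re.compile(r"contains\(\s*github\.event\.pull_request\.labels\.\*\.name")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")
PERSIST_OFF_RE = re.compile(r"persist-credentials:\s*false")

# Constructed sample: fork code runs with secrets, no gate (the bad shape).
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # executes the fork's package.json scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
# Constructed sample: plain pull_request, fork runs get no secrets.
SPLIT_WORKFLOW = """\
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
# Constructed sample: label gate, checkout pinned to head.sha, no token persisted.
LABEL_GATED_WORKFLOW = """\
on:
  pull_request_target:
    types: [labeled]
jobs:
  integration:
    if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - run: ./integration.sh
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

def scan_workflow(text):
    """Return (level, code, message) findings for one workflow file's text."""
    lines = text.splitlines()
    if not any(TRIGGER_RE.search(line) for line in lines):
        return []  # pull_request from a fork gets no secrets and a read-only token
    checkouts = [m for m in map(PR_HEAD_REF_RE.search, lines) if m]
    if not checkouts:
        return [("info", "PRT_NO_PR_CHECKOUT",
                 "pull_request_target without a PR-head checkout; fine if it only labels or comments")]
    gated = any(LABEL_GATE_RE.search(line) for line in lines)
    sev = "info" if gated else "high"
    findings = [(sev, "PRT_UNTRUSTED_CHECKOUT",
                 "fork code is checked out into the base repo's trusted context")]
    if not gated:
        findings.append(("high", "NO_LABEL_GATE", "any fork PR triggers this run"))
    if any(SECRET_RE.search(line) for line in lines):
        findings.append((sev, "SECRETS_IN_SCOPE", "repo secrets are referenced in the same workflow"))
    if any(m.group("field") != "sha" for m in checkouts):
        findings.append(("medium", "MOVABLE_REF",
                         "checkout follows a branch or merge ref; commits pushed after review still run"))
    if not any(PERSIST_OFF_RE.search(line) for line in lines):
        findings.append(("medium", "TOKEN_PERSISTED",
                         "actions/checkout leaves GITHUB_TOKEN in .git/config of the untrusted tree by default"))
    return findings

LEVELS = {"clean": 0, "info": 1, "medium": 2, "high": 3}

def worst_level(findings):
    """Highest severity among findings, or "clean" for an empty list."""
    return max((f[0] for f in findings), key=LEVELS.get, default="clean")

def scan_directory(root):
    """Scan every workflow under <root>/.github/workflows; returns {path: findings}."""
    wf_dir = Path(root) / ".github" / "workflows"
    return {str(p): scan_workflow(p.read_text()) for p in sorted(wf_dir.glob("*.y*ml"))}

if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_WORKFLOW), ("split", SPLIT_WORKFLOW),
               ("label-gated", LABEL_GATED_WORKFLOW)]
    for name, text in samples:
        findings = scan_workflow(text)
        print(f"{name}: {worst_level(findings)}")
        for level, code, msg in findings:
            print(f"  [{level}] {code}: {msg}")
```

Run it against a checkout with scan_directory(".") and triage anything at "high" first; the label-gated sample still reports info-level findings on purpose, because a gate is a process control and someone should know the job can reach secrets at all.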

The harder question Grafana coverage does not answer yet: which single token held that much repo reach? PAT, fine-grained PAT, GitHub App installation, Actions secret? Whatever shape Grafana's postmortem names is the same shape worth auditing on your side — not because the lesson is novel, but because the postmortem will land with a specific token type and a specific blast radius, and "we already audited that class" is a better Monday than "we have a meeting about it."

Sources