Grafana Codebase and Other Data Compromised by TanStack Supply Chain Attack


TanStack Supply Chain Attack Exposes Grafana Codebase

In late May, Grafana Labs discovered that their GitHub repositories had been compromised as a result of a supply chain attack via TanStack.

Incident Overview

  • Grafana Labs’ GitHub repositories were compromised due to a supply chain attack via TanStack.
  • The attack was carried out by a sophisticated attacker who exploited vulnerabilities in TanStack and other prominent NPM and PyPI projects.
  • The malware used in the attack was called Mini Shai-Hulud and was designed to steal sensitive information from victims’ systems.

Attack Details

Grafana detected suspicious activity on May 11 and promptly rotated their GitHub workflow tokens. However, one token remained active, allowing the threat actor to access Grafana’s GitHub repositories.

According to Grafana, “This previously thought secure token had indeed been compromised.”

The attackers then demanded a ransom payment from Grafana, which was refused. In response, Grafana strengthened their GitHub posture, notified law enforcement, and conducted a comprehensive investigation.

Preliminary Findings

  • No customer production systems or operations were compromised.
  • The hackers stole Grafana’s codebase, internal operational information, and business details.
  • The stolen assets included business contact names and addresses, but no sensitive data processed through the Grafana Cloud platform.

Investigation and Response

Grafana is working closely with authorities to identify the perpetrators and prevent similar attacks in the future. The company is also reviewing its security measures so that it can better withstand potential future threats.


