The Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following the TanStack npm supply-chain attack last week.
In the ongoing Shai-Hulud malware campaign, attributed to the TeamPCP hackers, dozens of TanStack packages carrying credential-stealing code were published to the npm registry, compromising developer environments, including Grafana's.
When the malicious packages were published, Grafana's CI/CD workflow pulled them in, and the info-stealer code executed inside its GitHub workflow environment, exfiltrating GitHub workflow tokens to the attackers.
Grafana says it detected malicious activity stemming from the compromised TanStack packages on May 1 and immediately activated its incident response plan, which included rotating its GitHub workflow tokens.
However, one token was missed in the process, and the attacker used it to gain access to the company's private repositories.
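The check a practitioner would want after a story like this is whether anything in the dependency tree gets to run code at install time at all. Below is an added example, not code from Grafana, TanStack or this article: a Python audit that walks an installed node_modules tree, lists every package declaring an npm install-time lifecycle hook, and filters the result against an allowlist of packages that legitimately need one (native addons). It assumes the stealer is triggered by such a hook, which is how npm supply-chain payloads are usually executed during `npm install`; the package names, the sample tree and the allowlist are constructed for the demo.

```python
"""Audit an installed npm dependency tree for install-time lifecycle hooks.

Added example, not code from Grafana, TanStack or the article. Assumes the
credential stealer is wired into an npm lifecycle script (preinstall /
install / postinstall) so that `npm install` in CI executes it. The package
names and the sample tree below are constructed for the demo.
"""
import json
import tempfile
from pathlib import Path

# Scripts npm runs automatically when a dependency is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Hypothetical allowlist: packages known to need an install script (native addons).
DEFAULT_ALLOWLIST = frozenset({"example-native"})


def find_install_hooks(node_modules: Path) -> list[tuple[str, str, str]]:
    """Return (package, hook, command) for every package.json declaring an install hook."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON; nothing npm would execute from it
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        name = data.get("name") or manifest.parent.name
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if isinstance(cmd, str) and cmd.strip():
                findings.append((name, hook, cmd))
    return findings


def unexpected_hooks(findings, allowlist=DEFAULT_ALLOWLIST):
    """Drop packages that are known and expected to run an install script."""
    return [f for f in findings if f[0] not in allowlist]


def audit(node_modules: Path, allowlist=DEFAULT_ALLOWLIST):
    """Full check: every install hook in the tree that is not on the allowlist."""
    return unexpected_hooks(find_install_hooks(node_modules), allowlist)


def build_sample_tree(root: Path) -> Path:
    """Construct a tiny node_modules tree (constructed data, not a real install)."""
    nm = root / "node_modules"
    packages = {
        # hypothetical clean package: no lifecycle hooks
        "example-utils": {"name": "example-utils", "version": "1.2.3",
                          "scripts": {"test": "jest"}},
        # hypothetical native addon that legitimately compiles on install
        "example-native": {"name": "example-native", "version": "2.0.0",
                           "scripts": {"install": "node-gyp rebuild"}},
        # hypothetical trojanised package: a new postinstall hook running a bundled script
        "@example/ui-core": {"name": "@example/ui-core", "version": "5.4.2",
                             "scripts": {"postinstall": "node setup_bundle.js"}},
    }
    for folder, manifest in packages.items():
        pkg_dir = nm / folder
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return nm


def run_demo() -> list[tuple[str, str, str]]:
    """Build the sample tree in a temp dir and return the unexpected hooks found."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for name, hook, cmd in run_demo():
        print(f"UNEXPECTED install hook: {name} {hook}: {cmd}")
```

The hook command itself usually looks harmless (`node setup_bundle.js`), so the signal is a package that declares an install hook when it did not before, not the text of the command. To make the audit meaningful in CI, install with `npm ci --ignore-scripts` so no hook fires, run the audit on the resulting tree, and only then decide whether to run scripts for the allowlisted packages. Scoping the workflow's `permissions:` block to the minimum the job needs limits what an exfiltrated `GITHUB_TOKEN` can reach if, as here, one token is missed during rotation.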