What happened
Grafana Labs confirmed over the weekend that an unauthorized party obtained a GitHub access token and used it to download the company’s codebase. The extortion group CoinbaseCartel claimed responsibility on Friday, demanding payment to prevent release of the stolen code. Grafana Labs publicly declined to pay, citing longstanding FBI guidance that paying cybercriminals does not guarantee any outcome.
The company stated that no customer data or personal information was accessed and found no evidence of impact to customer systems or operations. The compromised credentials have been invalidated and additional security measures have been implemented. Grafana Labs said it believes it has identified the source of the credential leak but the investigation is ongoing. The company did not address what actions it would take if the codebase is released publicly.
CoinbaseCartel emerged last year as a data theft offshoot of the Scattered Lapsus$ Hunters collective. The group does not use ransomware but relies on stolen credentials and social engineering to access victim networks, and has attempted to extort more than 100 companies across multiple industries since September 2025.
Grafana is used by more than 7,000 customers for analytics and visualization dashboards tracking metrics and operational data.
Who is affected
Grafana Labs customers are not directly affected based on current findings, with the company confirming no customer data was accessed. The primary risk is to Grafana Labs itself if the codebase is published, which could expose proprietary code and potentially reveal security-relevant implementation details to threat actors.
Why CISOs should care
Grafana’s public refusal to pay and its transparent communication about the incident are worth noting as a response posture. The company cited FBI guidance rather than making the decision purely on commercial grounds, which provides a defensible rationale for a decision that carries real risk of codebase publication.
CoinbaseCartel’s credential-theft and social engineering approach, with no ransomware deployment, also represents a threat model that many organizations underweight. A single compromised GitHub token with broad repository access is sufficient for this group’s entire attack chain.
3 practical actions
- Audit GitHub personal access token scope and lifetime across your organization: CoinbaseCartel’s access came through a single token with sufficient scope to download the entire codebase. Review all GitHub tokens in use across your environment, apply least-privilege scoping, enforce token expiration policies, and rotate any tokens that cannot be confirmed as unexposed.
- Implement GitHub audit log monitoring for anomalous repository download activity: A bulk codebase download via a single token should produce detectable patterns in GitHub audit logs, including unusual clone or archive operations at volume. Configure alerting on large-scale repository access events outside of normal CI/CD and developer activity patterns.
- Develop a public communication posture for extortion scenarios in advance: Grafana Labs issued a clear public statement quickly, explaining the ransom refusal rationale without providing operational details that could assist the attackers. Having pre-approved communication frameworks for extortion scenarios reduces decision-making pressure during an active incident and supports consistent messaging to customers and stakeholders.
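The second action above describes the detection pattern without showing it. The following script is an added example written for this article, not code from Grafana Labs or GitHub: it reads a JSON-lines export of GitHub audit events, tracks each actor’s clone activity in a sliding one-hour window, and raises an alert when a single actor (or token) clones an unusually large number of distinct repositories. The field names (action, actor, repo, hashed_token, @timestamp in epoch milliseconds), the sample events, the organization name, the allowlisted CI account and the threshold of 20 repositories are all assumptions constructed for the example; adjust them to your own export format and baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


# Constructed sample data: a JSON-lines export of GitHub audit events. The field
# names are an assumption modelled on GitHub's audit-log export format.
def _event(actor, repo, minute, token):
    ts = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return json.dumps({
        "action": "git.clone",
        "actor": actor,
        "repo": f"example-org/{repo}",          # hypothetical organization
        "@timestamp": int(ts.timestamp() * 1000),
        "hashed_token": token,                   # placeholder token hashes
    })


SAMPLE_AUDIT_LOG = "\n".join(
    # A developer cloning three repos spread over the morning: normal activity.
    [_event("dev-alice", f"service-{i}", i * 40, "sha256:aaaa") for i in range(3)]
    # The CI runner cloning many repos: expected, and allowlisted below.
    + [_event("ci-runner", f"service-{i}", i, "sha256:cccc") for i in range(30)]
    # One token pulling 25 distinct repos in nine minutes: the bulk-download pattern.
    + [_event("svc-deploy", f"service-{i}", 120 + i // 3, "sha256:dddd") for i in range(25)]
)


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["_ts"] = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["_ts"])


def find_bulk_cloners(events, window=timedelta(hours=1), threshold=20,
                      allowlist=frozenset({"ci-runner"}), actions=("git.clone",)):
    """Alert on any non-allowlisted actor that clones >= threshold distinct
    repositories within a sliding time window. Returns one alert per actor,
    carrying the largest distinct-repo count seen and the token hash involved."""
    recent = defaultdict(deque)   # actor -> (timestamp, repo) pairs inside the window
    alerts = {}
    for event in events:
        if event["action"] not in actions or event["actor"] in allowlist:
            continue
        actor = event["actor"]
        history = recent[actor]
        history.append((event["_ts"], event["repo"]))
        # Drop entries that have aged out of the window.
        while history and event["_ts"] - history[0][0] > window:
            history.popleft()
        distinct = {repo for _, repo in history}
        if len(distinct) < threshold:
            continue
        if actor not in alerts:
            alerts[actor] = {
                "actor": actor,
                "hashed_token": event.get("hashed_token"),
                "distinct_repos": len(distinct),
                "window_start": history[0][0].isoformat(),
                "window_end": event["_ts"].isoformat(),
            }
        else:
            alerts[actor]["distinct_repos"] = max(alerts[actor]["distinct_repos"], len(distinct))
            alerts[actor]["window_end"] = event["_ts"].isoformat()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_bulk_cloners(parse_events(SAMPLE_AUDIT_LOG)):
        print(json.dumps(alert))
```

The allowlist is the part that needs the most care: CI runners and mirroring jobs legitimately clone at volume, so exempt them by a dedicated service identity rather than raising the global threshold, and alert separately if a CI token starts cloning repositories outside its usual set. Git clone events appear in GitHub Enterprise audit logs only when Git event logging is enabled; on other plans, apply the same windowing logic to whatever repository-access events your export contains.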
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

