Grafana Confirms GitHub Breach After Coinbase Cartel Demands Ransom — Codebase Stolen via Compromised Token
Grafana Labs has confirmed a data breach after attackers used a compromised token to access the company's GitHub environment and download its entire codebase. The open source visualization and analytics platform disclosed the incident on Sunday, two days after cybercrime group Coinbase Cartel listed Grafana on its leak site with the message: "We can cause you more damage than you would ever imagine."
The company said no personal or customer information was stolen and that the breach has not impacted customer systems or operations. Grafana confirmed that the attackers demanded a ransom in exchange for not leaking the source code, and said it has refused to pay. The compromised credentials have been reset and a forensic investigation is underway.
Coinbase Cartel listed Grafana on May 15, though no data had been published at the time of writing. The group, active since September 2025, operates as a pure extortion operation — no file-encrypting ransomware, just data theft followed by ransom demands. Their leak site currently lists 105 victims.
What makes Coinbase Cartel significant is its lineage. Cybersecurity firms have linked the group to an alliance between ShinyHunters, Scattered Spider, and Lapsus$ — three of the most prolific cybercrime operations of the past several years. Members have been collaborating since at least mid-2025, with some evidence suggesting the partnership extends back to 2024. The alliance has been conducting a sustained data theft campaign under the ShinyHunters banner, claiming intrusions against a growing list of high-profile targets including Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic.
The Grafana breach follows a pattern consistent with this alliance's operational model: compromise developer infrastructure through stolen credentials or tokens, exfiltrate high-value intellectual property, and leverage the threat of public exposure to extract payment. The targeting of a widely deployed open source platform's codebase carries additional supply chain implications — access to proprietary source code enables identification of vulnerabilities that could be exploited against Grafana's extensive user base.
Significance:
The convergence of ShinyHunters, Scattered Spider, and Lapsus$ into Coinbase Cartel represents an escalation in the cybercrime ecosystem. These groups individually demonstrated sophisticated social engineering, credential theft, and extortion capabilities — combined, they present a formidable threat to technology companies. Grafana's decision not to pay is consistent with industry guidance, but the 105 victims listed on Coinbase Cartel's site suggest many others are facing the same calculus. Organizations using Grafana should monitor for any downstream implications if the source code is eventually leaked, and all technology companies should audit GitHub token management and access controls given the breach vector.