Grafana says hackers hit its GitHub environment, demand ransom to prevent codebase release — but it’s refusing to pay

May 18, 2026


  • Grafana confirms its GitHub environment was accessed with a stolen token and its codebase exfiltrated
  • Maintainers stressed no customer data or systems were impacted and security measures were reinforced
  • A group called CoinbaseCartel claimed responsibility, linking the incident to broader ransomware activity

Popular open source software platform Grafana has confirmed its GitHub environment was compromised and its codebase exfiltrated.

In a breach notification, maintainer Grafana Labs explained that an unauthorized third party used a token to access its GitHub environment and download the contents.

While it didn’t explain how the token was nabbed, Grafana said that the initial investigation “determined that no customer data or personal information was accessed during this incident,” and that there is no evidence that the breach impacted customer systems or operations.

“We immediately initiated forensic analysis and we believe we’ve identified the source of the credential leak,” the maintainers further explained. To mitigate the risk, the company rotated the credentials and introduced additional security measures, without detailing what they are.

Grafana added that the attackers tried to extort the company, demanding a ransom in exchange for deleting the stolen codebase, but stressed that it will take the FBI’s advice and not engage with the threat actors.

The attackers were not named in the announcement, but per The Hacker News, a collective called CoinbaseCartel claimed responsibility for the attack.

This group is relatively unknown, since it first emerged in September 2025. Allegedly, it spun out of the ShinyHunters, Scattered Spider, and Lapsus$ groups – some of the most active and most dangerous ransomware players right now.

In the past nine months, the group allegedly struck 170 organizations in different verticals, including technology, manufacturing, healthcare, transportation, and others.

Grafana is an open-source observability and monitoring platform used to visualize metrics, logs, and system performance through dashboards. Grafana Labs, the company running and maintaining the platform, claims its tools are used by more than 35 million users worldwide, helping it generate more than $400 million in annual recurring revenue.


