Grafana's data breach stemmed from a GitHub workflow token that escaped rotation procedures following the TanStack npm supply-chain attack. The oversight left credentials exposed after the initial security incident.
Grafana confirmed this week that its recent security breach originated from a single GitHub workflow token that was not properly rotated in the aftermath of the TanStack npm package compromise.
The sequence of events began when attackers compromised the TanStack npm registry, a widely-used JavaScript library. During the incident response, Grafana identified the need to rotate sensitive credentials, including GitHub tokens used in automated workflows. However, one token slipped through the rotation process, remaining active and accessible to attackers who had gained access to Grafana's systems.
The token provided attackers with the ability to access Grafana's repository and associated infrastructure, enabling them to extract sensitive data. The company discovered the breach during subsequent security investigations and immediately initiated containment measures.
This incident underscores the critical importance of comprehensive token management during security incidents. When supply-chain attacks occur, organizations must systematically rotate all exposed credentials across their entire infrastructure—a process that requires careful tracking to ensure nothing is overlooked.
Grafana has since rotated all affected tokens and implemented enhanced monitoring for GitHub workflow activity. The company is working with affected customers and has disclosed details about the scope of accessed data.
The breach highlights a broader vulnerability in development pipelines: workflow tokens represent a high-value target for attackers, as they can grant access to source code repositories and CI/CD systems. Security teams increasingly face the challenge of managing hundreds or thousands of tokens across complex environments, making manual rotation processes error-prone.
Organizations are being advised to implement automated token rotation systems, adopt secrets management solutions, and conduct regular audits of active credentials. The incident also reinforces the cascading risk inherent in supply-chain compromises—when one trusted dependency is breached, the impact can extend far beyond the initial victim.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.